Add an allowlist test for non-root owned files and ensure their UID/GID are statically allocated about fedora-coreos-config HOT 9 OPEN

I did an analysis pass on the OS content of current next, and these are the entries that need some tweaking:

# ostree ls <REV> -R / | grep -v ' 0 0'

-00640 0 992    540 /usr/etc/chrony.keys
-00644 0 985  27981 /usr/etc/dnsmasq.conf
d00755 0 985      0 /usr/etc/dnsmasq.d
d00750 0 998      0 /usr/etc/polkit-1/localauthority
d00700 999 0      0 /usr/etc/polkit-1/rules.d
-02555 0 999 334248 /usr/libexec/openssh/ssh-keysign
d00700 999 0      0 /usr/share/polkit-1/rules.d

These are the packages and bugzilla tickets for each of those:

• chrony: could be moved to a tmpfiles.d fragment (or get a static ID) - https://bugzilla.redhat.com/show_bug.cgi?id=2104918
• dnsmasq: could be moved to plain root:root ownership - https://bugzilla.redhat.com/show_bug.cgi?id=2104973
• openssh: group ssh_keys needs static GID - https://bugzilla.redhat.com/show_bug.cgi?id=2104595
• polkit: user/group polkitd need static ID - https://bugzilla.redhat.com/show_bug.cgi?id=2104615

from fedora-coreos-config.

Yes, that would help for packages that aren't directly used for base FCOS images. I'll try to put something together for fedora-devel after this initial small round of packages for our scenario is fixed.

from fedora-coreos-config.

The dnsmasq entries have been moved to root:root ownership in dnsmasq-2.86-10.fc36.

from fedora-coreos-config.

The ssh_keys group got moved to a static GID in openssh-8.8p1-3 (F37).

from fedora-coreos-config.

I think rpm-ostree should traverse the target root (it has to anyways) and warn if there are any non-root owned files in /usr with dynamic ids.

from fedora-coreos-config.

It'd be good to socialize this on e.g. fedora-devel@ - this work conceptually isn't specific to FCOS and needs to be something that other OS developers/packagers understand. @lucab mind doing that?

from fedora-coreos-config.

May even be Change worthy. Or perhaps packaging guidelines. And/or ensure that any tests for this are e.g. executed also for other editions.

from fedora-coreos-config.

I think this should actually be an rpm-ostree builtin feature.

from fedora-coreos-config.

@cgwalters mind detailing what is the this above? I was thinking of moving the ownership details of /etc content to systemd-tpmfiles, which would work better with dynamic users/groups. But /usr content is still a build-time problem open for brainstorming.
Right now we are already doing workarounds in rpm-ostree (pinning the dynamic IDs to static ones via manifest entries).

from fedora-coreos-config.