From 9abe624265d1ede86c2bd38be544405ee9be0d5b Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 7 May 2026 22:24:42 +0100 Subject: [PATCH] Install and use sysusers.d/tmpfiles.d config files sysusers.d/tmpfiles.d config files allow a package to use declarative configuration instead of manually written maintainer scripts. This also allows image-based systems to be created with /usr/ only, and also allows for factory resetting a system and recreating /etc/ on boot. https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html Tests: - /var/lib/plinth and /var/lib/plinth/sessions/ are created on package install. Ownership is plinth:plinth. 0755 is permissions. - /var/lib/plinth/firstboot-wizard-secret file is created on package install. Ownership is plinth:plinth. 0400 is permissions. During first wizard, providing the secret works. - /var/lib/plinth/backups-data is owned by root:root. - When upgrading from old package to new the permissions don't change. - When reinstalling the new package, the permissions do not change. - User is created same as before. plinth:x:987:987:FreedomBox service:/var/lib/plinth:/usr/sbin/nologin - Group is created same as before. plinth:x:987: - id plinth uid=987(plinth) gid=987(plinth) groups=987(plinth) - Upgrading from old package to new does not change user and group records. - Reinstalling new version does not change user and group records. [sunil: Don't recursively change ownership for /var/lib/plinth/] [sunil: Change ownership specifically for /var/lib/plinth/firstboot-wizard-secret] 
Signed-off-by: Sunil Mohan Adapa Reviewed-by: Sunil Mohan Adapa Tested-by: Sunil Mohan Adapa --- debian/control | 2 +- debian/freedombox.postinst | 12 ------------ debian/freedombox.sysusers | 1 + debian/freedombox.tmpfiles | 3 +++ 4 files changed, 5 insertions(+), 13 deletions(-) create mode 100644 debian/freedombox.sysusers create mode 100644 debian/freedombox.tmpfiles diff --git a/debian/control b/debian/control index d130d3bf2..21d662fa0 100644 --- a/debian/control +++ b/debian/control @@ -11,6 +11,7 @@ Uploaders: James Valleroy , Build-Depends: debhelper-compat (= 13), + dh-sequence-installsysusers, dblatex, dh-python, docbook-xsl, @@ -74,7 +75,6 @@ Depends: ${python3:Depends}, ${misc:Depends}, ${freedombox:Depends}, - adduser, augeas-tools, bind9-dnsutils, curl, diff --git a/debian/freedombox.postinst b/debian/freedombox.postinst index c824606f7..ff6bc2a58 100755 --- a/debian/freedombox.postinst +++ b/debian/freedombox.postinst @@ -13,21 +13,9 @@ sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth case "$1" in configure) - if ! getent group plinth >/dev/null; then - addgroup --system --quiet plinth - fi - - if ! getent passwd plinth >/dev/null; then - adduser --system --quiet --ingroup plinth --no-create-home --home /var/lib/plinth plinth - fi - - chown plinth: /var/lib/plinth - chown plinth: /var/lib/plinth/sessions - if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then umask 377 base64 < /dev/urandom | head -c 16 | sed -e 's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret - chown plinth:plinth /var/lib/plinth/firstboot-wizard-secret db_subst plinth/firstboot_wizard_secret secret $(cat /var/lib/plinth/firstboot-wizard-secret) db_input high plinth/firstboot_wizard_secret || true db_go diff --git a/debian/freedombox.sysusers b/debian/freedombox.sysusers new file mode 100644 index 000000000..d79adecfc --- /dev/null +++ b/debian/freedombox.sysusers @@ -0,0 +1 @@ +u! plinth - "FreedomBox service" /var/lib/plinth 
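Review bot: In the `if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]` branch at the end of this hunk, the secret is still written by root under `umask 377`, but nothing in the script hands it to plinth any more. The service can therefore read it only after the new tmpfiles.d entry has been applied. That step lives in the debhelper-generated fragment, which presumably runs after this block and only where systemd-tmpfiles is available; neither is visible in the hunk, so both are worth confirming for container and chroot installs. I would add a comment above the `base64` line, for example `# Created root:root 0400 here; tmpfiles.d (debian/freedombox.tmpfiles) sets plinth:plinth afterwards.`, so that a later reader neither re-adds the chown nor assumes the file is readable immediately. The `case` block continues outside the hunk.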
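Review bot: `u!` in the single line of debian/freedombox.sysusers is not a like-for-like replacement for the removed `adduser --system` call. As far as I know, `u!` was introduced in systemd 257 and creates a fully locked account, where plain `u` only disables password login. The tests in the commit message compare the passwd and group records but not the shadow entry, and systemd-sysusers leaves existing accounts untouched, so fresh installs and upgraded systems would end up with differently locked accounts. If the stricter lock is intended, say so in a comment at the top of the file, e.g. `# plinth: fully locked service account (sysusers "u!")`, and consider a versioned systemd dependency. Otherwise `u plinth - "FreedomBox service" /var/lib/plinth` matches the old behaviour more closely.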
diff --git a/debian/freedombox.tmpfiles b/debian/freedombox.tmpfiles
new file mode 100644
index 000000000..6a93eb87c
--- /dev/null
+++ b/debian/freedombox.tmpfiles
@@ -0,0 +1,3 @@
+d /var/lib/plinth 0755 plinth plinth
+d /var/lib/plinth/sessions 0755 plinth plinth
+Z /var/lib/plinth/firstboot-wizard-secret 0400 plinth plinth
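Review bot: The third added line uses `Z`, the recursive variant, on what is a single regular file. The non-recursive `z /var/lib/plinth/firstboot-wizard-secret 0400 plinth plinth` says exactly what is meant and cannot descend into anything if that path is ever a directory. It also fits the intent stated in the commit message not to change ownership recursively under /var/lib/plinth. Separately, `d /var/lib/plinth/sessions 0755 plinth plinth` now pins that directory as world-listable on every tmpfiles run. If the service keeps session files there whose names carry session identifiers (not visible in this patch), 0700 or 0750 would be the safer mode.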