Add an allowlist test for non-root owned files and ensure their UID/GID are statically allocated

[travier]

Most of the files that are shipped as part of the ostree commit are root:root owned but a very small subset is not.

To make sure that those files end up using the same user and group in the final system, we need to make sure that their user -> UID and group -> GID associations are static.

Let's make a test that verify that for our current set of files.

See:

• https://bugzilla.redhat.com/show_bug.cgi?id=2104595
• Similar existing tests:
  • https://github.com/coreos/fedora-coreos-config/blob/testing-devel/tests/kola/files/file-directory-permissions
  • https://github.com/coreos/fedora-coreos-config/blob/testing-devel/tests/kola/files/setgid

[lucab]

I did an analysis pass on the OS content of current next, and these are the entries that need some tweaking:

# ostree ls <REV> -R / | grep -v ' 0 0'

-00640 0 992    540 /usr/etc/chrony.keys
-00644 0 985  27981 /usr/etc/dnsmasq.conf
d00755 0 985      0 /usr/etc/dnsmasq.d
d00750 0 998      0 /usr/etc/polkit-1/localauthority
d00700 999 0      0 /usr/etc/polkit-1/rules.d
-02555 0 999 334248 /usr/libexec/openssh/ssh-keysign
d00700 999 0      0 /usr/share/polkit-1/rules.d

These are the packages and bugzilla tickets for each of those:

• chrony: could be moved to a tmpfiles.d fragment (or get a static ID) - https://bugzilla.redhat.com/show_bug.cgi?id=2104918
• dnsmasq: could be moved to plain root:root ownership - https://bugzilla.redhat.com/show_bug.cgi?id=2104973
• openssh: group ssh_keys needs static GID - https://bugzilla.redhat.com/show_bug.cgi?id=2104595
• polkit: user/group polkitd need static ID - https://bugzilla.redhat.com/show_bug.cgi?id=2104615

[lucab]

The dnsmasq entries have been moved to root:root ownership in dnsmasq-2.86-10.fc36.

[cgwalters]

It'd be good to socialize this on e.g. fedora-devel@ - this work conceptually isn't specific to FCOS and needs to be something that other OS developers/packagers understand. @lucab mind doing that?

[cgwalters]

May even be Change worthy. Or perhaps packaging guidelines. And/or ensure that any tests for this are e.g. executed also for other editions.

[lucab]

Yes, that would help for packages that aren't directly used for base FCOS images. I'll try to put something together for fedora-devel after this initial small round of packages for our scenario is fixed.

[lucab]

The ssh_keys group got moved to a static GID in openssh-8.8p1-3 (F37).

[cgwalters]

I think this should actually be an rpm-ostree builtin feature.

[lucab]

@cgwalters mind detailing what is the this above? I was thinking of moving the ownership details of /etc content to systemd-tpmfiles, which would work better with dynamic users/groups. But /usr content is still a build-time problem open for brainstorming.
Right now we are already doing workarounds in rpm-ostree (pinning the dynamic IDs to static ones via manifest entries).

[cgwalters]

I think rpm-ostree should traverse the target root (it has to anyways) and warn if there are any non-root owned files in /usr with dynamic ids.