[yocto] [meta-security][PATCH v2 3/9] trousers: tcsd.conf must be owned tss:tss

Patrick Ohly patrick.ohly at intel.com
Fri Feb 3 00:46:08 PST 2017


The upstream dist/Makefile.am ensures that /etc/tcsd.conf is owned by
tss:tss, and that must not be changed because otherwise tcsd refuses
to start.

In addition, the tss group and user should be created as a system
group and a system user respectively, because they are not normal
login accounts.  This also avoids the host-user-contaminated QA
warning, because a system "tss" user will typically not be assigned
a UID from the same range as the host user that runs the build.

Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 5737de3..6671808 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -39,7 +39,6 @@ do_install_append() {
         install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
         sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
     fi        
-    chown -R root:root ${D}${sysconfdir}/tcsd.conf
 }
 
 CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
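Review bot: The hunk's last context line, `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"`, uses `${sysconfig}` while the removed chown two lines above addressed the same file as `${sysconfdir}/tcsd.conf`; `sysconfig` does not look like a standard OE variable, so unless the recipe defines it elsewhere it expands to empty and the conffile entry becomes `/tcsd.conf`, which would let a package upgrade silently overwrite a locally edited tcsd.conf. Suggest `CONFFILES_${PN} += "${sysconfdir}/tcsd.conf"`. With the chown gone, the tss:tss ownership that tcsd insists on now depends entirely on the upstream install step and on the tss user already existing when do_install runs, so a comment at the end of do_install_append such as `# tcsd.conf must stay owned by tss:tss (set by upstream dist/Makefile.am); tcsd refuses to start otherwise` would stop the next maintainer from re-adding the chown. do_install_append starts before this hunk.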
@@ -107,8 +106,8 @@ INITSCRIPT_NAME = "trousers"
 INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
 
 USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "tss"
-USERADD_PARAM_${PN} = "-M -d /var/lib/tpm -s /bin/false -g tss tss"
+GROUPADD_PARAM_${PN} = "--system tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
 
 SYSTEMD_PACKAGES = "${PN}"
 SYSTEMD_SERVICE_${PN} = "tcsd.service"
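Review bot: `--system` only moves the tss UID/GID into the system range; the actual numbers are still allocated dynamically when useradd runs during the build, and the tss:tss ownership of tcsd.conf and /var/lib/tpm that this series relies on is packaged with whatever UID was chosen at that point. If the target image ends up creating tss with a different UID (presumably possible when another recipe or a pre-existing passwd entry defines it first), tcsd's ownership check would fail at startup, so it is worth either pinning the IDs through useradd-staticids (USERADD_UID_TABLES / USERADD_GID_TABLES) or documenting the dependency above USERADD_PACKAGES, e.g. `# tss must exist before do_install so tcsd.conf and /var/lib/tpm are packaged as tss:tss`. `-M -d /var/lib/tpm` means the home directory is not created by useradd; the note should also say which task creates /var/lib/tpm, since that is not visible in this hunk.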
-- 
git-series 0.9.1


