etc: synchronize master.password, group to NetBSD

IMPORTANT: this change has a docs/UPDATING entry!

This change is a long overdue switch-over from the old MINIX set of
user and group accounts to the NetBSD set.  This switch-over is
increasingly important now that we are importing more and more
utilities from NetBSD, several of which expect various user accounts
to exist.  By switching over in one go, we save ourselves various
headaches in the long run, even if the switch-over itself is a bit
painful for existing MINIX users.

The newly imported master.passwd and group files have three exceptions
compared to their NetBSD originals:

1. There is a custom "service" account for MINIX 3 services.  This
   account is used to limit run-time privileges of various system
   services, and is not used for any files on disk.  Its user ID may
   be changed later, but should always correspond to whatever the
   SERVICE_UID definition is set to.
2. The user "bin" has its shell set to /bin/sh, instead of NetBSD's
   /sbin/nologin.  The reason for this is that the test set in
   /usr/tests/minix-posix will not be able to run otherwise.
3. The group "operator" has been set to group ID 0, to match its old
   value.  This tweak is purely for transitioning purposes: as of
   writing, pkgsrc packages are still using root:operator as owner and
   group for most installed files.  Sometime later, we can change back
   "operator" to group ID 5 without breaking anything, because it does
   not appear that this group name is used for anything important.

Change-Id: I689bcfff4cf7ba85c27d1ae579057fa3f8019c68

crypto/external/bsd/libsaslc/etc/Makefile

@@ -7,11 +7,7 @@ SUBDIR=mech
 .if ${MKSHARE} != "no"
 FILESDIR=/usr/share/examples/libsaslc
 FILESOWN=root
-.if !defined(__MINIX)
 FILESGRP=wheel
-.else
-FILESGRP=operator
-.endif # !defined(__MINIX)
 FILESMODE=444
 
 FILES= saslc.conf

crypto/external/bsd/libsaslc/etc/mech/Makefile

@@ -5,11 +5,7 @@
 .if ${MKSHARE} != "no"
 FILESDIR=/usr/share/examples/libsaslc/mech
 FILESOWN=root
-.if !defined(__MINIX)
 FILESGRP=wheel
-.else
-FILESGRP=operator
-.endif # !defined(__MINIX)
 FILESMODE=444
 
 FILES=

distrib/common/parselist.awk

@@ -133,7 +133,7 @@ BEGIN \
 		print "install:"
 	} else if (mode == "mtree") {
 		print "/unset\tall";
-		print "/set\ttype=file uname=root gname=operator";
+		print "/set\ttype=file uname=root gname=wheel";
 		print;
 	} else if (mode == "populate") {
 		print "cd " ENVIRON["CURDIR"];

distrib/sets/maketars

@@ -185,7 +185,7 @@ for setname in ${lists}; do
 		    > "${SDIR}/flist.${setname}.full" \
 		    || exit 1
 		(
-			echo "/set uname=root gname=operator"
+			echo "/set uname=root gname=wheel"
 			${AWK} -f "${rundir}/join.awk" \
 				"${SDIR}/flist.${setname}.full" "${metalog}"
 			echo "./etc/mtree/set.${setname} type=file mode=0444"

distrib/sets/regpkg

@@ -819,7 +819,7 @@ create_syspkg_tgz()
 					"${spec1}" "${metalog}"
 				${AWK} -f "${rundir}/join.awk" \
 					"${spec1}" /dev/stdin <<EOF
-./etc/mtree/set.${pkgset} type=file mode=0444 uname=root gname=operator
+./etc/mtree/set.${pkgset} type=file mode=0444 uname=root gname=wheel
 EOF
 			else
 				cat "${spec1}"

docs/UPDATING

@@ -1,3 +1,77 @@
+20170218:
+	Before starting a build, you will have to update your master.passwd and
+	group files in /etc.  This is needed because we have switched over from
+	the old set of MINIX users and groups to the new set of NetBSD users
+	and groups, as needed by various imported tools.  Follow these steps.
+
+	1. Make a back-up copy of your old master.passwd and group files:
+
+		# cp /etc/master.passwd /etc/master.passwd~
+		# cp /etc/group /etc/group~
+
+	2. Install /usr/src/etc/master.passwd to /etc/master.passwd, and
+	   install /usr/src/etc/group to /etc/group.  If you have NOT created
+	   any local user accounts yourself, for example because you are
+	   upgrading a fresh MINIX 3 installation right away, all you need to
+	   do is copy over those two files:
+
+		# cp /usr/src/etc/master.passwd /etc/master.passwd
+		# cp /usr/src/etc/group /etc/group
+
+	   If you DO have custom user accounts or groups, you need to merge
+	   their lines (and only those!) into the new master.passwd and group
+	   files manually.  If you are unsure whether you have such custom
+	   entries, you can use the following commands:
+
+		# cd /usr/src
+		# git show 68804c2:etc/master.passwd | diff -u - /etc/master.passwd
+		# git show 68804c2:etc/group | diff -u - /etc/group
+
+	   This should show any changes compared to the old two templates.  If
+	   you have such changes, you need to reapply them after copying over
+	   the new two templates.  The following procedure shows one approach:
+
+		# cd /usr/src
+		# cp /etc/master.passwd /tmp/my-passwd
+		# vi /tmp/my-passwd
+		<remove any lines from /tmp/my-passwd that have no password>
+		# cp /usr/src/etc/master.passwd /etc/master.passwd
+		# cat /tmp/my-passwd >> /etc/master.passwd
+		# rm /tmp/my-passwd
+
+	   ..and follow a similar procedure for /etc/group.
+
+	3. Once the new files are in place, update all derived password files:
+
+		# pwd_mkdb -p /etc/master.passwd
+
+	   If you did everything right so far, the following command:
+
+		# postinstall check uid gid
+
+	   ..should show "postinstall checks passed: uid gid" and no failures.
+
+	4. Now perform a full build as usual:
+
+		# cd /usr/src
+		# make build
+
+	   As part of the build, all /dev files will get new proper ownership.
+
+	5. There may still be files that are owned by users and groups that now
+	   have been renumbered.  It is advisable to run at least the following
+	   three commands to apply the renumbering to the most common files:
+
+		# find / -user 2 -exec chown bin \{\} \;
+		# find / -user 5 -exec chown uucp \{\} \;
+		# find / -user 9998 -exec chown games \{\} \;
+
+	   If you have installed custom programs, you may want to check whether
+	   they are not affected by the change.  This should be rare, though.
+
+	Until a subsequent reboot, various running services will show up in
+	ps(1) output and /proc as owned by "postfix".  This is no problem.
+
 20170122:
 	MINIX 3 did not import NetBSD's passwd.conf file, which makes the
 	userland fall back by default to the old, broken UNIX password hashing

etc/Makefile

@@ -91,7 +91,7 @@ INSTALLATION_DIRS=	binary binary/sets binary/kernel installation
 
 # -rw-r--r--
 BINOWN= root
-BINGRP= operator
+BINGRP= wheel
 UTMPGRP= utmp
 .if defined(__MINIX)
 BIN1+=	boot.cfg.default \
@@ -296,15 +296,15 @@ CONFIGSYMLINKS+=	\
 #
 install-etc-files: .PHONY .MAKE check_DESTDIR MAKEDEV
 	${_MKMSG_INSTALL} ${DESTDIR}/etc/master.passwd
-	${ETC_INSTALL_FILE} -o root -g operator -m 600 \
+	${ETC_INSTALL_FILE} -o root -g wheel -m 600 \
 	    master.passwd ${DESTDIR}/etc
 	${TOOL_PWD_MKDB} -p ${PWD_MKDB_ENDIAN} -d ${DESTDIR}/ \
 	    ${DESTDIR}/etc/master.passwd
 .if ${MKUNPRIVED} != "no"
 	( \
 		mode=0600; \
 		for metaent in spwd.db passwd pwd.db; do \
-	    		echo "./etc/$${metaent} type=file mode=$${mode} uname=root gname=operator tags=etc_pkg"; \
+	    		echo "./etc/$${metaent} type=file mode=$${mode} uname=root gname=wheel tags=etc_pkg"; \
 			mode=0644; \
 		done; \
 	) | ${METALOG.add}
@@ -351,7 +351,6 @@ install-etc-files: .PHONY .MAKE check_DESTDIR MAKEDEV
 	${MAKEDIRTARGET} . install-etc-files-safe
 
 install-etc-files-safe: .PHONY .MAKE check_DESTDIR MAKEDEV
-# LSC Minix administrator group is operator, not wheel
 .endif # defined(__MINIX)
 	${_MKMSG_INSTALL} ${DESTDIR}/etc/ttys
 .if !defined(__MINIX)
@@ -393,7 +392,6 @@ install-etc-files-safe: .PHONY .MAKE check_DESTDIR MAKEDEV
 # TAC to the .for block above.
 .if !defined(__MINIX)
 .for owner group mode file in \
-		${BINOWN} operator	664	/etc/ttys  \
 		${BINOWN} operator	664	/etc/dumpdates  \
 		${BINOWN} operator	600	/etc/skeykeys \
 		root wheel		600	/var/at/at.deny \

etc/group

@@ -1,29 +1,35 @@
-operator:*:0:
-daemon:*:1:
-bin:*:2:
-other:*:3:
-tty:*:4:
-uucp:*:5:
-news:*:6:
-ftp:*:7:
-kmem:*:8:
-www:*:9:
-driver:*:10:
-server:*:11:
+wheel:*:0:root
+daemon:*:1:daemon
+kmem:*:2:root
+sys:*:3:root
+tty:*:4:root
+operator:*:0:root
+mail:*:6:
+bin:*:7:
+wsrc:*:9:
+maildrop:*:11:
+postfix:*:12:
 games:*:13:
+named:*:14:
+ntpd:*:15:
+sshd:*:16:
 _pflogd:*:18:
 _rwhod:*:19:
+staff:*:20:root
 _proxy:*:21:
 _timedc:*:22:
 _sdpd:*:23:
 _httpd:*:24:
 _mdnsd:*:25:
 _tests:*:26:
 _tcpdump:*:27:
-smtpd:*:40:
-postfix:*:41:
-maildrop:*:42:
-mail:*:43:
-sshd:*:44:
-nogroup:*:99:
+_tss:*:28:
+_gpio:*:29:
+_rtadvd:*:30:
+guest:*:31:root
+nobody:*:39:
+utmp:*:45:
+authpf:*:72:
 users:*:100:
+dialer:*:117:
+nogroup:*:32766:

etc/master.passwd

@@ -1,16 +1,24 @@
-root::0:0::0:0:Big Brother:/root:/bin/sh
-daemon:*:1:1::0:0:The Deuce:/etc:/bin/sh
-bin:*:2:0::0:0:Binaries Commands and Source:/nonexistent:/bin/sh
-uucp:*:5:5::0:0:UNIX to UNIX copy:/usr/spool/uucp:/usr/bin/uucico
-news:*:6:6::0:0:Usenet news:/usr/spool/news:/bin/sh
-ftp:*:7:7::0:0:Anonymous FTP:/usr/ftp:/bin/sh
-www:*:9:9::0:0:World Wide Web:/usr/www:/bin/sh
-driver:*:10:10::0:0:Device Drivers:/:/bin/sh
-server:*:11:11::0:0:OS Servers:/:/bin/sh
-service:*:12:12::0:0:System Services:/:/bin/sh
-sshd:*:22:22::0:0:sshd:/:/bin/sh
-smtpd:*:25:25::0:0:smtpd:/:/bin/sh
-postfix:*:27:27::0:0:postfix:/usr/var/spool/postfix:/usr/bin/false
-postgres:*:30:30::0:0:postgresql:/:/usr/bin/false
-games:*:9998:13::0:0:games:/:/bin/sh
-nobody:*:9999:39::0:0:Unprivileged user:/tmp:/bin/sh
+root::0:0::0:0:Charlie &:/root:/bin/sh
+toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
+daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
+operator:*:2:5::0:0:System &:/usr/guest/operator:/sbin/nologin
+bin:*:3:7::0:0:Binaries Commands and Source:/:/bin/sh
+games:*:7:13::0:0:& pseudo-user:/usr/games:/sbin/nologin
+postfix:*:12:12::0:0:& pseudo-user:/var/spool/postfix:/sbin/nologin
+named:*:14:14::0:0:& pseudo-user:/var/chroot/named:/sbin/nologin
+ntpd:*:15:15::0:0:& pseudo-user:/var/chroot/ntpd:/sbin/nologin
+sshd:*:16:16::0:0:& pseudo-user:/var/chroot/sshd:/sbin/nologin
+_pflogd:*:18:18::0:0:& pseudo-user:/var/chroot/pflogd:/sbin/nologin
+_rwhod:*:19:19::0:0:& pseudo-user:/var/rwho:/sbin/nologin
+_proxy:*:21:21::0:0:Proxy Services:/nonexistent:/sbin/nologin
+_timedc:*:22:22::0:0:& pseudo-user:/nonexistent:/sbin/nologin
+_sdpd:*:23:23::0:0:& pseudo-user:/nonexistent:/sbin/nologin
+_httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
+_mdnsd:*:25:25::0:0:& pseudo-user:/nonexistent:/sbin/nologin
+_tests:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
+_tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
+_tss:*:28:28::0:0:& pseudo-user:/var/tpm:/sbin/nologin
+_rtadvd:*:30:30::0:0:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
+uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
+service:*:999:0::0:0:System Services:/:/sbin/nologin
+nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin

etc/mtree/special

@@ -13,8 +13,7 @@
 #	  with diff(1)s if $check_changelist is enabled.
 #
 
-#__MINIX: gname is not wheel
-/set uname=root gname=operator
+/set uname=root gname=wheel
 
 .				type=dir  mode=0755
 

etc/rc.subr

@@ -1053,13 +1053,13 @@ backup_file()
 			ci -q -f -u -t-"$_msg0" -m"$_msg1" $_cur
 			rcs -q -kb -U $_cur
 			co -q -f -u $_cur
-			chown root:operator $_cur $_cur,v
+			chown root:wheel $_cur $_cur,v
 			;;
 		remove)
 			cp /dev/null $_cur
 			ci -q -f -u -t-"$_msg0" -m"$_msg1" $_cur
 			rcs -q -kb -U $_cur
-			chown root:operator $_cur $_cur,v
+			chown root:wheel $_cur $_cur,v
 			rm $_cur
 			;;
 		esac
@@ -1070,7 +1070,7 @@ backup_file()
 				cp -p $_cur $_back
 			fi
 			cp -p $_file $_cur
-			chown root:operator $_cur
+			chown root:wheel $_cur
 			;;
 		remove)
 			mv -f $_cur $_back

external/mit/xorg/share/fonts/Makefile.mkfontscale

@@ -14,12 +14,11 @@ _MAKEFILE_MKFONTSCALE_=1
 MKFONTSCALEDIR!=	cd ${NETBSDSRCDIR}/external/mit/xorg/tools/mkfontscale && ${PRINTOBJDIR}
 MKFONTSCALE=	${MKFONTSCALEDIR}/mkfontscale
 
-#__MINIX: gname=operator instead of wheel
 afterinstall: create.fonts.dir create.fonts.scale
 .if ${MKUNPRIVED} != "no"
-	echo ".${FILESDIR}/fonts.dir type=file mode=0444 uname=root gname=operator" \
+	echo ".${FILESDIR}/fonts.dir type=file mode=0444 uname=root gname=wheel" \
 	    | ${METALOG.add}
-	echo ".${FILESDIR}/fonts.scale type=file mode=0444 uname=root gname=operator" \
+	echo ".${FILESDIR}/fonts.scale type=file mode=0444 uname=root gname=wheel" \
 	    | ${METALOG.add}
 .endif
 	${_MKMSG_INSTALL} ${DESTDIR}${FILESDIR}/encodings.dir

minix/commands/MAKEDEV/MAKEDEV.sh

@@ -191,7 +191,7 @@ for dev in ${DEVICES}
 do
 	# Reset the defaults
 	uname=root
-	gname=operator
+	gname=wheel
 	permissions=600
 
 	case ${dev} in

minix/commands/term/Makefile

@@ -1,5 +1,3 @@
 PROG=	term
-BINGRP= uucp
-BINMODE= 2755
 
 .include <bsd.prog.mk>

minix/drivers/storage/ramdisk/Makefile

@@ -190,9 +190,9 @@ etc/master.passwd: ${NETBSDSRCDIR}/etc/master.passwd
 	${TOOL_PWD_MKDB} -V 0 -p -d . etc/master.passwd
 
 proto.dev.mtree:
-	@echo ". type=dir uname=root gname=operator mode=0755" \
+	@echo ". type=dir uname=root gname=wheel mode=0755" \
 		>${.TARGET}.tmp && \
-	echo "./dev type=dir uname=root gname=operator mode=0755" \
+	echo "./dev type=dir uname=root gname=wheel mode=0755" \
 		>>${.TARGET}.tmp && \
 	${NETBSDSRCDIR}/minix/commands/MAKEDEV/MAKEDEV.sh -m -r \
 		>> ${.TARGET}.tmp && mv ${.TARGET}.tmp ${.TARGET}

minix/fs/hgfs/hgfs.8

@@ -32,7 +32,7 @@ The default is root (the number \fB0\fR).
 .TP
 \fBgid=\fInumber\fR
 Likewise, sets the group ID for all files and directories.
-The default is operator (the number \fB0\fR).
+The default is wheel (the number \fB0\fR).
 .TP
 \fBfmask=\fInumber\fR
 This option sets the file permission mask of regular files. It is specified as

minix/fs/isofs/mount.c

@@ -24,7 +24,7 @@ int fs_mount(dev_t dev, unsigned int __unused flags,
 	root_node->fn_mode = v_pri.inode_root->i_stat.st_mode;
 	root_node->fn_size = v_pri.inode_root->i_stat.st_size;
 	root_node->fn_uid = SYS_UID; /* Always root */
-	root_node->fn_gid = SYS_GID; /* operator */
+	root_node->fn_gid = SYS_GID; /* wheel */
 	root_node->fn_dev = NO_DEV;
 
 	*res_flags = RES_NOFLAGS;

minix/fs/vbfs/vbfs.8

@@ -35,7 +35,7 @@ The default is root (the number \fB0\fR).
 .TP
 \fBgid=\fInumber\fR
 Likewise, sets the group ID for all files and directories.
-The default is operator (the number \fB0\fR).
+The default is wheel (the number \fB0\fR).
 .TP
 \fBfmask=\fInumber\fR
 This option sets the file permission mask of regular files. It is specified as

minix/include/minix/rs.h

@@ -13,11 +13,13 @@ Interface to the reincarnation server
 
 #define SERVICE_LOGIN	"service"	/* passwd file entry for services */
 
-/* The following definition should be kept in sync with the actual /etc/passwd
- * value for SERVICE_LOGIN for now, and removed altogether once we are able to
- * obtain its value dynamically everywhere.
+/* The following definition should be kept in sync with the actual
+ * /etc/master.passwd value for SERVICE_LOGIN for now, and removed altogether
+ * once we are able to obtain its value dynamically everywhere.  The value has
+ * been chosen so as to avoid creating conflicts with future NetBSD additions
+ * to the password files, although one can never be sure.
  */
-#define SERVICE_UID		12		/* user ID for services */
+#define SERVICE_UID		999		/* user ID for services */
 
 /* RSS definitions. */
 #define RSS_NR_IRQ		16

minix/servers/rs/main.c

@@ -442,7 +442,7 @@ static int sef_cb_init_fresh(int UNUSED(type), sef_init_info_t *UNUSED(info))
       panic("unable to clone current RS instance: %d", s);
   }
 
-  /* Fork a new RS instance with root:operator. */
+  /* Fork a new RS instance with root:wheel. */
   pid = srv_fork(0, 0);
   if(pid < 0) {
       panic("unable to fork a new RS instance: %d", pid);