Use DynamicUser instead of static users

To allow this, we need a more lenient policy for owning the service's
name on the system bus.

data/dbus/org.learningequality.Kolibri.Daemon.conf.in

@@ -1,13 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
-  <!-- Only @KOLIBRI_USER@ can own the service -->
-  <policy user="@KOLIBRI_USER@">
-    <allow own="@KOLIBRI_DAEMON_SERVICE@" />
-  </policy>
-
   <!-- Any user can call into the service -->
   <policy context="default">
+    <allow own="@KOLIBRI_DAEMON_SERVICE@" />
     <allow send_destination="@KOLIBRI_DAEMON_SERVICE@" send_interface="org.freedesktop.DBus.Introspectable" />
     <allow send_destination="@KOLIBRI_DAEMON_SERVICE@" send_interface="org.freedesktop.DBus.Properties" />
     <allow send_destination="@KOLIBRI_DAEMON_SERVICE@" send_interface="org.learningequality.Kolibri.Daemon" />

data/dbus/org.learningequality.Kolibri.Daemon.service.in

@@ -1,5 +1,5 @@
 [D-BUS Service]
 Name=@KOLIBRI_DAEMON_SERVICE@
 Exec=/bin/false
-User=@KOLIBRI_USER@
+User=root
 SystemdService=dbus-@[email protected]

data/meson.build

@@ -1,6 +1,4 @@
 subdir('dbus')
 subdir('environment.d')
 subdir('systemd')
-subdir('sysusers.d')
-subdir('tmpfiles.d')
 

data/systemd/dbus-org.learningequality.Kolibri.Daemon.service.in

@@ -6,5 +6,8 @@ ConditionPathExists=/var/lib/flatpak/app/@KOLIBRI_FLATPAK_ID@
 Type=dbus
 BusName=@KOLIBRI_DAEMON_SERVICE@
 ExecStart=@libexecdir@/eos-kolibri-daemon
+DynamicUser=yes
 User=@KOLIBRI_USER@
-PrivateTmp=yes
+RuntimeDirectory=kolibri
+StateDirectory=kolibri
+Environment=HOME=%t/kolibri

meson.build

@@ -51,12 +51,8 @@ dbus_system_conf_dir = join_paths(datadir, 'dbus-1', 'system.d')
 
 kolibri_user = get_option('kolibri_user')
 
-kolibri_user_home = get_option('kolibri_user_home')
-if kolibri_user_home == ''
-    kolibri_user_home = join_paths(get_option('prefix'), get_option('localstatedir'), 'lib', 'kolibri')
-endif
+kolibri_data_dir = join_paths(get_option('prefix'), get_option('localstatedir'), 'lib', 'kolibri', 'data')
 
-kolibri_data_dir = join_paths(kolibri_user_home, 'data')
 kolibri_flatpak_id = get_option('kolibri_flatpak_id')
 kolibri_daemon_service = '@[email protected]'.format(kolibri_flatpak_id)
 
@@ -66,7 +62,6 @@ eos_kolibri_config.set('libexecdir', libexecdir)
 eos_kolibri_config.set('PYTHON', 'python3')
 eos_kolibri_config.set('PYTHON_INSTALL_DIR', python_install_dir)
 eos_kolibri_config.set('KOLIBRI_USER', kolibri_user)
-eos_kolibri_config.set('KOLIBRI_USER_HOME', kolibri_user_home)
 eos_kolibri_config.set('KOLIBRI_DATA_DIR', kolibri_data_dir)
 eos_kolibri_config.set('KOLIBRI_FLATPAK_ID', kolibri_flatpak_id)
 eos_kolibri_config.set('KOLIBRI_DAEMON_SERVICE', kolibri_daemon_service)

meson_options.txt

@@ -33,13 +33,6 @@ option(
     description: 'user to create for the system service'
 )
 
-option(
-    'kolibri_user_home',
-    type: 'string',
-    value: '',
-    description: 'home directory for the system user [default=$localstatedir/lib/kolibri]'
-)
-
 option(
     'kolibri_flatpak_id',
     type: 'string',

src/eos-kolibri-daemon.in

@@ -1,6 +1,10 @@
 #!/bin/sh
 
-: ${KOLIBRI_HOME:="@KOLIBRI_DATA_DIR@"}
+: ${STATE_DIRECTORY:=/var/lib/kolibri}
+
+export KOLIBRI_HOME="${STATE_DIRECTORY}/data"
+
+mkdir -p "${KOLIBRI_HOME}"
 
 @bindir@/flatpak run \
    --no-desktop \

src/eos_kolibri/config.py.in

@@ -1,7 +1,6 @@
 #!/usr/bin/python3
 
+KOLIBRI_DATA_DIR = '@KOLIBRI_DATA_DIR@'
 KOLIBRI_FLATPAK_ID = '@KOLIBRI_FLATPAK_ID@'
 KOLIBRI_SYSTEMD_SERVICE_NAME = 'dbus-@[email protected]'
-
 KOLIBRI_USER = '@KOLIBRI_USER@'
-KOLIBRI_DATA_DIR = '@KOLIBRI_DATA_DIR@'