Add eclass which overrides existing portage mechanisms for UID/GID management. In accordance with http://www.gentoo.org/proj/en/glep/glep-0027.html, this patch adds a mechanism for managing UIDs and GIDs centrally and consistently in a build environment. Users and groups are managed by a tree of files containing key:value pairs as discussed in the GLEP. Examples and more can be found in the profiles/base/accounts/README. CQ-DEPEND=CL:181874,CL:182560 BUG=chromium:205164 TEST=FAIL: create a group with an already-used GID TEST=FAIL: create a group not mentioned in profile/ TEST=FAIL: create a group with a different GID than is specified in profile/ TEST=FAIL: create a group with default GID, and none is specified in profile/ TEST=GOOD: create a group with default GID, profile/ specifies TEST=GOOD: create a group with same GID that profile/ specifies TEST=GOOD: create a group with given GID, and none is specified in profile/ TEST=FAIL: create a user with an already-used UID TEST=FAIL: create a user not mentioned in profile/ TEST=FAIL: create a user with a different UID than is specified in profile/ TEST=FAIL: create a user with default UID, and none is specified in profile/ TEST=GOOD: create a user with default UID (none, or -1), profile/ specifies TEST=GOOD: create a user with same UID that profile/ specifies TEST=GOOD: create a user with given UID, and none is specified in profile/ TEST=lumpy-paladin trybot: http://chromegw/i/chromiumos.tryserver/builders/lumpy-paladin/builds/1487 TEST=x86-generic-full trybot: http://chromegw/i/chromiumos.tryserver/builders/x86-generic-full/builds/1038 TEST=chromiumos-sdk trybot: http://chromegw/i/chromiumos.tryserver/builders/chromiumos-sdk/builds/1032 Change-Id: I2a7013769b1ca44a1cb6253bdd602eea23654192 Reviewed-on: https://chromium-review.googlesource.com/179894 Tested-by: Chris Masone <cmasone@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> Commit-Queue: Chris Masone <cmasone@chromium.org>

commit: 2dfab5affb850a45139e1c556663197a721ea188 [log] [tgz]
author: Chris Masone <cmasone@chromium.org> Tue Dec 10 11:22:29 2013 -0800
committer: chrome-internal-fetch <chrome-internal-fetch@google.com> Fri Jan 24 23:50:48 2014 +0000
tree: 1b4cdf7dc80d8b392f4949541082a2a0a4a15dea
parent: 185699e91a8e7b3ba0d7ff53497b933c8d8533bc [diff]
diff --git a/eclass/user.eclass b/eclass/user.eclass
new file mode 100644
index 0000000..2233cdf
--- /dev/null
+++ b/eclass/user.eclass

@@ -0,0 +1,384 @@
+# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# @ECLASS: user.eclass
+# @MAINTAINER:
+# The Chromium OS Authors. <chromium-os-dev@chromium.org>
+# @BLURB: user management in ebuilds
+# @DESCRIPTION:
+# Replaces the upstream mechanism of managing users and groups with one that
+# manages the database in ${ROOT}, changing the sysroot database
+# only when the caller creates the user/group during setup.
+
+# Before we manipulate users at all, we want to make sure that
+# passwd/group/shadow is initialized in the first place. That's
+# what baselayout does.
+#
+# We should consider providing a virtual to abstract away this dependency.
+# This would allow CrOS builds to completely specify all users and groups,
+# instead of accepting the assumption (expressed in baselayout, currently)
+# that every build wants groups like wheel, tty and so forth.
+if [ "${PN}" != "baselayout" ]; then
+	DEPEND="sys-apps/baselayout"
+	RDEPEND="sys-apps/baselayout"
+fi
+
+# @FUNCTION: _assert_pkg_ebuild_phase
+# @INTERNAL
+# @USAGE: <calling func name>
+_assert_pkg_ebuild_phase() {
+	case ${EBUILD_PHASE} in
+	setup|preinst|postinst) ;;
+	*)
+		eerror "'$1()' called from '${EBUILD_PHASE}' phase which is not OK:"
+		eerror "You may only call from pkg_{setup,preinst,postinst} functions."
+		eerror "Package fails at QA and at life.  Please file a bug."
+		die "Bad package!  $1 is only for use in some pkg_* functions!"
+	esac
+}
+
+# If an overlay has eclass overrides, but doesn't actually override the
+# user.eclass, we'll have USER_ECLASSDIR pointing to the active overlay's
+# eclass/ dir, but the users and groups templates are still in our profiles/.
+USER_ECLASSDIR_LOCAL=${BASH_SOURCE[0]%/*}
+ACCOUNTS_DIR_LOCAL="${USER_ECLASSDIR_LOCAL}/../profiles/base/accounts/"
+
+# @FUNCTION: _get_value_for_user
+# @INTERNAL
+# @USAGE: <user> <key>
+# @DESCRIPTION:
+# Gets value from appropriate account definition file.
+_get_value_for_user() {
+	local user=$1 key=$2
+	[[ $# -ne 2 ]] && die "usage: _get_value_for_user <user> <key>"
+
+	case ${key} in
+	user|password|uid|gid|gecos|home|shell) ;;
+	*) die "sorry, '${key}' is not a field in the passwd db." ;;
+	esac
+
+	local template="${ACCOUNTS_DIR_LOCAL}/user/${user}"
+	[[ ! -e "${template}" ]] && die "No entry for ${user} at ${template}."
+	awk -F':' -v key="${key}" '$1 == key { print $2 }' "${template}"
+}
+
+# @FUNCTION: _get_value_for_group
+# @INTERNAL
+# @USAGE: <group> <key>
+# @DESCRIPTION:
+# Gets value from appropriate account definition file.
+_get_value_for_group() {
+	local group=$1 key=$2
+	[[ $# -ne 2 ]] && die "usage: _get_value_for_group <group> <key>"
+
+	case ${key} in
+	group|password|gid|users) ;;
+	*) die "sorry, '${key}' is not a field in the group db." ;;
+	esac
+
+	local template="${ACCOUNTS_DIR_LOCAL}/group/${group}"
+	[[ ! -e "${template}" ]] && die "No entry for ${group} at ${template}."
+	awk -F':' -v key="${key}" '$1 == key { print $2 }' "${template}"
+}
+
+# @FUNCTION: _portable_grab_lock
+# @INTERNAL
+# @USAGE: <lockfile>
+# @DESCRIPTION:
+# Grabs a lock on <lockfile> in a race-free, portable manner.
+# We need to use this mechanism in order to be compatible with the shadow utils
+# (groupadd, useradd, etc).
+_portable_grab_lock() {
+	local lockfile=$1
+	local lockfile_1="${lockfile}.${BASHPID}"
+	touch "${lockfile_1}"
+	until ln "${lockfile_1}" "${lockfile}" &> /dev/null; do
+		sleep 1
+	done
+	rm "${lockfile_1}" || die "Failed to lock ${lockfile}."
+}
+
+# @FUNCTION: _write_entry_to_db()
+# @INTERNAL
+# @USAGE: <entry> <database> <root>
+# @DESCRIPTION:
+# Writes an entry to the specified database under the specified root.
+_write_entry_to_db() {
+	local entry=$1 db=$2 root=$3
+
+	[[ $# -ne 3 ]] && die "usage: _write_entry_to_db <entry> <database> <root>"
+
+	case ${db} in
+	passwd|group) ;;
+	*) die "sorry, database '${db}' not supported." ;;
+	esac
+
+	local dbfile=$(readlink -e "${root}/etc/${db}")
+	[[ ! -e "${dbfile}" ]] && die "${db} under ${root} does not exist."
+
+	 # Use the same lock file as the shadow utils.
+	local lockfile="${dbfile}.lock"
+	_portable_grab_lock "${lockfile}"
+
+	echo "${entry}" >> "${dbfile}" || die "Could not write ${entry} to ${dbfile}."
+
+	rm "${lockfile}" || die "Failed to release lock on ${lockfile}."
+}
+
+# @FUNCTION: egetent
+# @USAGE: <database> <key>
+# @DESCRIPTION:
+# Provides getent-like functionality for databases under ${ROOT}.
+#
+# Supported databases: group passwd
+egetent() {
+	local db=$1 key=$2
+
+	[[ $# -ne 2 ]] && die "usage: egetent <database> <key>"
+
+	case ${db} in
+	passwd|group) ;;
+	*) die "sorry, database '${db}' not yet supported; file a bug" ;;
+	esac
+
+	local dbfile=$(readlink -e "${ROOT}/etc/${db}")
+	[[ ! -e "${dbfile}" ]] && die "${db} under ${ROOT} does not exist."
+	local lockfile="${dbfile}.lock"
+	_portable_grab_lock "${lockfile}"
+
+	awk -F':' -v key="${key}" \
+		'($1 == key || $3 == key) { print }' \
+		"${ROOT}/etc/${db}" 2>/dev/null
+
+	rm "${lockfile}" || die "Failed to release lock on ${lockfile}."
+}
+
+# @FUNCTION: enewuser
+# @USAGE: <user> [uid] [shell] [homedir] [groups]
+# @DESCRIPTION:
+# Same as enewgroup, you are not required to understand how to properly add
+# a user to the system.  The only required parameter is the username.
+# Default uid is (pass -1 for this) next available, default shell is
+# /bin/false, default homedir is /dev/null, and there are no default groups.
+enewuser() {
+	_assert_pkg_ebuild_phase ${FUNCNAME}
+
+	# get the username
+	local euser=$1; shift
+	if [[ -z ${euser} ]] ; then
+		eerror "No username specified !"
+		die "Cannot call enewuser without a username"
+	fi
+
+	# lets see if the username already exists
+	if [[ -n $(egetent passwd "${euser}") ]] ; then
+		return 0
+	fi
+
+	# Ensure username exists in profile.
+	if [[ -z $(_get_value_for_user "${euser}" user) ]] ; then
+		die "'${euser}' does not exist in profile!"
+	fi
+	einfo "Adding user '${euser}' to your system ..."
+
+	# Handle uid. Passing no UID is functionally equivalent to passing -1.
+	local provided_uid=$(_get_value_for_user "${euser}" uid)
+	local euid=$1; shift
+	if [[ -z ${euid} ]] ; then
+		euid=-1
+	elif [[ ${euid} -lt -1 ]] ; then
+		eerror "Userid given but is not greater than 0 !"
+		die "${euid} is not a valid UID."
+	fi
+	# Now, ${euid} is set and >= -1.
+	if [[ -n ${provided_uid} ]] ; then
+		# If profile has UID and caller specified '' or -1, use profile.
+		# If profile has UID and caller specified different, barf.
+		# If profile has UID and caller specified same, OK.
+		if [[ ${euid} == -1 ]] ; then
+			euid=${provided_uid}
+		elif [[ ${euid} != ${provided_uid} ]] ; then
+			eerror "Userid differs from the profile!"
+			die "${euid} != ${provided_uid} from profile."
+			# else...they're already equal, so do nothing.
+		fi
+	else
+		# If profile has no UID and caller did not specify, barf.
+		if [[ ${euid} == -1 ]] ; then
+			die "No UID specified in profile!"
+		fi
+		# If profile has no entry w/UID and caller specified one, OK.
+	fi
+
+	if [[ -n $(egetent passwd ${euid}) ]] ; then
+		eerror "UID ${euid} already taken!"
+		die "${euid} already taken in $(egetent passwd ${euid})"
+	fi
+	einfo " - Userid: ${euid}"
+
+	# handle shell
+	local eshell=$1; shift
+	if [[ -n ${eshell} && ${eshell} != "-1" ]] ; then
+		if [[ ${eshell} == */false || ${eshell} == */nologin ]] ; then
+			eerror "Do not specify ${eshell} yourself, use -1"
+			die "Pass '-1' as the shell parameter"
+		fi
+	else
+		eshell=$(_get_value_for_user "${euser}" shell)
+		${eshell:=/bin/false}
+	fi
+	if [[ ${eshell} != */false && ${eshell} != */nologin ]] ; then
+		if [[ ! -e ${ROOT}${eshell} ]] ; then
+			eerror "A shell was specified but it does not exist !"
+			die "${eshell} does not exist in ${ROOT}"
+		fi
+	fi
+	einfo " - Shell: ${eshell}"
+
+	# handle homedir
+	local ehome=$1; shift
+	if [[ -z ${ehome} || ${ehome} == "-1" ]] ; then
+		ehome=$(_get_value_for_user "${euser}" home)
+	fi
+	einfo " - Home: ${ehome}"
+
+	# Grab groups for later handling.
+	local egroups=$1; shift
+
+	# Check groups.
+	local g egroups_arr
+	IFS="," read -r -a egroups_arr <<<"${egroups}"
+	shift
+	for g in "${egroups_arr[@]}" ; do
+		enewgroup "${g}"
+	done
+	einfo " - Groups: ${egroups:-(none)}"
+
+	local comment
+	if [[ $# -gt 0 ]] ; then
+		die "extra arguments no longer supported; please file a bug."
+	else
+		comment=$(_get_value_for_user "${euser}" gecos)
+		einfo " - GECOS: ${comment}"
+	fi
+
+	local epassword=$(_get_value_for_user "${euser}" password)
+	: ${epassword:="!"}
+	local entry="${euser}:${epassword}:${euid}:${euid}:${comment}:${ehome}:${eshell}"
+	if [[ ${EBUILD_PHASE} == "setup" ]] ; then
+		_write_entry_to_db "${entry}" passwd /
+	fi
+	_write_entry_to_db "${entry}" passwd "${ROOT}"
+
+	if [[ ! -e ${ROOT}/${ehome} ]] ; then
+		einfo " - Creating ${ehome} in ${ROOT}"
+		mkdir -p "${ROOT}/${ehome}"
+		chown "${euser}" "${ROOT}/${ehome}"
+		chmod 755 "${ROOT}/${ehome}"
+	fi
+}
+
+# @FUNCTION: enewgroup
+# @USAGE: <group> [gid]
+# @DESCRIPTION:
+# This function does not require you to understand how to properly add a
+# group to the system.  Just give it a group name to add and enewgroup will
+# do the rest.  You may specify the gid for the group or allow the group to
+# allocate the next available one.
+enewgroup() {
+	_assert_pkg_ebuild_phase ${FUNCNAME}
+
+	# Get the group.
+	local egroup=$1; shift
+	if [[ -z ${egroup} ]] ; then
+		eerror "No group specified !"
+		die "Cannot call enewgroup without a group"
+	fi
+
+	# See if group already exists.
+	if [[ -n $(egetent group "${egroup}") ]] ; then
+		return 0
+	fi
+	# Ensure group exists in profile.
+	if [[ -z $(_get_value_for_group "${egroup}" group) ]] ; then
+		die "Config for ${egroup} not present in profile!"
+	fi
+	einfo "Adding group '${egroup}' to your system ..."
+
+	# handle gid
+	local provided_gid=$(_get_value_for_group "${egroup}" gid)
+	local egid=$1; shift
+	if [[ -z ${egid} ]] ; then
+		# If caller specified nothing and profile has GID, use profile.
+		# If caller specified nothing and profile has no GID, barf.
+		if [[ ! -z ${provided_gid} ]] ; then
+			egid=${provided_gid}
+		else
+			die "No gid provided in PROFILE or in args!"
+		fi
+	else
+		if [[ ${egid} -lt 0 ]] ; then
+			eerror "Groupid given but is not greater than 0 !"
+			die "${egid} is not a valid GID"
+		fi
+
+		# If caller specified GID and profile has no GID, OK.
+		# If caller specified GID and profile has entry with same, OK.
+		if [[ -z ${provided_gid} || ${egid} -eq ${provided_gid} ]] ; then
+			provided_gid=${egid}
+		fi
+
+		# If caller specified GID but profile has different, barf.
+		if [[ ${egid} -ne ${provided_gid} ]] ; then
+			eerror "${egid} conflicts with provided ${provided_gid}!"
+			die "${egid} conflicts with provided ${provided_gid}!"
+		fi
+	fi
+	if [[ -n $(egetent group ${egid}) ]] ; then
+		eerror "Groupid ${egid} already taken!"
+		die "${egid} already taken in $(egetent group ${egid})"
+	fi
+	einfo " - Groupid: ${egid}"
+
+	# Handle extra.
+	if [[ $# -gt 0 ]] ; then
+		die "extra arguments no longer supported; please file a bug"
+	fi
+
+	# Allow group passwords, if profile asks for it.
+	local epassword=$(_get_value_for_group "${egroup}" password)
+	: ${epassword:="!"}
+	einfo " - Password entry: ${epassword}"
+
+	# Pre-populate group with users.
+	local eusers=$(_get_value_for_group "${egroup}" users)
+	einfo " - User list: ${eusers}"
+
+	# Add the group.
+	local entry="${egroup}:${epassword}:${egid}:${eusers}"
+	if [[ ${EBUILD_PHASE} == "setup" ]] ; then
+		_write_entry_to_db "${entry}" group /
+	fi
+	_write_entry_to_db "${entry}" group "${ROOT}"
+	einfo "Done with group: '${egroup}'."
+
+}
+
+# @FUNCTION: egethome
+# @USAGE: <user>
+# @DESCRIPTION:
+# Gets the home directory for the specified user.
+egethome() {
+	[[ $# -eq 1 ]] || die "usage: egethome <user>"
+	egetent passwd "$1" | cut -d: -f6
+}
+
+# @FUNCTION: egetshell
+# @USAGE: <user>
+# @DESCRIPTION:
+# Gets the shell for the specified user.
+egetshell() {
+	[[ $# -eq 1 ]] || die "usage: egetshell <user>"
+	egetent passwd "$1" | cut -d: -f7
+}

diff --git a/profiles/base/accounts/README b/profiles/base/accounts/README
new file mode 100644
index 0000000..caa6ac3
--- /dev/null
+++ b/profiles/base/accounts/README

@@ -0,0 +1,58 @@
+In accordance with http://www.gentoo.org/proj/en/glep/glep-0027.html,
+Chromium OS has implemented a mechanism that allows users and groups
+to be managed stably and centrally for a given build profile. Each
+user and group is defined in a file underneath the appropriate
+profiles/base/accounts/ subdirectory.
+
+For example, the 'chronos' user is defined as follows in a file at
+profiles/base/accounts/user/chronos:
+  user:chronos
+  password:*
+  uid:1000
+  gid:1000
+  gecos:system_user
+  home:/home/chronos/user
+  shell:/bin/bash
+
+The 'cras' group is defined in a similarly constructed file at
+profiles/base/accounts/group/cras:
+  group:cras
+  password:!
+  gid:220
+  users:chronos,power
+
+Notice how the membership of the group is provided in the group
+definition, even though traditionally this is done at user-creation
+time.
+
+The password field can be set to one of the following:
+  ! - The account is locked and may not be logged into (This is the default).
+  * - No password yet, but the account has the ability to have one added,
+      so this should be used for accounts that people expect to have a password
+      set for, or want to otherwise login as remotely.
+  x - The password is shadowed but the account is for an internal feature;
+      people should not set a password themselves.
+  An encrypted password as per crypt(3).
+
+---------
+Choosing UIDs and GIDs
+
+Every UID on CrOS has an associated GID with the same value. The
+opposite does not hold true, however.
+
+CrOS system daemon UIDs (and associated GIDs) range from 200-299. If
+you're creating a new user, pick the first UID in this range that is
+not currently used, and create both a user and a group with this ID.
+
+FUSE-based filesystem daemons have UID/GIDs that range from 300-399.
+If you're adding a daemon that will be talking to cros_disks and
+managing some kind of volumes (archives mounted as volumes, external
+disks, network-mounted storage, etc.) then you should create a user
+and group with IDs in this range
+
+Groups that have no associated user should be given GIDs in the 400 range.
+
+The 'chronos' user, which all user-facing processes in CrOS run as, is
+UID/GID 1000.  There is also a special user/group that has access to
+many resources owned by chronos, called 'chronos-access', which has
+the UID/GID 1001.

diff --git a/profiles/base/accounts/display-accts.py b/profiles/base/accounts/display-accts.py
new file mode 100755
index 0000000..333fcf4
--- /dev/null
+++ b/profiles/base/accounts/display-accts.py

@@ -0,0 +1,149 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Pretty print (and check) a set of group/user accounts"""
+
+from __future__ import print_function
+
+import collections
+import glob
+import os
+import sys
+
+
+# Objects to hold group/user accounts.
+Group = collections.namedtuple('Group', ['group', 'password', 'gid', 'users'])
+User = collections.namedtuple('User', ['user', 'password', 'uid', 'gid',
+                                       'gecos', 'home', 'shell'])
+
+
+def _ParseAccount(content, obj, defaults):
+  """Parse the raw data in |content| and return a new |obj|"""
+  d = defaults.copy()
+
+  for line in content.splitlines():
+    if not line or line.startswith('#'):
+      continue
+
+    key, val = line.split(':')
+    if key not in obj._fields:
+      raise ValueError('unknown key: %s' % key)
+    d[key] = val
+
+  missing_keys = set(obj._fields) - set(d.keys())
+  if missing_keys:
+    raise ValueError('missing keys: %s' % ' '.join(missing_keys))
+
+  return obj(**d)
+
+
+def ParseGroup(content):
+  """Parse |content| as a Group object"""
+  defaults = {
+      'password': '!',
+      'users': '',
+  }
+  return _ParseAccount(content, Group, defaults)
+
+
+def ParseUser(content):
+  """Parse |content| as a User object"""
+  defaults = {
+      'gecos': '',
+      'home': '/dev/null',
+      'password': '!',
+      'shell': '/bin/false',
+  }
+  return _ParseAccount(content, User, defaults)
+
+
+def AlignWidths(arr):
+  """Calculate a set of widths for alignment
+
+  Args:
+    arr: An array of collections.namedtuple objects
+
+  Returns:
+    A dict whose fields have the max length
+  """
+  d = {}
+  for f in arr[0]._fields:
+    d[f] = 0
+
+  for a in arr:
+    for f in a._fields:
+      d[f] = max(d[f], len(getattr(a, f)))
+
+  return d
+
+
+def DisplayAccounts(accts, order):
+  """Display |accts| as a table using |order| for field ordering
+
+  Args:
+    accts: An array of collections.namedtuple objects
+    order: The order in which to display the members
+  """
+  obj = type(accts[0])
+  header_obj = obj(**dict([(k, (v if v else k).upper()) for k, v in order]))
+  keys = [k for k, _ in order]
+  sorter = lambda x: int(getattr(x, keys[0]))
+
+  widths = AlignWidths([header_obj] + accts)
+  def p(obj):
+    for k in keys:
+      print('%-*s ' % (widths[k], getattr(obj, k)), end='')
+    print()
+
+  for a in [header_obj] + sorted(accts, key=sorter):
+    p(a)
+
+
+def main(args):
+  if not args:
+    accounts_dir = os.path.dirname(os.path.realpath(__file__))
+    args = (glob.glob(os.path.join(accounts_dir, 'group', '*')) +
+            glob.glob(os.path.join(accounts_dir, 'user', '*')))
+
+  groups = []
+  users = []
+  for f in args:
+    try:
+      content = open(f).read()
+      if 'group:' in content:
+        groups.append(ParseGroup(content))
+      else:
+        users.append(ParseUser(content))
+    except ValueError as e:
+      print('error: %s: %s' % (f, e))
+      return os.EX_DATAERR
+
+  if groups:
+    order = (
+        ('gid', ''),
+        ('group', ''),
+        ('password', 'pass'),
+        ('users', ''),
+    )
+    DisplayAccounts(groups, order)
+
+  if users:
+    if groups:
+      print()
+    order = (
+        ('uid', ''),
+        ('gid', ''),
+        ('user', ''),
+        ('shell', ''),
+        ('home', ''),
+        ('password', 'pass'),
+        ('gecos', ''),
+    )
+    DisplayAccounts(users, order)
+
+
+if __name__ == '__main__':
+  exit(main(sys.argv[1:]))

diff --git a/profiles/base/accounts/group/adm b/profiles/base/accounts/group/adm
new file mode 100644
index 0000000..fed3200
--- /dev/null
+++ b/profiles/base/accounts/group/adm

@@ -0,0 +1,3 @@
+group:adm
+gid:4
+users:root,adm,daemon

diff --git a/profiles/base/accounts/group/audio b/profiles/base/accounts/group/audio
new file mode 100644
index 0000000..f907580
--- /dev/null
+++ b/profiles/base/accounts/group/audio

@@ -0,0 +1,3 @@
+group:audio
+gid:18
+users:cras,chronos

diff --git a/profiles/base/accounts/group/avahi b/profiles/base/accounts/group/avahi
new file mode 100644
index 0000000..ddb6e3d
--- /dev/null
+++ b/profiles/base/accounts/group/avahi

@@ -0,0 +1,3 @@
+group:avahi
+gid:238
+users:

diff --git a/profiles/base/accounts/group/avfs b/profiles/base/accounts/group/avfs
new file mode 100644
index 0000000..ed18dbc
--- /dev/null
+++ b/profiles/base/accounts/group/avfs

@@ -0,0 +1,3 @@
+group:avfs
+gid:301
+users:

diff --git a/profiles/base/accounts/group/bin b/profiles/base/accounts/group/bin
new file mode 100644
index 0000000..5919335
--- /dev/null
+++ b/profiles/base/accounts/group/bin

@@ -0,0 +1,3 @@
+group:bin
+gid:1
+users:root,bin,daemon

diff --git a/profiles/base/accounts/group/bluetooth b/profiles/base/accounts/group/bluetooth
new file mode 100644
index 0000000..f8296a2
--- /dev/null
+++ b/profiles/base/accounts/group/bluetooth

@@ -0,0 +1,3 @@
+group:bluetooth
+gid:218
+users:

diff --git a/profiles/base/accounts/group/brltty b/profiles/base/accounts/group/brltty
new file mode 100644
index 0000000..81caa23
--- /dev/null
+++ b/profiles/base/accounts/group/brltty

@@ -0,0 +1,3 @@
+group:brltty
+gid:240
+users:chronos

diff --git a/profiles/base/accounts/group/cdrom b/profiles/base/accounts/group/cdrom
new file mode 100644
index 0000000..22e7cea
--- /dev/null
+++ b/profiles/base/accounts/group/cdrom

@@ -0,0 +1,3 @@
+group:cdrom
+gid:19
+users:

diff --git a/profiles/base/accounts/group/cdrw b/profiles/base/accounts/group/cdrw
new file mode 100644
index 0000000..52f4b04
--- /dev/null
+++ b/profiles/base/accounts/group/cdrw

@@ -0,0 +1,3 @@
+group:cdrw
+gid:80
+users:

diff --git a/profiles/base/accounts/group/chaps b/profiles/base/accounts/group/chaps
new file mode 100644
index 0000000..a871b1d
--- /dev/null
+++ b/profiles/base/accounts/group/chaps

@@ -0,0 +1,3 @@
+group:chaps
+gid:223
+users:

diff --git a/profiles/base/accounts/group/chronos b/profiles/base/accounts/group/chronos
new file mode 100644
index 0000000..7497b67
--- /dev/null
+++ b/profiles/base/accounts/group/chronos

@@ -0,0 +1,3 @@
+group:chronos
+gid:1000
+users:

diff --git a/profiles/base/accounts/group/chronos-access b/profiles/base/accounts/group/chronos-access
new file mode 100644
index 0000000..ee0ccd8
--- /dev/null
+++ b/profiles/base/accounts/group/chronos-access

@@ -0,0 +1,3 @@
+group:chronos-access
+gid:1001
+users:root,ipsec,chronos,ntfs-3g,avfs,fuse-exfat,chaps

diff --git a/profiles/base/accounts/group/console b/profiles/base/accounts/group/console
new file mode 100644
index 0000000..27199fb
--- /dev/null
+++ b/profiles/base/accounts/group/console

@@ -0,0 +1,3 @@
+group:console
+gid:17
+users:

diff --git a/profiles/base/accounts/group/cras b/profiles/base/accounts/group/cras
new file mode 100644
index 0000000..a1c7634
--- /dev/null
+++ b/profiles/base/accounts/group/cras

@@ -0,0 +1,3 @@
+group:cras
+gid:220
+users:chronos,power

diff --git a/profiles/base/accounts/group/cromo b/profiles/base/accounts/group/cromo
new file mode 100644
index 0000000..d4945c4
--- /dev/null
+++ b/profiles/base/accounts/group/cromo

@@ -0,0 +1,3 @@
+group:cromo
+gid:210
+users:

diff --git a/profiles/base/accounts/group/cros-disks b/profiles/base/accounts/group/cros-disks
new file mode 100644
index 0000000..91a5d1a
--- /dev/null
+++ b/profiles/base/accounts/group/cros-disks

@@ -0,0 +1,3 @@
+group:cros-disks
+gid:213
+users:

diff --git a/profiles/base/accounts/group/daemon b/profiles/base/accounts/group/daemon
new file mode 100644
index 0000000..6635c2e
--- /dev/null
+++ b/profiles/base/accounts/group/daemon

@@ -0,0 +1,3 @@
+group:daemon
+gid:2
+users:root,bin,daemon

diff --git a/profiles/base/accounts/group/daemon-store b/profiles/base/accounts/group/daemon-store
new file mode 100644
index 0000000..ce4a369
--- /dev/null
+++ b/profiles/base/accounts/group/daemon-store

@@ -0,0 +1,3 @@
+group:daemon-store
+gid:400
+users:chaps

diff --git a/profiles/base/accounts/group/debugd b/profiles/base/accounts/group/debugd
new file mode 100644
index 0000000..280db86
--- /dev/null
+++ b/profiles/base/accounts/group/debugd

@@ -0,0 +1,3 @@
+group:debugd
+gid:216
+users:

diff --git a/profiles/base/accounts/group/debugd-logs b/profiles/base/accounts/group/debugd-logs
new file mode 100644
index 0000000..fecb2c2
--- /dev/null
+++ b/profiles/base/accounts/group/debugd-logs

@@ -0,0 +1,3 @@
+group:debugd-logs
+gid:235
+users:

diff --git a/profiles/base/accounts/group/debugfs-access b/profiles/base/accounts/group/debugfs-access
new file mode 100644
index 0000000..fe5a755
--- /dev/null
+++ b/profiles/base/accounts/group/debugfs-access

@@ -0,0 +1,3 @@
+group:debugfs-access
+gid:236
+users:

diff --git a/profiles/base/accounts/group/devbroker b/profiles/base/accounts/group/devbroker
new file mode 100644
index 0000000..71ab509
--- /dev/null
+++ b/profiles/base/accounts/group/devbroker

@@ -0,0 +1,3 @@
+group:devbroker
+gid:230
+users:

diff --git a/profiles/base/accounts/group/devbroker-access b/profiles/base/accounts/group/devbroker-access
new file mode 100644
index 0000000..1e9cfb8
--- /dev/null
+++ b/profiles/base/accounts/group/devbroker-access

@@ -0,0 +1,3 @@
+group:devbroker-access
+gid:403
+users:chronos

diff --git a/profiles/base/accounts/group/dhcp b/profiles/base/accounts/group/dhcp
new file mode 100644
index 0000000..ad4d80b
--- /dev/null
+++ b/profiles/base/accounts/group/dhcp

@@ -0,0 +1,3 @@
+group:dhcp
+gid:224
+users:

diff --git a/profiles/base/accounts/group/disk b/profiles/base/accounts/group/disk
new file mode 100644
index 0000000..813756f
--- /dev/null
+++ b/profiles/base/accounts/group/disk

@@ -0,0 +1,3 @@
+group:disk
+gid:6
+users:root,adm

diff --git a/profiles/base/accounts/group/floppy b/profiles/base/accounts/group/floppy
new file mode 100644
index 0000000..84473fc
--- /dev/null
+++ b/profiles/base/accounts/group/floppy

@@ -0,0 +1,3 @@
+group:floppy
+gid:11
+users:root

diff --git a/profiles/base/accounts/group/fuse-exfat b/profiles/base/accounts/group/fuse-exfat
new file mode 100644
index 0000000..7db3415
--- /dev/null
+++ b/profiles/base/accounts/group/fuse-exfat

@@ -0,0 +1,3 @@
+group:fuse-exfat
+gid:302
+users:

diff --git a/profiles/base/accounts/group/gpsd b/profiles/base/accounts/group/gpsd
new file mode 100644
index 0000000..f98489b
--- /dev/null
+++ b/profiles/base/accounts/group/gpsd

@@ -0,0 +1,3 @@
+group:gpsd
+gid:242
+users:gpsd

diff --git a/profiles/base/accounts/group/i2c b/profiles/base/accounts/group/i2c
new file mode 100644
index 0000000..bb6fadd
--- /dev/null
+++ b/profiles/base/accounts/group/i2c

@@ -0,0 +1,3 @@
+group:i2c
+gid:404
+users:power

diff --git a/profiles/base/accounts/group/input b/profiles/base/accounts/group/input
new file mode 100644
index 0000000..9d2b39b
--- /dev/null
+++ b/profiles/base/accounts/group/input

@@ -0,0 +1,3 @@
+group:input
+gid:222
+users:cras,xorg,power

diff --git a/profiles/base/accounts/group/ipsec b/profiles/base/accounts/group/ipsec
new file mode 100644
index 0000000..0011837
--- /dev/null
+++ b/profiles/base/accounts/group/ipsec

@@ -0,0 +1,3 @@
+group:ipsec
+gid:212
+users:

diff --git a/profiles/base/accounts/group/kmem b/profiles/base/accounts/group/kmem
new file mode 100644
index 0000000..87dcd30
--- /dev/null
+++ b/profiles/base/accounts/group/kmem

@@ -0,0 +1,3 @@
+group:kmem
+gid:9
+users:

diff --git a/profiles/base/accounts/group/kvm b/profiles/base/accounts/group/kvm
new file mode 100644
index 0000000..f68d1b3
--- /dev/null
+++ b/profiles/base/accounts/group/kvm

@@ -0,0 +1,3 @@
+group:kvm
+gid:409
+users:

diff --git a/profiles/base/accounts/group/logs-access b/profiles/base/accounts/group/logs-access
new file mode 100644
index 0000000..920a2fa
--- /dev/null
+++ b/profiles/base/accounts/group/logs-access

@@ -0,0 +1,3 @@
+group:logs-access
+gid:401
+users:debugd-logs

diff --git a/profiles/base/accounts/group/lp b/profiles/base/accounts/group/lp
new file mode 100644
index 0000000..b9e64c7
--- /dev/null
+++ b/profiles/base/accounts/group/lp

@@ -0,0 +1,3 @@
+group:lp
+gid:7
+users:lp

diff --git a/profiles/base/accounts/group/man b/profiles/base/accounts/group/man
new file mode 100644
index 0000000..d7c2921
--- /dev/null
+++ b/profiles/base/accounts/group/man

@@ -0,0 +1,3 @@
+group:man
+gid:15
+users:

diff --git a/profiles/base/accounts/group/mem b/profiles/base/accounts/group/mem
new file mode 100644
index 0000000..1c48989
--- /dev/null
+++ b/profiles/base/accounts/group/mem

@@ -0,0 +1,3 @@
+group:mem
+gid:8
+users:

diff --git a/profiles/base/accounts/group/messagebus b/profiles/base/accounts/group/messagebus
new file mode 100644
index 0000000..67b6eae
--- /dev/null
+++ b/profiles/base/accounts/group/messagebus

@@ -0,0 +1,3 @@
+group:messagebus
+gid:201
+users:

diff --git a/profiles/base/accounts/group/modem b/profiles/base/accounts/group/modem
new file mode 100644
index 0000000..6b437d5
--- /dev/null
+++ b/profiles/base/accounts/group/modem

@@ -0,0 +1,3 @@
+group:modem
+gid:241
+users:modem

diff --git a/profiles/base/accounts/group/mtp b/profiles/base/accounts/group/mtp
new file mode 100644
index 0000000..cf20a1f
--- /dev/null
+++ b/profiles/base/accounts/group/mtp

@@ -0,0 +1,3 @@
+group:mtp
+gid:226
+users:

diff --git a/profiles/base/accounts/group/netdev b/profiles/base/accounts/group/netdev
new file mode 100644
index 0000000..98d87b7
--- /dev/null
+++ b/profiles/base/accounts/group/netdev

@@ -0,0 +1,3 @@
+group:netdev
+gid:408
+users:

diff --git a/profiles/base/accounts/group/news b/profiles/base/accounts/group/news
new file mode 100644
index 0000000..194f5b3
--- /dev/null
+++ b/profiles/base/accounts/group/news

@@ -0,0 +1,3 @@
+group:news
+gid:13
+users:news

diff --git a/profiles/base/accounts/group/nfqueue b/profiles/base/accounts/group/nfqueue
new file mode 100644
index 0000000..7d43610
--- /dev/null
+++ b/profiles/base/accounts/group/nfqueue

@@ -0,0 +1,3 @@
+group:nfqueue
+gid:232
+users:

diff --git a/profiles/base/accounts/group/nobody b/profiles/base/accounts/group/nobody
new file mode 100644
index 0000000..f19800b
--- /dev/null
+++ b/profiles/base/accounts/group/nobody

@@ -0,0 +1,3 @@
+group:nobody
+gid:65534
+users:

diff --git a/profiles/base/accounts/group/nogroup b/profiles/base/accounts/group/nogroup
new file mode 100644
index 0000000..53ab2a2
--- /dev/null
+++ b/profiles/base/accounts/group/nogroup

@@ -0,0 +1,3 @@
+group:nogroup
+gid:65533
+users:

diff --git a/profiles/base/accounts/group/ntfs-3g b/profiles/base/accounts/group/ntfs-3g
new file mode 100644
index 0000000..3c6eb85
--- /dev/null
+++ b/profiles/base/accounts/group/ntfs-3g

@@ -0,0 +1,3 @@
+group:ntfs-3g
+gid:300
+users:

diff --git a/profiles/base/accounts/group/ntp b/profiles/base/accounts/group/ntp
new file mode 100644
index 0000000..5a4019c
--- /dev/null
+++ b/profiles/base/accounts/group/ntp

@@ -0,0 +1,3 @@
+group:ntp
+gid:203
+users:

diff --git a/profiles/base/accounts/group/openvpn b/profiles/base/accounts/group/openvpn
new file mode 100644
index 0000000..cb535bb
--- /dev/null
+++ b/profiles/base/accounts/group/openvpn

@@ -0,0 +1,3 @@
+group:openvpn
+gid:217
+users:

diff --git a/profiles/base/accounts/group/p2p b/profiles/base/accounts/group/p2p
new file mode 100644
index 0000000..692bd47
--- /dev/null
+++ b/profiles/base/accounts/group/p2p

@@ -0,0 +1,3 @@
+group:p2p
+gid:239
+users:

diff --git a/profiles/base/accounts/group/pkcs11 b/profiles/base/accounts/group/pkcs11
new file mode 100644
index 0000000..bdd0a2f
--- /dev/null
+++ b/profiles/base/accounts/group/pkcs11

@@ -0,0 +1,3 @@
+group:pkcs11
+gid:208
+users:root,ipsec,chronos,chaps,wpa

diff --git a/profiles/base/accounts/group/polkituser b/profiles/base/accounts/group/polkituser
new file mode 100644
index 0000000..2f6ca59
--- /dev/null
+++ b/profiles/base/accounts/group/polkituser

@@ -0,0 +1,3 @@
+group:polkituser
+gid:206
+users:

diff --git a/profiles/base/accounts/group/portage b/profiles/base/accounts/group/portage
new file mode 100644
index 0000000..7f940c7
--- /dev/null
+++ b/profiles/base/accounts/group/portage

@@ -0,0 +1,3 @@
+group:portage
+gid:250
+users:portage

diff --git a/profiles/base/accounts/group/power b/profiles/base/accounts/group/power
new file mode 100644
index 0000000..a6a8f62
--- /dev/null
+++ b/profiles/base/accounts/group/power

@@ -0,0 +1,3 @@
+group:power
+gid:228
+users:

diff --git a/profiles/base/accounts/group/proxystate b/profiles/base/accounts/group/proxystate
new file mode 100644
index 0000000..6adf3a9
--- /dev/null
+++ b/profiles/base/accounts/group/proxystate

@@ -0,0 +1,3 @@
+group:proxystate
+gid:227
+users:

diff --git a/profiles/base/accounts/group/qdlservice b/profiles/base/accounts/group/qdlservice
new file mode 100644
index 0000000..987ab3b
--- /dev/null
+++ b/profiles/base/accounts/group/qdlservice

@@ -0,0 +1,3 @@
+group:qdlservice
+gid:209
+users:

diff --git a/profiles/base/accounts/group/radvd b/profiles/base/accounts/group/radvd
new file mode 100644
index 0000000..aaca60f
--- /dev/null
+++ b/profiles/base/accounts/group/radvd

@@ -0,0 +1,3 @@
+group:radvd
+gid:243
+users:radvd

diff --git a/profiles/base/accounts/group/root b/profiles/base/accounts/group/root
new file mode 100644
index 0000000..1bdc28d
--- /dev/null
+++ b/profiles/base/accounts/group/root

@@ -0,0 +1,3 @@
+group:root
+gid:0
+users:root

diff --git a/profiles/base/accounts/group/serial b/profiles/base/accounts/group/serial
new file mode 100644
index 0000000..3a90092
--- /dev/null
+++ b/profiles/base/accounts/group/serial

@@ -0,0 +1,3 @@
+group:serial
+gid:402
+users:chronos,uucp

diff --git a/profiles/base/accounts/group/shill-crypto b/profiles/base/accounts/group/shill-crypto
new file mode 100644
index 0000000..51eb83d
--- /dev/null
+++ b/profiles/base/accounts/group/shill-crypto

@@ -0,0 +1,3 @@
+group:shill-crypto
+gid:237
+users:

diff --git a/profiles/base/accounts/group/sshd b/profiles/base/accounts/group/sshd
new file mode 100644
index 0000000..101406e
--- /dev/null
+++ b/profiles/base/accounts/group/sshd

@@ -0,0 +1,3 @@
+group:sshd
+gid:204
+users:

diff --git a/profiles/base/accounts/group/sys b/profiles/base/accounts/group/sys
new file mode 100644
index 0000000..d9829de
--- /dev/null
+++ b/profiles/base/accounts/group/sys

@@ -0,0 +1,3 @@
+group:sys
+gid:3
+users:root,bin,adm

diff --git a/profiles/base/accounts/group/syslog b/profiles/base/accounts/group/syslog
new file mode 100644
index 0000000..a539bbf
--- /dev/null
+++ b/profiles/base/accounts/group/syslog

@@ -0,0 +1,3 @@
+group:syslog
+gid:202
+users:

diff --git a/profiles/base/accounts/group/tape b/profiles/base/accounts/group/tape
new file mode 100644
index 0000000..8cb36e2
--- /dev/null
+++ b/profiles/base/accounts/group/tape

@@ -0,0 +1,3 @@
+group:tape
+gid:26
+users:root

diff --git a/profiles/base/accounts/group/tcpdump b/profiles/base/accounts/group/tcpdump
new file mode 100644
index 0000000..6145872
--- /dev/null
+++ b/profiles/base/accounts/group/tcpdump

@@ -0,0 +1,3 @@
+group:tcpdump
+gid:215
+users:

diff --git a/profiles/base/accounts/group/tlsdate b/profiles/base/accounts/group/tlsdate
new file mode 100644
index 0000000..472f995
--- /dev/null
+++ b/profiles/base/accounts/group/tlsdate

@@ -0,0 +1,3 @@
+group:tlsdate
+gid:234
+users:

diff --git a/profiles/base/accounts/group/tlsdate-dbus b/profiles/base/accounts/group/tlsdate-dbus
new file mode 100644
index 0000000..f7f5606
--- /dev/null
+++ b/profiles/base/accounts/group/tlsdate-dbus

@@ -0,0 +1,3 @@
+group:tlsdate-dbus
+gid:233
+users:

diff --git a/profiles/base/accounts/group/tor b/profiles/base/accounts/group/tor
new file mode 100644
index 0000000..dcbec00
--- /dev/null
+++ b/profiles/base/accounts/group/tor

@@ -0,0 +1,3 @@
+group:tor
+gid:214
+users:

diff --git a/profiles/base/accounts/group/tpmd b/profiles/base/accounts/group/tpmd
new file mode 100644
index 0000000..764c64e
--- /dev/null
+++ b/profiles/base/accounts/group/tpmd

@@ -0,0 +1,3 @@
+group:tpmd
+gid:225
+users:

diff --git a/profiles/base/accounts/group/tss b/profiles/base/accounts/group/tss
new file mode 100644
index 0000000..0cefb42
--- /dev/null
+++ b/profiles/base/accounts/group/tss

@@ -0,0 +1,3 @@
+group:tss
+gid:207
+users:root,chaps

diff --git a/profiles/base/accounts/group/tty b/profiles/base/accounts/group/tty
new file mode 100644
index 0000000..32263af
--- /dev/null
+++ b/profiles/base/accounts/group/tty

@@ -0,0 +1,3 @@
+group:tty
+gid:5
+users:xorg,power,brltty

diff --git a/profiles/base/accounts/group/usb b/profiles/base/accounts/group/usb
new file mode 100644
index 0000000..4492812
--- /dev/null
+++ b/profiles/base/accounts/group/usb

@@ -0,0 +1,3 @@
+group:usb
+gid:85
+users:mtp,brltty

diff --git a/profiles/base/accounts/group/users b/profiles/base/accounts/group/users
new file mode 100644
index 0000000..fd42ca1
--- /dev/null
+++ b/profiles/base/accounts/group/users

@@ -0,0 +1,3 @@
+group:users
+gid:100
+users:games

diff --git a/profiles/base/accounts/group/utmp b/profiles/base/accounts/group/utmp
new file mode 100644
index 0000000..49e5428
--- /dev/null
+++ b/profiles/base/accounts/group/utmp

@@ -0,0 +1,3 @@
+group:utmp
+gid:406
+users:

diff --git a/profiles/base/accounts/group/uucp b/profiles/base/accounts/group/uucp
new file mode 100644
index 0000000..5fe9821
--- /dev/null
+++ b/profiles/base/accounts/group/uucp

@@ -0,0 +1,3 @@
+group:uucp
+gid:14
+users:uucp,gpsd

diff --git a/profiles/base/accounts/group/video b/profiles/base/accounts/group/video
new file mode 100644
index 0000000..3aca68a
--- /dev/null
+++ b/profiles/base/accounts/group/video

@@ -0,0 +1,3 @@
+group:video
+gid:27
+users:root,chronos,xorg

diff --git a/profiles/base/accounts/group/watchdog b/profiles/base/accounts/group/watchdog
new file mode 100644
index 0000000..a0c2e77
--- /dev/null
+++ b/profiles/base/accounts/group/watchdog

@@ -0,0 +1,3 @@
+group:watchdog
+gid:229
+users:

diff --git a/profiles/base/accounts/group/wheel b/profiles/base/accounts/group/wheel
new file mode 100644
index 0000000..c3d2d62
--- /dev/null
+++ b/profiles/base/accounts/group/wheel

@@ -0,0 +1,3 @@
+group:wheel
+gid:10
+users:root

diff --git a/profiles/base/accounts/group/wpa b/profiles/base/accounts/group/wpa
new file mode 100644
index 0000000..46cfcb5
--- /dev/null
+++ b/profiles/base/accounts/group/wpa

@@ -0,0 +1,3 @@
+group:wpa
+gid:219
+users:root

diff --git a/profiles/base/accounts/group/xorg b/profiles/base/accounts/group/xorg
new file mode 100644
index 0000000..248b8be
--- /dev/null
+++ b/profiles/base/accounts/group/xorg

@@ -0,0 +1,3 @@
+group:xorg
+gid:231
+users:

diff --git a/profiles/base/accounts/user/adm b/profiles/base/accounts/user/adm
new file mode 100644
index 0000000..f2304b5
--- /dev/null
+++ b/profiles/base/accounts/user/adm

@@ -0,0 +1,6 @@
+user:adm
+uid:3
+gid:4
+gecos:adm
+home:/var/adm
+shell:/bin/false

diff --git a/profiles/base/accounts/user/avahi b/profiles/base/accounts/user/avahi
new file mode 100644
index 0000000..c408c50
--- /dev/null
+++ b/profiles/base/accounts/user/avahi

@@ -0,0 +1,6 @@
+user:avahi
+uid:238
+gid:238
+gecos:avahi-daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/avfs b/profiles/base/accounts/user/avfs
new file mode 100644
index 0000000..7d25b65
--- /dev/null
+++ b/profiles/base/accounts/user/avfs

@@ -0,0 +1,6 @@
+user:avfs
+uid:301
+gid:301
+gecos:FUSE-based virtual FS daemon for archive files
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/bin b/profiles/base/accounts/user/bin
new file mode 100644
index 0000000..41c90e3
--- /dev/null
+++ b/profiles/base/accounts/user/bin

@@ -0,0 +1,6 @@
+user:bin
+uid:1
+gid:1
+gecos:bin
+home:/bin
+shell:/bin/false

diff --git a/profiles/base/accounts/user/bluetooth b/profiles/base/accounts/user/bluetooth
new file mode 100644
index 0000000..0603134
--- /dev/null
+++ b/profiles/base/accounts/user/bluetooth

@@ -0,0 +1,6 @@
+user:bluetooth
+uid:218
+gid:218
+gecos:bluez
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/brltty b/profiles/base/accounts/user/brltty
new file mode 100644
index 0000000..af2c739
--- /dev/null
+++ b/profiles/base/accounts/user/brltty

@@ -0,0 +1,6 @@
+user:brltty
+uid:240
+gid:240
+gecos:braille displays
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/chaps b/profiles/base/accounts/user/chaps
new file mode 100644
index 0000000..003ca71
--- /dev/null
+++ b/profiles/base/accounts/user/chaps

@@ -0,0 +1,6 @@
+user:chaps
+uid:223
+gid:223
+gecos:chaps PKCS11 daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/chronos b/profiles/base/accounts/user/chronos
new file mode 100644
index 0000000..205c8f2
--- /dev/null
+++ b/profiles/base/accounts/user/chronos

@@ -0,0 +1,7 @@
+user:chronos
+password:*
+uid:1000
+gid:1000
+gecos:system_user
+home:/home/chronos/user
+shell:/bin/bash

diff --git a/profiles/base/accounts/user/chronos-access b/profiles/base/accounts/user/chronos-access
new file mode 100644
index 0000000..fd9d64b
--- /dev/null
+++ b/profiles/base/accounts/user/chronos-access

@@ -0,0 +1,6 @@
+user:chronos-access
+uid:1001
+gid:1001
+gecos:non-chronos user with access to chronos data
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/cras b/profiles/base/accounts/user/cras
new file mode 100644
index 0000000..5aa7b29
--- /dev/null
+++ b/profiles/base/accounts/user/cras

@@ -0,0 +1,6 @@
+user:cras
+uid:220
+gid:220
+gecos:CrOS audio video daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/cromo b/profiles/base/accounts/user/cromo
new file mode 100644
index 0000000..8812863
--- /dev/null
+++ b/profiles/base/accounts/user/cromo

@@ -0,0 +1,6 @@
+user:cromo
+uid:210
+gid:210
+gecos:CrOS modem manager
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/cros-disks b/profiles/base/accounts/user/cros-disks
new file mode 100644
index 0000000..ac17410
--- /dev/null
+++ b/profiles/base/accounts/user/cros-disks

@@ -0,0 +1,6 @@
+user:cros-disks
+uid:213
+gid:213
+gecos:CrOS disk managing daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/daemon b/profiles/base/accounts/user/daemon
new file mode 100644
index 0000000..2b4b5fe
--- /dev/null
+++ b/profiles/base/accounts/user/daemon

@@ -0,0 +1,6 @@
+user:daemon
+uid:2
+gid:2
+gecos:daemon
+home:/sbin
+shell:/bin/false

diff --git a/profiles/base/accounts/user/debugd b/profiles/base/accounts/user/debugd
new file mode 100644
index 0000000..ebdc620
--- /dev/null
+++ b/profiles/base/accounts/user/debugd

@@ -0,0 +1,6 @@
+user:debugd
+uid:216
+gid:216
+gecos:debug daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/debugd-logs b/profiles/base/accounts/user/debugd-logs
new file mode 100644
index 0000000..748de67
--- /dev/null
+++ b/profiles/base/accounts/user/debugd-logs

@@ -0,0 +1,6 @@
+user:debugd-logs
+uid:235
+gid:235
+gecos:access to unprivileged debugd logs
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/debugfs-access b/profiles/base/accounts/user/debugfs-access
new file mode 100644
index 0000000..a944623
--- /dev/null
+++ b/profiles/base/accounts/user/debugfs-access

@@ -0,0 +1,6 @@
+user:debugfs-access
+uid:236
+gid:236
+gecos:access to debugfs
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/devbroker b/profiles/base/accounts/user/devbroker
new file mode 100644
index 0000000..f09f55d
--- /dev/null
+++ b/profiles/base/accounts/user/devbroker

@@ -0,0 +1,6 @@
+user:devbroker
+uid:230
+gid:230
+gecos:permission_broker
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/dhcp b/profiles/base/accounts/user/dhcp
new file mode 100644
index 0000000..0f05c3a
--- /dev/null
+++ b/profiles/base/accounts/user/dhcp

@@ -0,0 +1,6 @@
+user:dhcp
+uid:224
+gid:224
+gecos:dhcpcd DHCP client
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/fuse-exfat b/profiles/base/accounts/user/fuse-exfat
new file mode 100644
index 0000000..dd72d35
--- /dev/null
+++ b/profiles/base/accounts/user/fuse-exfat

@@ -0,0 +1,6 @@
+user:fuse-exfat
+uid:302
+gid:302
+gecos:FUSE-based exfat FS daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/gpsd b/profiles/base/accounts/user/gpsd
new file mode 100644
index 0000000..82b1f04
--- /dev/null
+++ b/profiles/base/accounts/user/gpsd

@@ -0,0 +1,6 @@
+user:gpsd
+uid:242
+gid:242
+gecos:GPS daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/halt b/profiles/base/accounts/user/halt
new file mode 100644
index 0000000..415005c
--- /dev/null
+++ b/profiles/base/accounts/user/halt

@@ -0,0 +1,6 @@
+user:halt
+uid:7
+gid:0
+gecos:halt
+home:/sbin
+shell:/sbin/halt

diff --git a/profiles/base/accounts/user/input b/profiles/base/accounts/user/input
new file mode 100644
index 0000000..50c6f93
--- /dev/null
+++ b/profiles/base/accounts/user/input

@@ -0,0 +1,6 @@
+user:input
+uid:222
+gid:222
+gecos:dev/input/event access
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/ipsec b/profiles/base/accounts/user/ipsec
new file mode 100644
index 0000000..4cd53af
--- /dev/null
+++ b/profiles/base/accounts/user/ipsec

@@ -0,0 +1,6 @@
+user:ipsec
+uid:212
+gid:212
+gecos:strongswan, other ipsec VPNs
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/lp b/profiles/base/accounts/user/lp
new file mode 100644
index 0000000..e36ee85
--- /dev/null
+++ b/profiles/base/accounts/user/lp

@@ -0,0 +1,6 @@
+user:lp
+uid:4
+gid:7
+gecos:lp
+home:/var/spool/lpd
+shell:/bin/false

diff --git a/profiles/base/accounts/user/man b/profiles/base/accounts/user/man
new file mode 100644
index 0000000..d9bd70a
--- /dev/null
+++ b/profiles/base/accounts/user/man

@@ -0,0 +1,6 @@
+user:man
+uid:13
+gid:15
+gecos:added by portage for man
+home:/usr/share/man
+shell:/bin/false

diff --git a/profiles/base/accounts/user/messagebus b/profiles/base/accounts/user/messagebus
new file mode 100644
index 0000000..50c104b
--- /dev/null
+++ b/profiles/base/accounts/user/messagebus

@@ -0,0 +1,6 @@
+user:messagebus
+uid:201
+gid:201
+gecos:dbus daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/modem b/profiles/base/accounts/user/modem
new file mode 100644
index 0000000..c28e339
--- /dev/null
+++ b/profiles/base/accounts/user/modem

@@ -0,0 +1,6 @@
+user:modem
+uid:241
+gid:241
+gecos:modem manager
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/mtp b/profiles/base/accounts/user/mtp
new file mode 100644
index 0000000..89cc28f
--- /dev/null
+++ b/profiles/base/accounts/user/mtp

@@ -0,0 +1,6 @@
+user:mtp
+uid:226
+gid:226
+gecos:libmtp
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/news b/profiles/base/accounts/user/news
new file mode 100644
index 0000000..a7f87f2
--- /dev/null
+++ b/profiles/base/accounts/user/news

@@ -0,0 +1,6 @@
+user:news
+uid:9
+gid:13
+gecos:news
+home:/var/spool/news
+shell:/bin/false

diff --git a/profiles/base/accounts/user/nfqueue b/profiles/base/accounts/user/nfqueue
new file mode 100644
index 0000000..5d0fb40
--- /dev/null
+++ b/profiles/base/accounts/user/nfqueue

@@ -0,0 +1,6 @@
+user:nfqueue
+uid:232
+gid:232
+gecos:netfilter-queue
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/nobody b/profiles/base/accounts/user/nobody
new file mode 100644
index 0000000..43b3d7a
--- /dev/null
+++ b/profiles/base/accounts/user/nobody

@@ -0,0 +1,6 @@
+user:nobody
+uid:65534
+gid:65534
+gecos:nobody
+home:/var/empty
+shell:/bin/false

diff --git a/profiles/base/accounts/user/ntfs-3g b/profiles/base/accounts/user/ntfs-3g
new file mode 100644
index 0000000..a1c1d5c
--- /dev/null
+++ b/profiles/base/accounts/user/ntfs-3g

@@ -0,0 +1,6 @@
+user:ntfs-3g
+uid:300
+gid:300
+gecos:NTFS FUSE-based filesystem daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/ntp b/profiles/base/accounts/user/ntp
new file mode 100644
index 0000000..e753c92
--- /dev/null
+++ b/profiles/base/accounts/user/ntp

@@ -0,0 +1,6 @@
+user:ntp
+uid:203
+gid:203
+gecos:ntp, perhaps unused
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/openvpn b/profiles/base/accounts/user/openvpn
new file mode 100644
index 0000000..f8fe426
--- /dev/null
+++ b/profiles/base/accounts/user/openvpn

@@ -0,0 +1,6 @@
+user:openvpn
+uid:217
+gid:217
+gecos:openvpn
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/operator b/profiles/base/accounts/user/operator
new file mode 100644
index 0000000..a15ed04
--- /dev/null
+++ b/profiles/base/accounts/user/operator

@@ -0,0 +1,6 @@
+user:operator
+uid:11
+gid:0
+gecos:operator
+home:/root
+shell:/bin/bash

diff --git a/profiles/base/accounts/user/p2p b/profiles/base/accounts/user/p2p
new file mode 100644
index 0000000..da0d61f
--- /dev/null
+++ b/profiles/base/accounts/user/p2p

@@ -0,0 +1,6 @@
+user:p2p
+uid:239
+gid:239
+gecos:p2p autoupdate helpers
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/pkcs11 b/profiles/base/accounts/user/pkcs11
new file mode 100644
index 0000000..7a37d50
--- /dev/null
+++ b/profiles/base/accounts/user/pkcs11

@@ -0,0 +1,6 @@
+user:pkcs11
+uid:208
+gid:208
+gecos:PKCS11 clients
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/polkituser b/profiles/base/accounts/user/polkituser
new file mode 100644
index 0000000..672ae18
--- /dev/null
+++ b/profiles/base/accounts/user/polkituser

@@ -0,0 +1,6 @@
+user:polkituser
+uid:206
+gid:206
+gecos:policykit, perhaps unused
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/portage b/profiles/base/accounts/user/portage
new file mode 100644
index 0000000..2de43ed
--- /dev/null
+++ b/profiles/base/accounts/user/portage

@@ -0,0 +1,6 @@
+user:portage
+uid:250
+gid:250
+gecos:portage
+home:/var/tmp/portage
+shell:/bin/false

diff --git a/profiles/base/accounts/user/power b/profiles/base/accounts/user/power
new file mode 100644
index 0000000..87167a3
--- /dev/null
+++ b/profiles/base/accounts/user/power

@@ -0,0 +1,6 @@
+user:power
+uid:228
+gid:228
+gecos:power management daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/proxystate b/profiles/base/accounts/user/proxystate
new file mode 100644
index 0000000..4b826c4
--- /dev/null
+++ b/profiles/base/accounts/user/proxystate

@@ -0,0 +1,6 @@
+user:proxystate
+uid:227
+gid:227
+gecos:proxy monitoring
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/qdlservice b/profiles/base/accounts/user/qdlservice
new file mode 100644
index 0000000..2684391
--- /dev/null
+++ b/profiles/base/accounts/user/qdlservice

@@ -0,0 +1,6 @@
+user:qdlservice
+uid:209
+gid:209
+gecos:QDLService
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/radvd b/profiles/base/accounts/user/radvd
new file mode 100644
index 0000000..29f8bc2
--- /dev/null
+++ b/profiles/base/accounts/user/radvd

@@ -0,0 +1,6 @@
+user:radvd
+uid:243
+gid:243
+gecos:router advertisement daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/root b/profiles/base/accounts/user/root
new file mode 100644
index 0000000..9ebfb3d
--- /dev/null
+++ b/profiles/base/accounts/user/root

@@ -0,0 +1,7 @@
+user:root
+password:*
+uid:0
+gid:0
+gecos:root
+home:/root
+shell:/bin/bash

diff --git a/profiles/base/accounts/user/shill-crypto b/profiles/base/accounts/user/shill-crypto
new file mode 100644
index 0000000..e036f0c
--- /dev/null
+++ b/profiles/base/accounts/user/shill-crypto

@@ -0,0 +1,6 @@
+user:shill-crypto
+uid:237
+gid:237
+gecos:shill's crypto-util
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/shutdown b/profiles/base/accounts/user/shutdown
new file mode 100644
index 0000000..a47e4c0
--- /dev/null
+++ b/profiles/base/accounts/user/shutdown

@@ -0,0 +1,6 @@
+user:shutdown
+uid:6
+gid:0
+gecos:shutdown
+home:/sbin
+shell:/sbin/shutdown

diff --git a/profiles/base/accounts/user/sshd b/profiles/base/accounts/user/sshd
new file mode 100644
index 0000000..4695ece
--- /dev/null
+++ b/profiles/base/accounts/user/sshd

@@ -0,0 +1,6 @@
+user:sshd
+uid:204
+gid:204
+gecos:ssh daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/sync b/profiles/base/accounts/user/sync
new file mode 100644
index 0000000..5e59da0
--- /dev/null
+++ b/profiles/base/accounts/user/sync

@@ -0,0 +1,6 @@
+user:sync
+uid:5
+gid:0
+gecos:sync
+home:/sbin
+shell:/bin/sync

diff --git a/profiles/base/accounts/user/syslog b/profiles/base/accounts/user/syslog
new file mode 100644
index 0000000..7242ec3
--- /dev/null
+++ b/profiles/base/accounts/user/syslog

@@ -0,0 +1,6 @@
+user:syslog
+uid:202
+gid:202
+gecos:rsyslog
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tcpdump b/profiles/base/accounts/user/tcpdump
new file mode 100644
index 0000000..68c40d7
--- /dev/null
+++ b/profiles/base/accounts/user/tcpdump

@@ -0,0 +1,6 @@
+user:tcpdump
+uid:215
+gid:215
+gecos:tcpdump --with-user
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tlsdate b/profiles/base/accounts/user/tlsdate
new file mode 100644
index 0000000..10bfbab
--- /dev/null
+++ b/profiles/base/accounts/user/tlsdate

@@ -0,0 +1,6 @@
+user:tlsdate
+uid:234
+gid:234
+gecos:tlsdate, secure network time daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tlsdate-dbus b/profiles/base/accounts/user/tlsdate-dbus
new file mode 100644
index 0000000..4576242
--- /dev/null
+++ b/profiles/base/accounts/user/tlsdate-dbus

@@ -0,0 +1,6 @@
+user:tlsdate-dbus
+uid:233
+gid:233
+gecos:tlsdate-dbus-announce
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tor b/profiles/base/accounts/user/tor
new file mode 100644
index 0000000..7cd6575
--- /dev/null
+++ b/profiles/base/accounts/user/tor

@@ -0,0 +1,6 @@
+user:tor
+uid:214
+gid:214
+gecos:tor, perhaps unused
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tpmd b/profiles/base/accounts/user/tpmd
new file mode 100644
index 0000000..a8816a3
--- /dev/null
+++ b/profiles/base/accounts/user/tpmd

@@ -0,0 +1,6 @@
+user:tpmd
+uid:225
+gid:225
+gecos:TPM daemon
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/tss b/profiles/base/accounts/user/tss
new file mode 100644
index 0000000..5af1004
--- /dev/null
+++ b/profiles/base/accounts/user/tss

@@ -0,0 +1,6 @@
+user:tss
+uid:207
+gid:207
+gecos:trousers, TPM and TSS operations
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/uucp b/profiles/base/accounts/user/uucp
new file mode 100644
index 0000000..17731b2
--- /dev/null
+++ b/profiles/base/accounts/user/uucp

@@ -0,0 +1,6 @@
+user:uucp
+uid:10
+gid:14
+gecos:uucp
+home:/var/spool/uucp
+shell:/bin/false

diff --git a/profiles/base/accounts/user/watchdog b/profiles/base/accounts/user/watchdog
new file mode 100644
index 0000000..2fbd245
--- /dev/null
+++ b/profiles/base/accounts/user/watchdog

@@ -0,0 +1,6 @@
+user:watchdog
+uid:229
+gid:229
+gecos:daisydog
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/wpa b/profiles/base/accounts/user/wpa
new file mode 100644
index 0000000..2d88516
--- /dev/null
+++ b/profiles/base/accounts/user/wpa

@@ -0,0 +1,6 @@
+user:wpa
+uid:219
+gid:219
+gecos:wpa_supplicant
+home:/dev/null
+shell:/bin/false

diff --git a/profiles/base/accounts/user/xorg b/profiles/base/accounts/user/xorg
new file mode 100644
index 0000000..1b52701
--- /dev/null
+++ b/profiles/base/accounts/user/xorg

@@ -0,0 +1,6 @@
+user:xorg
+uid:231
+gid:231
+gecos:Xorg
+home:/dev/null
+shell:/bin/false
commit	2dfab5affb850a45139e1c556663197a721ea188	[log] [tgz]
author	Chris Masone <cmasone@chromium.org>	Tue Dec 10 11:22:29 2013 -0800
committer	chrome-internal-fetch <chrome-internal-fetch@google.com>	Fri Jan 24 23:50:48 2014 +0000
tree	1b4cdf7dc80d8b392f4949541082a2a0a4a15dea
parent	185699e91a8e7b3ba0d7ff53497b933c8d8533bc [diff]