public inbox for openembedded-core@lists.openembedded.org
From: Randolph Sapp <rs@ti.com>
To: <rs@ti.com>, <raj.khem@gmail.com>,
	<richard.purdie@linuxfoundation.org>,
	<mathieu.dubois-briand@bootlin.com>, <alex@linutronix.de>,
	<otavio@ossystems.com.br>, <kexin.hao@windriver.com>,
	<pn@denx.de>
Cc: <afd@ti.com>, <detheridge@ti.com>, <denis@denix.org>,
	<reatmon@ti.com>, <openembedded-core@lists.openembedded.org>,
	<vijayp@ti.com>
Subject: Re: [oe-core][RFC] xuser-account: convert to standard-user-account
Date: Tue, 10 Feb 2026 18:05:05 -0600
Message-ID: <DGBOZ5D5OSKG.3ISZVKA2HWJTC@ti.com>
In-Reply-To: <1892BAF78F1F4DD5.591740@lists.openembedded.org>

On Mon Feb 9, 2026 at 6:25 PM CST, Randolph Sapp via lists.openembedded.org wrote:
> From: Randolph Sapp <rs@ti.com>
>
> Change this single xuser account template into a generic
> standard-user-account that uses distro level variables for
> configuration.
>
> This allows for seamless configuration of multiple out-of-box scripts
> and tests across layers without having to implicitly hope that the
> username or groups haven't been changed by a bbappend or recipe
> override.
>
> This was proposed specifically to remove some issues highlighted in:
> https://lists.openembedded.org/g/openembedded-core/message/230665
>
> Signed-off-by: Randolph Sapp <rs@ti.com>
> ---
>
> I'm thinking about adding something like REQUIRED_STANDARD_USER_GROUPS and
> REQUIRED_STANDARD_USER_SYSTEM_GROUPS checks to the features_check class so
> recipes can indicate when they will fail due to bad distro configs. Please let
> me know what you all think.
>
>  meta-selftest/files/static-group              |  3 +-
>  meta-selftest/files/static-passwd             |  3 +-
>  .../distro/include/default-distrovars.inc     | 12 ++++++
>  meta/conf/distro/include/maintainers.inc      |  2 +-
>  meta/recipes-graphics/wayland/weston-init.bb  | 13 +++----
>  .../x11-common/xserver-nodm-init_3.0.bb       |  7 ++--
>  .../user-creation/files/system-xuser.conf     | 11 ------
>  .../standard-user-account_0.1.bb              | 38 +++++++++++++++++++
>  .../user-creation/xuser-account_0.1.bb        | 30 ---------------
>  scripts/sstate-sysroot-cruft.sh               |  6 +--
>  10 files changed, 65 insertions(+), 60 deletions(-)
>  delete mode 100644 meta/recipes-support/user-creation/files/system-xuser.conf
>  create mode 100644 meta/recipes-support/user-creation/standard-user-account_0.1.bb
>  delete mode 100644 meta/recipes-support/user-creation/xuser-account_0.1.bb
>
> diff --git a/meta-selftest/files/static-group b/meta-selftest/files/static-group
> index 3fca4aa5c9..8bdf362ed7 100644
> --- a/meta-selftest/files/static-group
> +++ b/meta-selftest/files/static-group
> @@ -20,12 +20,11 @@ pulse:x:520:
>  bind:x:521:
>  builder:x:522:
>  weston-launch:x:524:
> -weston:x:525:
> +user:x:525:
>  wayland:x:526:
>  render:x:527:
>  sgx:x:528:
>  ptest:x:529:
> -xuser:x:530:
>  seat:x:531:
>  audio:x:532:
>  nogroup:x:65534:
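
Review bot: `user:x:525:` does not line up with the `user:x:530:530` entry added to static-passwd, and because `xuser:x:530:` is removed in this same hunk, the account's primary gid 530 is left with no group entry at all. Using `user:x:530:` here (and retiring 525), or moving the passwd entry to 525:525, would keep the two static tables consistent.
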
> diff --git a/meta-selftest/files/static-passwd b/meta-selftest/files/static-passwd
> index cc6c5acd5c..b309dad101 100644
> --- a/meta-selftest/files/static-passwd
> +++ b/meta-selftest/files/static-passwd
> @@ -16,6 +16,5 @@ pulse:x:520:520::/:/bin/nologin
>  bind:x:521:521::/:/bin/nologin
>  builder:x:522:522::/:/bin/nologin
>  _apt:x:523:523::/:/bin/nologin
> -weston:x:525:525::/:/bin/nologin
>  ptest:x:529:529::/:/bin/nologin
> -xuser:x:530:530::/:/bin/nologin
> +user:x:530:530::/:/bin/nologin

Ignore the discrepancy between the user group gid and user uid. Will address
that before the actual submission. I'm looking for comments about this concept
and execution.

Personally, I'm not crazy about needing both a runtime dependency and build
time dependency just so recipes can use the install command with the target
user and group. If anyone has comments about a clean way to work around that let
me know. This is kind of a weird crossover between distro and image features,
where it's difficult to assume anything.

- Randolph

> diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc
> index bbd936efa6..63c7a11c7e 100644
> --- a/meta/conf/distro/include/default-distrovars.inc
> +++ b/meta/conf/distro/include/default-distrovars.inc
> @@ -64,3 +64,15 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
>  # the variable to be empty.
>  # Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
>  CONNECTIVITY_CHECK_URIS ?= "https://www.yoctoproject.org/connectivity.html"
> +
> +# The STANDARD_USER_NAME is the default underprivileged user account name.
> +# The STANDARD_USER_GROUPS is a space delimited list of user groups that account
> +# should belong to, and STANDARD_USER_SYSTEM_GROUPS is the same but for system
> +# groups.
> +#
> +# Please take note that not all tooling currently supports changing these
> +# variables. Scripts like sstate-sysroot-cruft.sh and reproducible builds expect
> +# these values to be the defaults listed below.
> +STANDARD_USER_NAME ??= "user"
> +STANDARD_USER_GROUPS ??= ""
> +STANDARD_USER_SYSTEM_GROUPS ??= "video render tty audio input shutdown disk wayland"
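
Review bot: The comment describes an underprivileged account, but the default `STANDARD_USER_SYSTEM_GROUPS` carries over `disk`, `shutdown` and `tty` from the old xuser account. `disk` is the group that conventionally owns the raw block device nodes, so membership gives read/write access to on-disk data outside file permissions. The weston account removed by this patch only had `video,input,render,seat,wayland`, so merging the two widens what the compositor user can do. Consider a smaller default here and having the X11 and Weston recipes request the extra groups they actually need.
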
> diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
> index b231daf485..6f595f6d02 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -808,6 +808,7 @@ RECIPE_MAINTAINER:pn-spirv-tools = "Jose Quaresma <quaresma.jose@gmail.com>"
>  RECIPE_MAINTAINER:pn-sqlite3 = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-squashfs-tools = "Robert Yang <liezhi.yang@windriver.com>"
>  RECIPE_MAINTAINER:pn-ssh-pregen-hostkeys = "Richard Purdie <richard.purdie@linuxfoundation.org>"
> +RECIPE_MAINTAINER:pn-standard-user-account = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-startup-notification = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-strace = "Robert Yang <liezhi.yang@windriver.com>"
>  RECIPE_MAINTAINER:pn-stress-ng = "Unassigned <unassigned@yoctoproject.org>"
> @@ -934,7 +935,6 @@ RECIPE_MAINTAINER:pn-xserver-xf86-config = "Unassigned <unassigned@yoctoproject.
>  RECIPE_MAINTAINER:pn-xserver-xorg = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-xset = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-xtrans = "Unassigned <unassigned@yoctoproject.org>"
> -RECIPE_MAINTAINER:pn-xuser-account = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-xvinfo = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-xwayland = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-xwininfo = "Unassigned <unassigned@yoctoproject.org>"
> diff --git a/meta/recipes-graphics/wayland/weston-init.bb b/meta/recipes-graphics/wayland/weston-init.bb
> index 29cfba0833..98ce3d0d58 100644
> --- a/meta/recipes-graphics/wayland/weston-init.bb
> +++ b/meta/recipes-graphics/wayland/weston-init.bb
> @@ -26,8 +26,8 @@ PACKAGECONFIG[use-pixman] = ",,"
>  
>  DEFAULTBACKEND ??= ""
>  DEFAULTBACKEND:qemuall ?= "drm"
> -WESTON_USER ??= "weston"
> -WESTON_USER_HOME ??= "/home/${WESTON_USER}"
> +WESTON_USER = "${STANDARD_USER_NAME}"
> +WESTON_USER_HOME = "/home/${WESTON_USER}"
>  
>  do_install() {
>  	# Install weston-start script
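
Review bot: `WESTON_USER` and `WESTON_USER_HOME` move from `??=` to `=`, so a distro or local.conf that already sets `WESTON_USER` is now overridden by the recipe without any warning. If that is the intent, the commit message should say that `STANDARD_USER_NAME` is the replacement knob; it may be cleaner to drop `WESTON_USER` and use `${STANDARD_USER_NAME}` directly. `WESTON_USER_HOME = "/home/${WESTON_USER}"` also assumes where `--create-home` in standard-user-account places the home directory, which nothing in this patch pins down.
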
> @@ -83,15 +83,14 @@ do_install() {
>  
>  INHIBIT_UPDATERCD_BBCLASS = "${@oe.utils.conditional('VIRTUAL-RUNTIME_init_manager', 'systemd', '1', '', d)}"
>  
> -inherit update-rc.d systemd useradd
> -
> -USERADD_PACKAGES = "${PN}"
> +inherit update-rc.d systemd
>  
>  # rdepends on weston which depends on virtual/egl
>  #
>  require ${THISDIR}/required-distro-features.inc
>  
> -RDEPENDS:${PN} = "weston kbd ${@bb.utils.contains('PACKAGECONFIG', 'xwayland', 'weston-xwayland', '', d)}"
> +DEPENDS += "standard-user-account"
> +RDEPENDS:${PN} = "weston kbd standard-user-account ${@bb.utils.contains('PACKAGECONFIG', 'xwayland', 'weston-xwayland', '', d)}"
>  
>  INITSCRIPT_NAME = "weston"
>  INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ."
> @@ -109,5 +108,3 @@ FILES:${PN} += "\
>  CONFFILES:${PN} += "${sysconfdir}/xdg/weston/weston.ini ${sysconfdir}/default/weston"
>  
>  SYSTEMD_SERVICE:${PN} = "weston.service weston.socket"
> -USERADD_PARAM:${PN} = "--home ${WESTON_USER_HOME} --shell /bin/sh --user-group -G video,input,render,seat,wayland ${WESTON_USER}"
> -GROUPADD_PARAM:${PN} = "-r wayland; -r render; -r seat"
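
Review bot: The removed `USERADD_PARAM` put the account in `seat` and set `--shell /bin/sh`, and the removed `GROUPADD_PARAM` created `seat`; neither carries over. The default `STANDARD_USER_SYSTEM_GROUPS` has no `seat`, and `COMMON_ARGS` in standard-user-account has no `--shell`. Either add `seat` to the defaults or explain in the commit message why Weston no longer needs it, and confirm that the default shell is acceptable for the Weston session.
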
> diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
> index 169269eefb..31bd75aeda 100644
> --- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
> +++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
> @@ -38,8 +38,8 @@ do_install() {
>      BLANK_ARGS="${@bb.utils.contains('PACKAGECONFIG', 'blank', '', '-s 0 -dpms', d)}"
>      NO_CURSOR_ARG="${@bb.utils.contains('PACKAGECONFIG', 'nocursor', '-nocursor', '', d)}"
>      if [ "${ROOTLESS_X}" = "1" ] ; then
> -        XUSER_HOME="/home/xuser"
> -        XUSER="xuser"
> +        XUSER_HOME="/home/${STANDARD_USER_NAME}"
> +        XUSER="${STANDARD_USER_NAME}"
>          install -D capability.conf ${D}${sysconfdir}/security/capability.conf
>          sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
>      else
> @@ -62,7 +62,8 @@ do_install() {
>      fi
>  }
>  
> -RDEPENDS:${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
> +DEPENDS += "${@oe.utils.conditional('ROOTLESS_X', '1','standard-user-account', '', d)}"
> +RDEPENDS:${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'standard-user-account libcap libcap-bin', '', d)}"
>  
>  INITSCRIPT_NAME = "xserver-nodm"
>  INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
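
Review bot: In the new `DEPENDS` line, `'1','standard-user-account'` is missing the space after the comma that the `RDEPENDS` line directly below uses. Since both lines repeat the same `ROOTLESS_X` conditional, a single helper variable holding the conditional package name would keep them from drifting apart.
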
> diff --git a/meta/recipes-support/user-creation/files/system-xuser.conf b/meta/recipes-support/user-creation/files/system-xuser.conf
> deleted file mode 100644
> index d42e3d1f50..0000000000
> --- a/meta/recipes-support/user-creation/files/system-xuser.conf
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
> - "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> -<busconfig>
> -    <policy user="xuser">
> -        <allow send_destination="net.connman"/>
> -        <allow send_destination="net.connman.vpn"/>
> -        <allow send_destination="org.ofono"/>
> -        <allow send_destination="org.bluez"/>
> -    </policy>
> -</busconfig>
> -
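
Review bot: Deleting this policy removes the D-Bus `send_destination` allowances for `net.connman`, `net.connman.vpn`, `org.ofono` and `org.bluez`, and the new recipe sets `do_install[noexec]` and ships no replacement, so a rootless X session loses that access. The commit message does not mention this behaviour change. If the removal is deliberate (it does narrow what the account can reach), please state it; otherwise the policy needs a new home with `user=` templated from `STANDARD_USER_NAME`.
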
> diff --git a/meta/recipes-support/user-creation/standard-user-account_0.1.bb b/meta/recipes-support/user-creation/standard-user-account_0.1.bb
> new file mode 100644
> index 0000000000..1aa1e71bc3
> --- /dev/null
> +++ b/meta/recipes-support/user-creation/standard-user-account_0.1.bb
> @@ -0,0 +1,38 @@
> +SUMMARY = "Creates a standard user account"
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> +
> +inherit allarch useradd
> +
> +do_compile[noexec] = "1"
> +do_compile[noexec] = "1"
> +do_install[noexec] = "1"
> +
> +COMMON_ARGS = "--create-home --user-group"
> +
> +python __anonymous() {
> +    common_args = d.getVar("COMMON_ARGS") or ""
> +    user = d.getVar("STANDARD_USER_NAME") or ""
> +    pn = d.getVar("PN") or ""
> +
> +    unique_groups = sorted(set((d.getVar("STANDARD_USER_GROUPS") or "").split()))
> +    unique_system_groups = sorted(set((d.getVar("STANDARD_USER_SYSTEM_GROUPS") or "").split()))
> +
> +    if unique_groups or unique_system_groups:
> +        joined_groups = ','.join(unique_groups + unique_system_groups)
> +        d.setVar(f"USERADD_PARAM:{pn}", f"{common_args} --groups {joined_groups} {user}")
> +
> +        # make sure all the groups exist
> +        groupadd_str = ""
> +        for group in unique_groups:
> +            groupadd_str += f" {group} ;"
> +        for group in unique_system_groups:
> +            groupadd_str += f" --system {group} ;"
> +        d.setVar(f"GROUPADD_PARAM:{pn}", f"{groupadd_str}")
> +}
> +
> +# default case, and a requirement to satisfy the parser check
> +USERADD_PARAM:${PN} = "${COMMON_ARGS} ${STANDARD_USER_NAME}"
> +USERADD_PACKAGES = "${PN}"
> +
> +ALLOW_EMPTY:${PN} = "1"
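
Review bot: `do_compile[noexec] = "1"` appears twice in a row; the deleted xuser-account recipe stubbed out `do_configure` and `do_compile`, so the first of the pair was presumably meant to be `do_configure[noexec] = "1"`. In the anonymous function, `user = d.getVar("STANDARD_USER_NAME") or ""` lets an empty name fall through into `USERADD_PARAM`, producing a useradd command line with no login name; raising a parse-time error there (for example with `bb.fatal`) would give a clearer failure than a broken useradd call later. A `DESCRIPTION` noting that group membership comes from the two distro variables would also help, since the privileges of this account are no longer visible in the recipe itself.
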
> diff --git a/meta/recipes-support/user-creation/xuser-account_0.1.bb b/meta/recipes-support/user-creation/xuser-account_0.1.bb
> deleted file mode 100644
> index 04f506e7a3..0000000000
> --- a/meta/recipes-support/user-creation/xuser-account_0.1.bb
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -SUMMARY = "Creates an 'xuser' account used for running X11"
> -LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> -
> -SRC_URI = "file://system-xuser.conf"
> -
> -inherit allarch useradd
> -
> -S = "${UNPACKDIR}"
> -
> -do_configure() {
> -    :
> -}
> -
> -do_compile() {
> -    :
> -}
> -
> -do_install() {
> -    install -D -m 0644 ${UNPACKDIR}/system-xuser.conf ${D}${sysconfdir}/dbus-1/system.d/system-xuser.conf
> -}
> -
> -FILES:${PN} = "${sysconfdir}/dbus-1/system.d/system-xuser.conf"
> -
> -USERADD_PACKAGES = "${PN}"
> -USERADD_PARAM:${PN} = "--create-home \
> -                       --groups video,tty,audio,input,shutdown,disk \
> -                       --user-group xuser"
> -
> -ALLOW_EMPTY:${PN} = "1"
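
Review bot: Nothing in the new standard-user-account recipe refers to the old name, so any layer that still lists `xuser-account` in `RDEPENDS` will fail to resolve once this recipe is deleted. Because the account name itself also changes from `xuser` to the value of `STANDARD_USER_NAME`, a silent `RPROVIDES` alias would be misleading; a short migration note in the commit message is probably the better fix.
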
> diff --git a/scripts/sstate-sysroot-cruft.sh b/scripts/sstate-sysroot-cruft.sh
> index b2002badfb..5e1ae9c535 100755
> --- a/scripts/sstate-sysroot-cruft.sh
> +++ b/scripts/sstate-sysroot-cruft.sh
> @@ -127,9 +127,9 @@ WHITELIST="${WHITELIST} \
>  # generated by useradd.bbclass
>  WHITELIST="${WHITELIST} \
>    [^/]*/home \
> -  [^/]*/home/xuser \
> -  [^/]*/home/xuser/.bashrc \
> -  [^/]*/home/xuser/.profile \
> +  [^/]*/home/user \
> +  [^/]*/home/user/.bashrc \
> +  [^/]*/home/user/.profile \
>    [^/]*/home/builder \
>    [^/]*/home/builder/.bashrc \
>    [^/]*/home/builder/.profile \


