system: better wwwonly bootstrap

This also has an issue with the post-update rc.syshook if
the wwwonly is not found.  But: after a boot it is ensured
and should not be missing thereafter.

The package post-install would ensure it previously, but
we don't want to also chain the php bootstrap through this
just to get the call stack in the right order.

May need further adjusting but also no need to rush this
into a stable release at the moment.

+POST_INSTALL

@@ -1,29 +1,3 @@
-PW=/usr/sbin/pw
-USER=%%CORE_USER%%
-GROUP=%%CORE_GROUP%%
-UID=%%CORE_UID%%
-GID=%%CORE_GID%%
-
-PW_ARG=add
-if ${PW} groupshow ${GROUP} >/dev/null 2>&1; then
-    PW_ARG=mod
-fi
-
-echo "Creating group '${GROUP}' with gid '${GID}'"
-${PW} group${PW_ARG} ${GROUP} -g ${GID}
-
-PW_ARG=add
-if ${PW} usershow ${USER} >/dev/null 2>&1; then
-    PW_ARG=mod
-fi
-
-echo "Creating user '${USER}' with uid '${UID}'"
-${PW} user${PW_ARG} ${USER} -u ${UID} -g ${GID} -c "World Wide Web Only" -d /nonexistent -s /usr/sbin/nologin
-
-if [ -n "${CORE_USER_GROUP_ONLY}" ]; then
-	exit 0
-fi
-
 echo "Updating /etc/shells"
 cp /etc/shells /etc/shells.bak
 (grep -v /usr/local/sbin/opnsense-shell /etc/shells.bak; \

+PRE_DEINSTALL

@@ -1,7 +1,3 @@
-if [ -n "${CORE_USER_GROUP_ONLY}" ]; then
-	exit 0
-fi
-
 /usr/local/etc/rc.d/configd stop
 
 echo "Resetting root shell"

Makefile

@@ -253,8 +253,6 @@ manifest:
 	@echo "comment: \"${CORE_COMMENT}\""
 	@echo "desc: \"${CORE_HASH}\""
 	@echo "maintainer: \"${CORE_MAINTAINER}\""
-	@echo "users: [ \"${CORE_USER}\" ]"
-	@echo "groups: [ \"${CORE_GROUP}\" ]"
 	@echo "www: \"${CORE_WWW}\""
 	@echo "message: \"${CORE_MESSAGE}\""
 	@echo "categories: [ \"sysutils\", \"www\" ]"

src/etc/rc.subr.d/php

@@ -25,11 +25,30 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-# XXX Eventually we could try to ensure the user from here as it would
-# avoid our bootstrap worries regarding using a predefined non-root user
-# that does not even exist on the system which can prevent the GUI from
-# starting or changing ownership staying root.
-OWNER="$(opnsense-version -R CORE_USER):wheel"
+OWNERSHIP=$(opnsense-version -R 'CORE_GROUP=CORE_GID:CORE_USER=CORE_UID')
+OWNERGRP=${OWNERSHIP%:*}
+OWNERUSR=${OWNERSHIP##*:}
+
+PW=/usr/sbin/pw
+GROUP=${OWNERGRP%=*}
+GID=${OWNERGRP##*=}
+USER=${OWNERUSR%=*}
+UID=${OWNERUSR##*=}
+OWNER="${USER}:wheel"
+
+PW_ARG=add
+if ${PW} groupshow ${GROUP} >/dev/null 2>&1; then
+    PW_ARG=mod
+fi
+
+${PW} group${PW_ARG} ${GROUP} -g ${GID}
+
+PW_ARG=add
+if ${PW} usershow ${USER} >/dev/null 2>&1; then
+    PW_ARG=mod
+fi
+
+${PW} user${PW_ARG} ${USER} -u ${UID} -g ${GID} -c "World Wide Web Only" -d /nonexistent -s /usr/sbin/nologin
 
 # set up required output directories for various PHP components
 for PHPDIR in cache sessions tmp; do

src/etc/rc.subr.d/recover

@@ -63,7 +63,6 @@ www:*:80:
 u2f:*:116:
 ntpd:*:123:
 _ypldap:*:160:
-%%CORE_GROUP%%:*:%%CORE_GID%%:
 hast:*:845:
 tests:*:977:
 nogroup:*:65533:
@@ -97,7 +96,6 @@ auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologi
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 ntpd:*:123:123::0:0:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
 _ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
-%%CORE_USER%%:*:%%CORE_UID%%:%%CORE_GID%%::0:0:World Wide Web Only:/nonexistent:/usr/sbin/nologin
 hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
 tests:*:977:977::0:0:Unprivileged user for tests:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
@@ -234,8 +232,6 @@ function recover_ports()
     $tempfile = fopen($tempname, 'w');
     $luacount = 0;
 
-    putenv('CORE_USER_GROUP_ONLY=yes');
-
     foreach ($pkgs as $pkg) {
         $raw = exec('/usr/local/sbin/pkg-static info --raw --raw-format json-compact ' . $pkg);
         $info = json_decode($raw, true);

src/sbin/opnsense-version

@@ -143,7 +143,7 @@ if [ -n "${DO_RAW}" ]; then
 		exit 0
 	fi
 
-	OUTPUT=$(echo "${FILE}" | sed -e 's=\([A-Z][A-Z_]*\)=$\1=g')
+	OUTPUT=$(echo "${FILE}" | sed -e 's=\(CORE_[A-Z_]*\)=${\1}=g' -e 's=\(PLUGIN_[A-Z_]*\)=${\1}=g')
 	TARGET=nop
 fi