[sonic-host-services] Add comprehensive user management daemon (userd)

SONiC needed a centralized user management daemon that can:
- Monitor CONFIG_DB for user configuration changes
- Manage local system users based on SONiC configuration
- Provide role-based access control with predefined groups
- Handle SSH key management with proper security
- Integrate with PAM for authentication policies
- Support efficient change detection to minimize system calls

**1. User Management Daemon (userd):**
- Implemented C++ daemon using SWSS framework for CONFIG_DB integration
- Added comprehensive user lifecycle management (create/update/delete/enable/disable)
- Implemented role-based group assignment (administrator, operator roles)
- Added SSH key management with proper file permissions and ownership
- Used posix_spawn() for secure command execution without shell interpretation
- Added efficient change detection using UserInfo comparison to avoid unnecessary system calls
- Integrated PAM faillock configuration using Jinja2 templates

**2. Build System Integration:**
- Added CMakeLists.txt for C++ compilation with SWSS dependencies
- Created debian packaging with proper control files and dependencies
- Added systemd service configuration for userd daemon
- Integrated Makefile for building and installation

**3. Security Features:**
- Secure password handling using system's native hashing methods
- Proper file permissions for SSH keys (600) and directories (700)
- Role-based group assignments with predefined security groups
- PAM faillock integration for login attempt limiting
- Input validation and sanitization for all user operations

**4. Testing Framework:**
- Added comprehensive unit tests for userd functionality
- Integration tests for CONFIG_DB interaction
- User lifecycle testing with proper cleanup
- SSH key management testing
- Role-based access control validation

Author: manoharan-nexthop

data/templates/faillock.conf.j2

@@ -0,0 +1,27 @@
+# PAM faillock configuration managed by userd
+# Do not edit manually - changes will be overwritten
+
+# Global settings
+dir = /var/run/faillock
+audit
+silent
+no_log_info
+
+{% if security_policies %}
+# Role-based security policies
+{% for role, policy in security_policies.items() %}
+{% if policy.max_login_attempts %}
+# {{ role }} role settings
+deny = {{ policy.max_login_attempts }}
+unlock_time = 900  # 15 minutes
+{% endif %}
+{% endfor %}
+{% else %}
+# Default settings when no policies are configured
+deny = 5
+unlock_time = 900
+{% endif %}
+
+# Additional settings
+fail_interval = 900
+root_unlock_time = 900

userd/Makefile

@@ -0,0 +1,26 @@
+# Makefile for sonic-host-userd
+
+.PHONY: all clean install build-cpp
+
+# Default target
+all: build-cpp
+
+# Build C++ components
+build-cpp:
+	mkdir -p build
+	cd build && cmake ../src && make
+
+# Clean build artifacts
+clean:
+	rm -rf build
+
+# Install (called by debian packaging)
+install: build-cpp
+	mkdir -p $(DESTDIR)/usr/local/bin
+	cp build/userd $(DESTDIR)/usr/local/bin/userd
+	chmod +x $(DESTDIR)/usr/local/bin/userd
+
+# For development/testing
+install-local: build-cpp
+	sudo cp build/userd /usr/local/bin/userd
+	sudo chmod +x /usr/local/bin/userd

userd/debian/changelog

@@ -0,0 +1,5 @@
+sonic-host-userd (1.0-1) UNRELEASED; urgency=low
+
+  * Initial release
+
+ -- SONiC Maintainers <[email protected]>  Mon, 11 Aug 2025 08:00:00 +0000

userd/debian/compat

@@ -0,0 +1 @@
+11

userd/debian/control

@@ -0,0 +1,11 @@
+Source: sonic-host-userd
+Maintainer: SONiC Maintainers <[email protected]>
+Section: misc
+Priority: optional
+Standards-Version: 0.1
+Build-Depends: debhelper (>=11), cmake, g++, pkg-config, libcrypt-dev, nlohmann-json3-dev, libswsscommon-dev
+
+Package: sonic-host-userd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, sonic-host-services-data, libswsscommon
+Description: SONiC host userd binary

userd/debian/copyright

@@ -0,0 +1,20 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: sonic-host-userd
+Source: https://github.com/Azure/sonic-buildimage
+
+Files: *
+Copyright: 2025 Microsoft Corporation
+License: Apache-2.0
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.

userd/debian/install

@@ -0,0 +1 @@
+build/userd /usr/local/bin/

userd/debian/rules

@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	dh_auto_build
+	# Build C++ components
+	make build-cpp
+
+override_dh_auto_install:
+	dh_auto_install
+	# Install C++ components
+	make install DESTDIR=$(CURDIR)/debian/sonic-host-userd
+
+override_dh_installsystemd:
+	dh_installsystemd --no-start --name=sonic-host-userd
+
+override_dh_usrlocal:
+	# Skip dh_usrlocal since we're intentionally installing to /usr/local/bin

userd/debian/sonic-host-userd.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=User management daemon
+Requires=config-setup.service
+After=config-setup.service
+BindsTo=sonic.target
+After=sonic.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/userd
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=sonic.target

userd/src/CMakeLists.txt

@@ -0,0 +1,31 @@
+cmake_minimum_required(VERSION 3.10)
+project(sonic-host-userd)
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+# Include directories (SONiC standard paths)
+include_directories(/usr/include/swss)
+include_directories(/usr/include)
+
+# Compiler flags
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Wextra -Werror")
+set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -g -O0")
+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O2")
+
+# Add executable
+add_executable(userd userd.cpp)
+
+# Link libraries
+target_link_libraries(userd
+    swsscommon
+    pthread
+    crypt
+)
+
+# Install target
+install(TARGETS userd
+    RUNTIME DESTINATION /usr/local/bin
+)
+
+