New Fedora 22 Change proposal: systemd-sysusers

Lennart Poettering mzerqung at 0pointer.de
Thu Jul 10 12:56:58 UTC 2014


On Thu, 10.07.14 17:16, William (william at firstyear.id.au) wrote:

> On Thu, 2014-07-10 at 08:17 +0300, Oron Peled wrote:
> > A non-API related question...
> 
> > 
> > Generally, I prefer the explicit systemd settings over home directory
> > with "magical" effects, but I wonder if anyone is aware of existing
> > system users which carry more complex semantics.
> 
> Perhaps look at the amanda backup system? That uses the home directory
> location quite deeply in its setup...
> 
> Additionally, some of the effects of what you want to achieve don't seem
> hugely clear. Perhaps the answers to these questions can
> be put on the wiki to clear up some initial concerns I have as a
> sysadmin.
> 
> * Files in systemd's sysusers configuration directory will be used as a
> data source to create /etc/passwd and /etc/shadow.

Also, /etc/group and /etc/gshadow.

> Under what conditions are these two files created / touched? 

Three triggers:

1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
   which I hope can be made the default in Fedora for all packages
   needing system users.

2. At boot on systems which are set up in a "golden master" scheme,
   where a single /usr is used for a number of instances which each have
   their own /etc and /var. Similarly, on "stateless" systems which boot
   up with tmpfs on /etc and /var, and hence start from scratch every
   single time. Note though that Fedora is not set up for this fully yet
   (though it actually works pretty well already, with the two
   exceptions in the basic OS being PAM and dbus-1, which react quite
   allergically to an unpopulated /etc).

3. Similar to 2, but people who instantiate new systems from the same
   /usr in an "offline" scheme, where they don't delay user creation to
   the next reboot.

Note however, that sysusers will only do something if any of the
specified users is actually missing. We are very careful in not touching
the file system if all users already exist. Also, if the disk is
read-only sysusers is automatically skipped at boot.

At a later time I will propose fixing Fedora to make the "stateless" +
"golden master" schemes just work. But I am not ready to discuss this in
full now.

> When I install a package and add a file to this sysuser directory, is
> only that user added to passwd and shadow? 

For each user you create with sysusers a matching group will be created
too, should it be missing. 

> Is there a way to disable or remove a system user from being added
> to /etc/shadow? 

No. What's the usecase? Does this currently exist for the RPM scriptlet
case?

> Are changes to shadow/passwd made by a user respected / preserved (IE to
> a user account)? 

Yes. Always. sysusers will never touch existing users, it will only add
in missing ones, with secure defaults (i.e. as disabled accounts, with
no login possible). For example, if you assign a shell or a password to
one of those system users, then that's totally OK, sysusers will stay
away from that, never reset it, never touch it.

> What happens if a human edits the system account generated by systemd,
> do the changes get lost?

Nope, what the admin changes will take effect. The only thing that might
happen is that if you delete a user it might be recreated the next time
sysusers runs.

Lennart

-- 
Lennart Poettering, Red Hat
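Added example, not from the thread or from systemd itself: a small Python model of the semantics described above (sysusers.d "u"/"g" lines, only missing entries are added, a matching group is created per user, existing accounts are never touched, new accounts are disabled). The /sbin/nologin shell, the "!*" shadow field and the lowest-free-id allocation are assumptions of this model, not systemd's exact policy.

```python
import shlex

NOLOGIN = "/sbin/nologin"   # assumed: shell given to newly created system accounts
LOCKED = "!*"               # assumed: shadow password field meaning "no login possible"

def parse_sysusers(text):
    """Yield (type, name, id, gecos, home) from sysusers.d-style lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)            # keeps the quoted GECOS field intact
        fields += ["-"] * (5 - len(fields))   # absent trailing columns read as "-"
        yield tuple(fields[:5])

def free_system_id(used, lo=201, hi=999):
    # Assumed allocation policy: lowest unused id in the system range.
    return next(i for i in range(lo, hi + 1) if i not in used)

def apply_sysusers(text, passwd, shadow, group):
    """Add only missing users/groups to the in-memory tables; return what was created."""
    created = []
    def ensure_group(name, gid):
        if name in group:                     # pre-existing group: never touched
            return
        if gid == "-":
            gid = free_system_id({g["gid"] for g in group.values()})
        group[name] = {"gid": int(gid)}
        created.append("group:" + name)
    for typ, name, ident, gecos, home in parse_sysusers(text):
        if typ == "g":
            ensure_group(name, ident)
        elif typ == "u":
            if name in passwd:                # existing user: shell, password etc.
                continue                      # stay exactly as the admin left them
            ensure_group(name, ident)         # matching group, should it be missing
            uid = free_system_id({u["uid"] for u in passwd.values()}) if ident == "-" else int(ident)
            passwd[name] = {"uid": uid, "gid": group[name]["gid"], "shell": NOLOGIN,
                            "gecos": "" if gecos == "-" else gecos, "home": "/" if home == "-" else home}
            shadow[name] = LOCKED             # created as a disabled account
            created.append("user:" + name)
    return created

# Constructed sample: the admin already gave "amanda" a real shell and password.
PASSWD = {"amanda": {"uid": 33, "gid": 6, "gecos": "Amanda", "home": "/var/lib/amanda", "shell": "/bin/bash"}}
SHADOW = {"amanda": "$6$constructed"}
GROUP = {"root": {"gid": 0}, "disk": {"gid": 6}}
CONF = 'u amanda 33 "Amanda Backup" /var/lib/amanda\nu foo - "Foo Daemon" /var/lib/foo\ng bar 770\n'
```

Running apply_sysusers(CONF, PASSWD, SHADOW, GROUP) twice shows the idempotency described in the mail: the first call creates only foo and bar, the second call creates nothing, and amanda's shell and password are left alone both times.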
