New Fedora 22 Change proposal: systemd-sysusers

Nico Kadel-Garcia nkadel at gmail.com
Sat Jul 12 04:40:32 UTC 2014


On Wed, Jul 9, 2014 at 12:25 PM, Miloslav Trmač <mitr at redhat.com> wrote:
> (This is all rather beside the point: fixing those particular things won’t eliminate any of the problems of triplicate implementations and splintered knowledge.  But to spread the awareness of the area…)
>
> ----- Original Message -----
>> On Wed, Jul 9, 2014, at 07:30 AM, Miloslav Trmač wrote:
>>
>> > * validates names incorrectly
>>
>> We're talking about the equivalent of lu_name_allowed() from libuser?
> Yes.
>
>> But the usernames specified here are only for system users, they're not
>> derived from dynamic input, so it seems to me we can be even more
>> restrictive safely.
> True; to that extent this is not such a pressing problem.
>
>> Can you be more specific about the name validation?
> The binding maximum length constraint is from the utmp format (UT_NAMESIZE - 1); LOGIN_NAME_MAX is an upper bound but not binding, and this has already ended up in systemd-sysuser’s documentation essentially promising to do the impossible/unsafe by using the non-binding maximum length.
>
>> > * breaks the configurable [UG]ID_MIN logic
>> > (http://fedoraproject.org/wiki/Features/1000SystemAccounts, and yes, that
>> > is actually used and needed)
>>
>> It *does* read that file since:
>> http://cgit.freedesktop.org/systemd/systemd/commit/?id=f7dc3ab9f43b67abcbd34062b9352ab42debec49
>> This predates sysusers, but I'm assuming you mean the bug here is that
>> it's read at build time and instead should be dynamic?
>
> Yes.
>
>> > * is likely to break various readers software by not updating the shadow
>> > files
>>
>> There was a discussion of that upstream, it's on the TODO.  I agree with
>> Lennart here that it seems nicer to just not have entries at all,
>
> On a typical system _no_ accounts are missing from the shadow files, so tools and admins’ scripts are not designed and rigorously tested to handle this.  (Early in its history, system-config-users had a _lot_ of problems with shadow/non-shadow mismatches.)

Until you introduce NIS, NIS+, LDAP, or Samba-style LDAP.

system-config-users had a lot of issues, in my experience, because it
would fail to *resolve* mismatches created by other badly, badly
written tools.

> Note also that if a tool needs to edit _one_ field within the shadow file, it needs to add some values for all the other fields (or at least the mandatory ones), and it’s not always obvious what value to use.  So it’s actually much clearer for the system tools, which already know the default values of the fields based on their own configuration, to pre-create the shadow entries with the correct default values.  (Though this applies especially to real users rather than passwordless system accounts.)

If any modern tool is not using 'usermod' or 'lusermod' directly, to
avoid problems with atomic operations by other tools, then I certainly
don't want to see it in current Fedora releases.


>> In that case, I don't see significant
>> complexity or cost to having multiple readers/writers.
>
> The cost to write the new code in systemd-sysusers is already way larger than what would have been necessary to just call useradd, so it is inefficient by that measure already.  Then add this discussion, and making any future changes in the design more costly (like your proposal for /usr/lib/passwd - one more implementation is one more place to patch; every future change would be all that much harder)
>     Mirek

This.....
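
Added example, not part of the original message and not code from systemd or libuser: the length constraint discussed above, checked in C against UT_NAMESIZE - 1 from <utmp.h>, together with a helper showing that longer names stop being distinguishable once stored in the ut_user field of a utmp record. The function names, SYSUSER_NAME_MAX and the strict character set are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>   /* UT_NAMESIZE, struct utmp */

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Binding limit named in the thread: UT_NAMESIZE - 1. LOGIN_NAME_MAX is
 * only an upper bound, so it is deliberately not used here. */
#define SYSUSER_NAME_MAX ((size_t)(UT_NAMESIZE - 1))

/* Hypothetical validator. The character set is an assumption of this
 * example (deliberately strict): [a-z_][a-z0-9_-]* */
enum name_status check_system_user_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return NAME_EMPTY;
    if (len > SYSUSER_NAME_MAX)
        return NAME_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || c == '_' ||
                 (i > 0 && ((c >= '0' && c <= '9') || c == '-'));
        if (!ok)
            return NAME_BAD_CHAR;
    }
    return NAME_OK;
}

/* Returns 1 if two distinct names become identical once copied into the
 * fixed-size ut_user field, i.e. a utmp reader cannot tell them apart. */
int utmp_names_collide(const char *a, const char *b)
{
    struct utmp ua, ub;
    size_t la = strlen(a), lb = strlen(b);
    memset(&ua, 0, sizeof ua);
    memset(&ub, 0, sizeof ub);
    memcpy(ua.ut_user, a, la < sizeof ua.ut_user ? la : sizeof ua.ut_user);
    memcpy(ub.ut_user, b, lb < sizeof ub.ut_user ? lb : sizeof ub.ut_user);
    return strcmp(a, b) != 0 &&
           memcmp(ua.ut_user, ub.ut_user, sizeof ua.ut_user) == 0;
}

int main(void)
{
    printf("limit: %zu characters\n", SYSUSER_NAME_MAX);
    printf("status: %d\n", check_system_user_name("systemd-journal-gateway"));
    return 0;
}
```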

