Thank you both for your response. It's appreciated.
>
> * Files in systemd's sysusers configuration directory will be used as a
> data source to create /etc/passwd and /etc/shadow.
Also, /etc/group and /etc/gshadow.
> Under what conditions are these two files created / touched?
Three triggers:
1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
which I hope can be made the default in Fedora for all packages
needing system users.
2. At boot on systems which are set up in a "golden master" scheme,
where a single /usr is used for a number of instances which each have
their own /etc and /var. Similarly, on "stateless" systems which boot
up with tmpfs on /etc and /var, and hence start from scratch every
single time. Note though that Fedora is not set up for this fully yet
(though it actually works pretty good already, with the two
exceptions in the basic OS being PAM and dbus-1, which react quite
allergic to an unpopulated /etc).
3. Similar to 2, but people who instantiate new systems from the same
/usr in an "offline" scheme, where they don't delay user creation to
the next reboot.
Note however, that sysusers will only do something if any of the
specified users is actually missing. We are very careful in not touching
the file system if all users already exist. Also, if the disk is
read-only sysusers is automatically skipped at boot.
At a later time I will propose fixing Fedora to make the "stateless" +
"golden master" schemes just work. But I am not ready to discuss this in
full now.
> When I install a package and add a file to this sysuser directory, is
> only that user added to passwd and shadow?
For each user you create with sysusers a matching group will be created
too, should it be missing.
> Is there a way to disable or remove a system user from being added
> to /etc/shadow?
No. What's the use case? Does this currently exist for the RPM scriptlet
case?
ATM there is no use case, but there will surely be one person who will
cry out if this is unavailable. I would rather have it clearly stated on
a wiki / FAQ, so that when someone in the future asks for this, there is
a clear answer stated. I'm a fan of documenting and covering these edge
cases is all :)
> Are changes to shadow/passwd made by a user respected / preserved (IE to
> a user account)?
Yes. Always. sysusers will never touch existing users, it will only add
in missing ones, with secure defaults (i.e. as disabled accounts, with
no login possible). For example, if you assign a shell or a password to
one of those system users, then that's totally OK, sysusers will stay
away from that, never reset it, never touch it.
> What happens if a human edits the system account generated by systemd,
> do the changes get lost?
Nope, what the admin changes will take effect. The only thing that might
happen is that if you delete a user it might be recreated the next time
sysusers runs.
Thanks for all your answers. Do you mind adding them to a section on
https://fedoraproject.org/wiki/Changes/SystemdSysusers so that others
can benefit from them?
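
Because sysusers never resets an account that already exists, drift from the locked, no-login defaults has to be found by an audit. The following is an added example, not part of the original thread and not systemd code: it reads the "u" lines of a sysusers.d fragment and checks the matching passwd and shadow entries. The sample data, the shell list and the rule that a shadow field starting with "!" or "*" means locked are assumptions of the example.

```python
import shlex

# Assumption: shells treated as "no login possible".
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample inputs, not taken from a real system.
SYSUSERS_CONF = '''# Type Name ID GECOS Home
u httpd   - "HTTP daemon" /var/www
u chronyd - "Time daemon"
u tftpd   - "TFTP daemon"
g input   -
'''
PASSWD = '''root:x:0:0:root:/root:/bin/bash
httpd:x:996:996:HTTP daemon:/var/www:/bin/bash
chronyd:x:995:995:Time daemon:/:/sbin/nologin
'''
SHADOW = '''root:$6$constructed$hash:19000:0:99999:7:::
httpd:$6$constructed$hash:19000::::::
chronyd:!!:19000::::::
'''

def declared_users(conf):
    """Return the user names declared by 'u' lines of a sysusers.d fragment."""
    names = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = shlex.split(line)          # honours the quoted GECOS field
            if len(fields) >= 2 and fields[0] == "u":
                names.append(fields[1])
    return names

def by_name(text):
    """Index colon-separated passwd/shadow lines by their first field."""
    return {l.split(":")[0]: l.split(":") for l in text.splitlines() if l.strip()}

def audit(conf, passwd_text, shadow_text):
    """List (user, finding) pairs where a declared account differs from the defaults."""
    passwd, shadow, findings = by_name(passwd_text), by_name(shadow_text), []
    for name in declared_users(conf):
        if name not in passwd:                  # deleted or not yet created
            findings.append((name, "missing, next sysusers run would create it"))
            continue
        entry = passwd[name]
        if len(entry) < 7 or entry[6] not in NOLOGIN_SHELLS:
            findings.append((name, "login shell set"))
        if name not in shadow:
            findings.append((name, "no shadow entry"))
        elif not shadow[name][1].startswith(("!", "*")):
            findings.append((name, "password field not locked"))
    return findings
```

On a live system, pass the contents of the fragment and of /etc/passwd and /etc/shadow (readable by root) instead of the constructed samples.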