fedora-atomic discussion point: /usr/lib/passwd

Colin Walters walters at verbum.org
Fri Apr 11 06:33:59 UTC 2014

For the fedora-atomic work, the only not-in-Fedora package is 
shadow-utils because it requires a patch, that still lives in my 
walters/rpm-ostree COPR.

Patch is linked from my post here:

Also, some discussion in the glibc bug:

What I'd like to open is a discussion about whether /usr/lib/passwd is 
the right thing long term.  I think it'd be very useful to support it 
short term, but it's not perfect.

The main case where it breaks is when you have a daemon that runs as 
non-root and saves state, so you give it its own system user, but not a 
reserved uid.  Daemons in this class will have their uids effectively 
ordered by package installation order =/

One way to fix this that goes with my general direction of moving 
things out of %post into systemd: a dynamic uid reservation system that 
saves state persistently.  

Crudely, this would be ExecStartPre=/usr/sbin/useradd -r ...
except we'd wrap that with something that checked whether the user 
existed first.

Then /etc/passwd would still be local system-persistent state, and 
OSTree still wouldn't need to run a %post.  I think though it'd be good 
to still use /usr/lib/passwd in this model for daemons that *don't* 
save state persistently, like dbus.  No need to pollute /etc/passwd 
with them.

(Note, we'd also need to teach %systemd_preun to run some kind of 
ExecUninstall=, or skip spawning subprocesses and teach systemd how to 
modify the user database directly)


More information about the devel mailing list