New Fedora 22 Change proposal: systemd-sysusers

Miloslav Trmač mitr at redhat.com
Wed Jul 9 14:30:27 UTC 2014


----- Original Message -----
> Hi, for Atomic I'd like to investigate the new systemd-sysusers, so I
> wrote up a Change:
> 
> https://fedoraproject.org/wiki/Changes/SystemdSysusers

A move to something more declarative makes sense (whether in systemd or through some kind of long-expected declarative rpm facility doesn’t matter to me much.)

The sysusers tool _really_ needs to use an existing API to manage the user database, though.  As it is, the implementation
* validates names incorrectly
* breaks the configurable [UG]ID_MIN logic (http://fedoraproject.org/wiki/Features/1000SystemAccounts, and yes, that is actually used and needed)
* is likely to break various reader software by not updating the shadow files
* doesn’t do any auditing.
We are currently already in a bad position by having two major implementations of maintaining the critical databases; we absolutely don’t want any more.

At this point this means systemd-sysusers should either run the executables from shadow-utils, or link to libuser.  (Or, I suppose, use accountsservice, but that ends up calling shadow-utils.)

The plan is to have a single implementation, living around sssd.  (Jakub knows more.)  Either of the two API points above is planned to use the sssd implementation, so can be relied on long-term.
    Mirek
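
Added example, not part of the message above and not code from systemd, shadow-utils or libuser: a small audit for two of the listed failure modes, a passwd entry with no matching shadow entry and a system account whose UID lands in the regular-user range configured in login.defs. The function names, the `system_names` parameter and all sample data are constructed for illustration; the fallback values for an unset UID_MIN/UID_MAX are assumptions of this example.

```python
def parse_login_defs(text):
    """Return the numeric settings from login.defs-style text."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].isdigit():
            conf[parts[0]] = int(parts[1])
    return conf

def audit(passwd, shadow, login_defs, system_names):
    """Return (account, problem) pairs found in the given database texts.

    system_names: accounts that packages declared as system users
    (hypothetical input, e.g. collected from the declarative config).
    """
    conf = parse_login_defs(login_defs)
    uid_min = conf.get("UID_MIN", 1000)    # fallback assumed by this example
    uid_max = conf.get("UID_MAX", 60000)   # fallback assumed by this example
    shadowed = {l.split(":", 1)[0] for l in shadow.splitlines() if l.strip()}
    findings = []
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid = line.split(":")[:3]
        # "x" means the hash lives in shadow; readers expect an entry there.
        if pw == "x" and name not in shadowed:
            findings.append((name, "no shadow entry"))
        # A writer that ignores the site's UID_MIN can allocate a system
        # account inside the range reserved for regular users.
        if name in system_names and uid_min <= int(uid) <= uid_max:
            findings.append((name, "system account in regular UID range"))
    return findings

# Constructed sample: a site that set UID_MIN to 500, and a "svc" account
# created by a writer that assumed a fixed boundary and skipped shadow.
LOGIN_DEFS = "UID_MIN 500   # site setting\nUID_MAX 60000\nSYS_UID_MAX 499\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:500:500::/home/alice:/bin/bash\n"
          "svc:x:998:998::/:/sbin/nologin\n")
SHADOW = "root:!:16000:0:99999:7:::\nalice:!:16000:0:99999:7:::\n"

if __name__ == "__main__":
    for name, problem in audit(PASSWD, SHADOW, LOGIN_DEFS, {"svc"}):
        print(f"{name}: {problem}")
```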

