New Fedora 22 Change proposal: systemd-sysusers

William william at firstyear.id.au
Thu Jul 10 23:35:29 UTC 2014


Thank you both for your response. It's appreciated. 

> > 
> > * Files in systemd's sysusers configuration directory will be used as a
> > data source to create /etc/passwd and /etc/shadow.
> 
> Also, /etc/group and /etc/gshadow.
> 
> > Under what conditions are these two files created / touched? 
> 
> Three triggers:
> 
> 1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
>    which I hope can be made the default in Fedora for all packages
>    needing system users.
> 
> 2. At boot on systems which are set up in a "golden master" scheme,
>    where a single /usr is used for a number of instances which each have
>    their own /etc and /var. Similar, on "stateless" systems which boot
>    up with tmpfs on /etc and /var, and hence start from scratch every
>    single time. Note though that Fedora is not set up for this fully yet
>    (though it actually works pretty good already, with the two
>    exceptions in the basic OS being PAM and dbus-1, which react quite
>    allergic to an unpopulated /etc).
> 
> 3. Similar to 2, but people who instantiate new systems from the same
>    /usr in an "offline" scheme, where they don't delay user creation to
>    the next reboot.
> 
> Note however, that sysusers will only do something if any of the
> specified users is actually missing. We are very careful in not touching
> the file system if all users already exist. Also, if the disk is
> read-only sysusers is automatically skipped at boot.
> 
> At a later time I will propose fixing Fedora to make the "stateless" +
> "golden master" schemes just work. But I am not ready to discuss this in
> full now.
> 
> > When I install a package and add a file to this sysuser directory, is
> > only that user added to passwd and shadow? 
> 
> For each user you create with sysusers a matching group will be created
> too, should it be missing. 
> 
> > Is there a way to disable or remove a system user from being added
> > to /etc/shadow? 
> 
> No. What's the use case? Does this currently exist for the RPM scriptlet
> case?

ATM there is no use case, but there will surely be one person who will
cry out if this is unavailable. I would rather have it clearly stated on
a wiki / FAQ, so that when someone in the future asks for this, there is
a clear answer stated. I'm a fan of documenting and covering these edge
cases is all :)

> 
> > Are changes to shadow/passwd made by a user respected / preserved (IE to
> > a user account)? 
> 
> Yes. Always. sysusers will never touch existing users, it will only add
> in missing ones, with secure defaults (i.e. as disabled accounts, with
> no login possible). For example, if you assign a shell or a password to
> one of those system users, then that's totally OK, sysusers will stay
> away from that, never reset it, never touch it.
> 
> > What happens if a human edits the system account generated by systemd,
> > do the changes get lost?
> 
> Nope, what the admin changes will take effect. The only thing that might
> happen is that if you delete a user it might be recreated the next time
> sysusers runs.
> 

Thanks for all your answers. Do you mind adding them to a section on
https://fedoraproject.org/wiki/Changes/SystemdSysusers so that others
can benefit from them?
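The merge semantics discussed in this exchange (only missing users are added, each new user gets a matching group, new accounts are created locked with no login, existing entries are never rewritten, and a deleted user reappears on the next run) as an added Python model; this is not systemd's own code. The sysusers.d line layout it parses, the nologin shell and the dynamic-id range are assumptions made for the example.

```python
import shlex

NOLOGIN = "/usr/sbin/nologin"  # assumed shell for new system users
LOCKED = "!*"                  # shadow password field: no login possible

def parse_sysusers(text):
    """Yield (type, name, id, gecos, home, shell) from sysusers.d-style lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = shlex.split(line)  # keeps a quoted GECOS as one field
            yield tuple((fields + ["-"] * 6)[:6])

def apply_sysusers(db, text, first_free=999):
    """Merge entries into db = {"passwd": {}, "shadow": {}, "group": {}}:
    add only missing users/groups, give each new user a matching group,
    lock every new account, never rewrite an existing line. Returns the
    entries actually created (empty when the run was a no-op)."""
    created = []
    free = list(range(first_free - 99, first_free + 1))  # dynamic ids, high first

    def alloc(ident):
        return ident if ident != "-" else str(free.pop())

    def ensure_group(name, ident):
        if name in db["group"]:  # existing group: left untouched
            return db["group"][name].split(":")[2]
        gid = alloc(ident)
        db["group"][name] = f"{name}:x:{gid}:"
        created.append(f"group:{name}")
        return gid

    for kind, name, ident, gecos, home, shell in parse_sysusers(text):
        if kind == "g":
            ensure_group(name, ident)
        elif kind == "u" and name not in db["passwd"]:  # only missing users
            uid = alloc(ident)
            gid = ensure_group(name, uid)  # same-named group with the same id
            gecos = "" if gecos == "-" else gecos
            home = "/" if home == "-" else home
            shell = NOLOGIN if shell == "-" else shell
            db["passwd"][name] = f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"
            db["shadow"][name] = f"{name}:{LOCKED}:::::::"  # disabled login
            created.append(f"user:{name}")
    return created

# Constructed sample (not from the thread): fixed UID, dynamic UID, plain group.
SAMPLE_CONF = ('u httpd 48 "Apache HTTP Server" /usr/share/httpd\n'
               'u sshd - "Privilege-separated SSH" /var/empty/sshd\ng wheel 10\n')
```

Running `apply_sysusers` twice on the same database returns an empty list the second time, and an admin-assigned shell or password on an existing entry survives every run.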
