New Fedora 22 Change proposal: systemd-sysusers

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Jul 11 03:04:12 UTC 2014


On Fri, Jul 11, 2014 at 09:05:29AM +0930, William wrote:
> 
> Thank you both for your response. It's appreciated. 
> 
> > > 
> > > * Files in systemd's sysusers configuration directory will be used as a
> > > data source to create /etc/passwd and /etc/shadow.
> > 
> > Also, /etc/group and /etc/gshadow.
> > 
> > > Under what conditions are these two files created / touched? 
> > 
> > Three triggers:
> > 
> > 1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
> >    which I hope can be made the default in Fedora for all packages
> >    needing system users.
> > 
> > 2. At boot on systems which are set up in a "golden master" scheme,
> >    where a single /usr is used for a number of instances which each have
> >    their own /etc and /var. Similarly, on "stateless" systems which boot
> >    up with tmpfs on /etc and /var, and hence start from scratch every
> >    single time. Note though that Fedora is not set up for this fully yet
> >    (though it actually works pretty good already, with the two
> >    exceptions in the basic OS being PAM and dbus-1, which react quite
> >    allergic to an unpopulated /etc).
> > 
> > 3. Similar to 2, but people who instantiate new systems from the same
> >    /usr in an "offline" scheme, where they don't delay user creation to
> >    the next reboot.
> > 
> > Note however, that sysusers will only do something if any of the
> > specified users is actually missing. We are very careful in not touching
> > the file system if all users already exist. Also, if the disk is
> > read-only sysusers is automatically skipped at boot.
> > 
> > At a later time I will propose fixing Fedora to make the "stateless" +
> > "golden master" schemes just work. But I am not ready to discuss this in
> > full now.
> > 
> > > When I install a package and add a file to this sysuser directory, is
> > > only that user added to passwd and shadow? 
> > 
> > For each user you create with sysusers a matching group will be created
> > too, should it be missing. 
> > 
> > > Is there a way to disable or remove a system user from being added
> > > to /etc/shadow? 
> > 
> > No. What's the usecase? Does this currently exist for the RPM scriptlet
> > case?
> 
> ATM there is no use case, but there will surely be one person who will
> cry out if this is unavailable. I would rather have it clearly stated on
> a wiki / FAQ, so that when someone in the future asks for this, there is
> a clear answer stated. I'm a fan of documenting and covering these edge
> cases is all :)
http://cgit.freedesktop.org/systemd/systemd/commit/?id=938a560b76 adds
the usual semantics of etc-overrides-run-overrides-lib.

> > > Are changes to shadow/passwd made by a user respected / preserved (IE to
> > > a user account)? 
> > 
> > Yes. Always. sysusers will never touch existing users, it will only add
> > in missing ones, with secure defaults (i.e. as disabled accounts, with
> > no login possible). For example, if you assign a shell or a password to
> > one of those system users, then that's totally OK, sysusers will stay
> > away from that, never reset it, never touch it.
> > 
> > > What happens if a human edits the system account generated by systemd,
> > > do the changes get lost?
> > 
> > Nope, what the admin changes will take effect. The only thing that might
> > happen is that if you delete a user it might be recreated the next time
> > sysusers runs.
> > 
> 
> Thanks for all your answers. Do you mind adding them to a section on
> https://fedoraproject.org/wiki/Changes/SystemdSysusers So that others
> can benefit from them?
It is now described in the man page, which is linked from the wiki page.

Zbyszek
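
Added example, not part of the original message and not systemd's own code: a small Python model of the behaviour discussed in this thread, showing how etc-overrides-run-overrides-lib resolution by file name lets an admin suppress a vendor-declared system user, and that only missing users (plus a matching group, if missing) are planned for creation. The file names, users and passwd/group lines are constructed sample data; the simplified parser only handles `u` lines.

```python
# Illustrative model only (assumption: overrides apply per file name, as in
# other systemd *.d directories). It never reads or writes real system files.
PRIORITY = ["/etc/sysusers.d", "/run/sysusers.d", "/usr/lib/sysusers.d"]  # highest first

def effective_files(tree):
    """tree is {directory: {filename: content}}; return the winning file per name."""
    chosen = {}
    for directory in reversed(PRIORITY):      # lowest priority first ...
        chosen.update(tree.get(directory, {}))  # ... so higher ones overwrite
    return chosen

def declared_users(files):
    """Collect user names from 'u NAME ID "GECOS"' lines, in file-name order."""
    users = []
    for name in sorted(files):
        for line in files[name].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(None, 2)
            if fields[0] == "u" and len(fields) >= 2 and fields[1] not in users:
                users.append(fields[1])
    return users

def names_in(db_text):
    """First colon-separated field of each passwd/group style line."""
    return {l.split(":", 1)[0] for l in db_text.splitlines() if l and not l.startswith("#")}

def plan(tree, passwd_text, group_text):
    """Return (users_to_add, groups_to_add); existing entries are never touched."""
    users = declared_users(effective_files(tree))
    have_users, have_groups = names_in(passwd_text), names_in(group_text)
    add_users = [u for u in users if u not in have_users]
    add_groups = [u for u in add_users if u not in have_groups]
    return add_users, add_groups

# Constructed sample: the vendor ships two files; the admin placed an empty
# demo.conf in /etc, which wins by name and therefore declares no users.
SAMPLE_TREE = {
    "/usr/lib/sysusers.d": {"httpd.conf": 'u httpd - "HTTP daemon"\n',
                            "demo.conf": 'u demo - "Demo service"\n'},
    "/etc/sysusers.d": {"demo.conf": ""},
}
# httpd already exists and was customised by the admin (shell, home directory).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nhttpd:x:48:48:tuned:/var/www:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nhttpd:x:48:\n"

if __name__ == "__main__":
    print(plan(SAMPLE_TREE, SAMPLE_PASSWD, SAMPLE_GROUP))
```

With the sample data nothing is planned: `httpd` already exists, so its admin-set shell is left alone, and `demo` is suppressed by the empty override in /etc.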

