New Fedora 22 Change proposal: systemd-sysusers

Scott Schmit i.grok at comcast.net
Sat Jul 19 18:21:42 UTC 2014


On Thu, Jul 10, 2014 at 08:17:07AM +0300, Oron Peled wrote:
> On Thursday 10 July 2014 01:49:41 Lennart Poettering wrote:
> > Please understand that we are not duplicating "adduser" here. Already in
> > the name of the tool we wanted to make clear that this is about system
> > users, nothing else. The file format we defined has been reduced to the
> > minimum possible, in order to make it difficult for people to use it for
> > anything else than this.
> 
> There are cases where a home directory of system users carries some semantics.
> 
> Two examples from the top of my head:
>  * Some tftpd implementations use it as the base path (and chroot into it)
>  * Some anonymous ftpd implementations have similar use (chroot into ~ftp)

Another interesting use case is gitolite: it's a system user that needs:
- a shell (/bin/sh in Fedora) -- otherwise sshd won't allow login
  (/sbin/nologin) or login fails (/sbin/login)
- a home directory (/var/lib/gitolite in Fedora) -- so sshd can use
  ~/.ssh/authorized_keys to work out who's allowed to use the service &
  what they're allowed to do

sshd prevents users from ever getting the default shell due to the
configuration of authorized_keys.  However, it doesn't need/want a
password allowing standard login (though the admin will do "su -
gitolite" from root for initial setup or version migration).

See http://gitolite.com/gitolite/how.html for more details on how
gitolite's ssh authentication works.

-- 
Scott Schmit
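
The arrangement described in the message above (a service account with a real shell and home directory, kept away from that shell by its authorized_keys entries) can be checked mechanically. The following is an added example, not part of the original message or of gitolite: a Python audit that flags keys lacking a forced `command=` option. The sample file, the key blobs and the `/path/to/gitolite-shell` path are constructed placeholders.

```python
import re

# First field of a key line is a key type unless options precede it (sshd(8)).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Options gitolite-style entries pair with command=; "restrict" implies them all.
REQUIRED = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def split_unquoted(text, seps):
    """Split on separator chars that sit outside double quotes (\\" escapes a quote)."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and text[i:i + 2] == '\\"':   # escaped quote inside a value
            cur.append('\\"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts + (["".join(cur)] if cur else [])

def audit(text):
    """Return (line_no, problem) for each key not confined to a forced command."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = split_unquoted(line, " \t")[0]
        opts = [] if KEY_TYPE.match(first) else split_unquoted(first, ",")
        names = {o.split("=", 1)[0].lower() for o in opts}
        if "command" not in names:
            findings.append((n, "no forced command: key gets the account's login shell"))
        elif "restrict" not in names and REQUIRED - names:
            findings.append((n, "missing " + ",".join(sorted(REQUIRED - names))))
    return findings

# Constructed sample: key blobs and the gitolite-shell path are placeholders.
SAMPLE = '''\
command="/path/to/gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER1 alice
command="/path/to/gitolite-shell bob, \\"admin\\"",no-pty ssh-rsa AAAAPLACEHOLDER2 bob
ssh-ed25519 AAAAPLACEHOLDER3 carol
'''

if __name__ == "__main__":
    for line_no, problem in audit(SAMPLE):
        print(f"line {line_no}: {problem}")
```

To audit a real account, pass the contents of its `~/.ssh/authorized_keys` to `audit()`; an empty result means every key is bound to a forced command with forwarding and PTY allocation disabled.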