New Fedora 22 Change proposal: systemd-sysusers
Scott Schmit
i.grok at comcast.net
Sat Jul 19 18:21:42 UTC 2014
On Thu, Jul 10, 2014 at 08:17:07AM +0300, Oron Peled wrote:
> On Thursday 10 July 2014 01:49:41 Lennart Poettering wrote:
> > Please understand that we are not duplicating "adduser" here. Already in
> > the name of the tool we wanted to make clear that this is about system
> > users, nothing else. The file format we defined has been reduced to the
> > minimum possible, in order to make it difficult for people to use it for
> > anything else than this.
>
> There are cases where a home directory of system users carries some semantics.
>
> Two examples from the top of my head:
> * Some tftpd implementations use it as the base path (and chroot into it)
> * Some anonymous ftpd implementations have similar use (chroot into ~ftp)

Another interesting use case is gitolite: it's a system user that needs:
- a shell (/bin/sh in Fedora) -- otherwise sshd won't allow login
  (/sbin/nologin) or login fails (/sbin/login)
- a home directory (/var/lib/gitolite in Fedora) -- so sshd can use
  ~/.ssh/authorized_keys to work out who's allowed to use the service &
  what they're allowed to do

sshd prevents users from ever getting the default shell due to the
configuration of authorized_keys. However, it doesn't need/want a
password allowing standard login (though the admin will do "su -
gitolite" from root for initial setup or version migration).

See http://gitolite.com/gitolite/how.html for more details on how
gitolite's ssh authentication works.

--
Scott Schmit
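
An added example, not part of the original message or of gitolite: a small audit of a service account's authorized_keys that flags any key able to reach the account's real shell, which is the property the message above relies on. It assumes each entry should carry a forced `command=` plus the no-pty and no-forwarding options (or `restrict`); the path `/path/to/gitolite-shell`, the user names and the key blobs are constructed placeholders.

```python
import re

# Key-type prefixes that mark a line with no leading options field.
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")
REQUIRED = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def split_options(line):
    """Parse the leading options field of one authorized_keys line into a dict."""
    if KEY_TYPE.match(line):
        return {}
    opts, buf, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_q and line[i:i + 2] == '\\"':      # escaped quote inside a value
            buf += '\\"'; i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c == "," and not in_q:              # option separator
            opts.append(buf); buf = ""; i += 1
            continue
        elif c in " \t" and not in_q:            # end of options field
            break
        buf += c
        i += 1
    opts.append(buf)
    # Option names are case-insensitive, so normalise them to lower case.
    return {name.lower(): val.strip('"') for name, _, val in (o.partition("=") for o in opts)}

def audit(text):
    """Return (line number, problem) pairs for keys that are not locked down."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = split_options(line)
        if not opts.get("command"):
            findings.append((n, "no forced command"))
        # "restrict" turns off pty allocation and all forwarding in one option.
        missing = set() if "restrict" in opts else REQUIRED - opts.keys()
        if missing:
            findings.append((n, "missing " + ",".join(sorted(missing))))
    return findings

SAMPLE = """\
# constructed sample: placeholder path, users and key material
command="/path/to/gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAconstructed1 alice
command="/path/to/gitolite-shell bob",no-port-forwarding ssh-ed25519 AAAAconstructed2 bob
ssh-ed25519 AAAAconstructed3 admin@laptop
restrict,command="/path/to/gitolite-shell carol" ssh-rsa AAAAconstructed4 carol
"""

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```

The audit does not catch options such as `pty` that re-enable a feature after `restrict`, so treat a clean result as a first pass only.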