[systemd-devel] sysusers and login.defs checks

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Jul 23 09:06:41 PDT 2014


On Wed, Jul 23, 2014 at 05:30:53PM +0200, Kay Sievers wrote:
> On Wed, Jul 23, 2014 at 5:17 PM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> > On Wed, Jul 23, 2014 at 04:55:59PM +0200, Kay Sievers wrote:
> >> On Wed, Jul 23, 2014 at 4:28 PM, Zbigniew Jędrzejewski-Szmek
> >> <zbyszek at in.waw.pl> wrote:
> >>
> >> > Anyway, I think that /etc/login.defs support is made out to be something
> >> > much more complicated than it really is. IMHO we should:
> >> >
> >> > - read /etc/login.defs and fall back to the compiled in value
> >> > - use whatever result we get in coredump, journald, and sysusers
> >> >
> >> > It's not like the implementation would be hard, intrusive, or slow. It'd be
> >> > probably +3 lines in one or two places.
> >>
> >> It is not about the effort *how* to do it, it is *why*. And I still
> >> don't think we should have dynamic configuration options for this, it
> >> is all just a huge mess that needs to be limited to the bare minimum,
> >> it is just too broken as a concept to be supported that way.
> >>
> >> > If we come up with additional heuristics or rules to determine human
> >> > accounts, we can safely add them in a backwards compatible way.
> >>
> >> We cannot do any normal user queries from journald, so none of the
> >> metadata for a user, like the primary group, is easily available.
> > I know.
> >
> >> Sysusers is, and probably always will be, limited to the classic
> >> passwd, group file. Maybe we can just read the files ourselves and
> >> find out that a certain uid is a normal user? Like:
> >>   - uid >= "1000" --> normal user
> >>   - lookup uid in passwd
> >>   - user not found --> normal user
> >>   - user < 1000 && group == "users" --> normal user
> >>   - everything else would be a system user
> > But please add to this (at the top)
> >     - parse SYS_GID_MIN and SYS_GID_MAX from /etc/login.defs and if
> >       found and users falls within --> system user
> >
> > This is safe as soon as /etc is accessible and provides backwards
> > compatibility.
> 
> Well, the point is to make the rules in this broken model simpler, not
> more complicated than they already are. :)
> 
> If we would read login.defs, we should probably not do any magic
> heuristics. And at the moment, I still think we should ignore
> login.defs.
If we find it, then certainly, it should override other considerations.

> > Also, I'd modify
> >     - user < 1000 && group == "users" --> normal user
> > to
> >     - group == "users" --> normal user
> > not to make things too complicated.
> >
> > I see another angry chicken and broken egg problem now:
> > - We want to get rid of /etc/login.defs, *but*
> > - we read /etc/login.defs at compilation time.
> > This means that we probably should stop looking at that file during
> > compilation time and stick to an internal default, possibly allowing
> > overriding with ./configure switch.
> 
> Maybe, yes. It was just to init the build sys with the current distro defaults.
Right, but it makes login.defs even more entrenched.

Zbyszek

