[systemd-devel] [PATCH] sysusers: allow overrides in /etc and /run
"Jóhann B. Guðmundsson"
johannbg at gmail.com
Thu Jul 10 11:43:26 PDT 2014
On 07/10/2014 04:47 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jul 10, 2014 at 02:59:10PM +0000, "Jóhann B. Guðmundsson" wrote:
>> On 07/10/2014 12:51 PM, Zbigniew Jędrzejewski-Szmek wrote:
>>> An administrator might want to block a certain sysusers config file from
>>> being executed, e.g. to block the creation of a certain user.
>>> ---
>>> src/sysusers/sysusers.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
>>> index 129493a1e7..68c552d24a 100644
>>> --- a/src/sysusers/sysusers.c
>>> +++ b/src/sysusers/sysusers.c
>>> @@ -62,6 +62,8 @@ typedef struct Item {
>>> static char *arg_root = NULL;
>>> static const char conf_file_dirs[] =
>>> + "/etc/sysusers.d\0"
>>> + "/run/sysusers.d\0"
>>> "/usr/local/lib/sysusers.d\0"
>>> "/usr/lib/sysusers.d\0"
>>> #ifdef HAVE_SPLIT_USR
>> How does this handle multiple users and if I as an administrator I
>> wanted to block some users from being created I simply would not
>> have installed the component that created him in the first place no?
> Let's say that mydatabase.rpm wants to use mydatabaseuser, and creates
> the user using sysusers.d, and has a config file which contains
> user = mydatabaseuser.
> You as an admin know this, but want to use a different user for
> whatever reason.
We need to know that reason as in what exactly is the problem
administrators is trying to solve by doing that and is that problem not
already solved with containers or sandboxed application?
> So you provide the config file, but sysusers will
> still create the user. This is not harmful usually, but can lead
> e.g. to confusion, if you or the other admin later sees that this
> user exists. So you might do 'ln -s /dev/null /etc/sysusers.d/mydatabase.conf',
> to avoid that.
Surely "Sandboxed applications" when designed was not strictly intended
for GNOME or limited to Gnome existing on the machine for it to be used
mean surely I should be able to download/install/run the "Sandboxed
applications postgresql" which I fetched directly from postgresql
upstream and it's community and deploy it on my server
As I said before aren't we wasting time solving problems for packaging
formats that are becoming obsolete if things continue to progress in
sandboxed/containerized future?
I have to ask at this point is there something that is preventing us to
introduce type container unit?
JBG
More information about the systemd-devel
mailing list