[systemd-devel] [PATCH] sysusers: allow overrides in /etc and /run

"Jóhann B. Guðmundsson" johannbg at gmail.com
Thu Jul 10 11:43:26 PDT 2014


On 07/10/2014 04:47 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Jul 10, 2014 at 02:59:10PM +0000, "Jóhann B. Guðmundsson" wrote:
>> On 07/10/2014 12:51 PM, Zbigniew Jędrzejewski-Szmek wrote:
>>> An administrator might want to block a certain sysusers config file from
>>> being executed, e.g. to block the creation of a certain user.
>>> ---
>>>   src/sysusers/sysusers.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
>>> index 129493a1e7..68c552d24a 100644
>>> --- a/src/sysusers/sysusers.c
>>> +++ b/src/sysusers/sysusers.c
>>> @@ -62,6 +62,8 @@ typedef struct Item {
>>>   static char *arg_root = NULL;
>>>   static const char conf_file_dirs[] =
>>> +        "/etc/sysusers.d\0"
>>> +        "/run/sysusers.d\0"
>>>           "/usr/local/lib/sysusers.d\0"
>>>           "/usr/lib/sysusers.d\0"
>>>   #ifdef HAVE_SPLIT_USR
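Review bot: the override and masking behaviour this patch is meant to provide depends on the order of conf_file_dirs being a precedence order (a file in /etc/sysusers.d shadowing a same-named file in /usr/lib/sysusers.d), but nothing in the hunk or in the commit message states that, nor how a masked file (empty file or a symlink to /dev/null) is treated by the loader; please spell out the precedence in the commit message and update the sysusers.d man page in the same patch, since with /etc and /run listed first an administrator-supplied file can now redefine the attributes of a user that a package ships in /usr/lib.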
>> How does this handle multiple users, and if I as an administrator
>> wanted to block some users from being created, I simply would not
>> have installed the component that created them in the first place, no?
> Let's say that mydatabase.rpm wants to use mydatabaseuser, and creates
> the user using sysusers.d, and has a config file which contains
>    user = mydatabaseuser.
> You as an admin know this, but want to use a different user for
> whatever reason.

We need to know that reason, as in what exactly the problem is that 
administrators are trying to solve by doing that, and whether that problem is not 
already solved with containers or sandboxed applications?

> So you provide the config file, but sysusers will
> still create the user. This is not harmful usually, but can lead
> e.g. to confusion, if you or the other admin later sees that this
> user exists. So you might do 'ln -s /dev/null /etc/sysusers.d/mydatabase.conf',
> to avoid that.

Surely "Sandboxed applications", when designed, was not strictly intended 
for GNOME or limited to GNOME existing on the machine for it to be used, 
meaning surely I should be able to download/install/run the "Sandboxed 
applications postgresql" which I fetched directly from postgresql 
upstream and its community and deploy it on my server.

As I said before, aren't we wasting time solving problems for packaging 
formats that are becoming obsolete if things continue to progress towards a 
sandboxed/containerized future?

I have to ask at this point: is there something that is preventing us from 
introducing a container unit type?

JBG
