[systemd-devel] sysusers and login.defs checks

Lennart Poettering lennart at poettering.net
Mon Jul 21 06:43:13 PDT 2014


On Sun, 20.07.14 22:31, Colin Guthrie (gmane at colin.guthr.ie) wrote:

> Hi,
> 
> We're still using 500 as our [UG]ID_MIN in /etc/login.defs, but I'm
> looking to change that to be more in line with what everyone else seems
> to do.
> 
> One thing I found while looking at the sysusers code was that the only
> values read from /etc/login.defs were SYSTEM_[UG]ID_MAX and they were
> only read a compile (or rather configure) time, not at runtime.

Yeah, that's an intended design decision.

> While I appreciate sysusers is intended primarily for bootstrapping
> /etc, I guess the general consensus is to move package pre/post scripts
> over to use sysusers instead anyway. Thus the tool should really check
> /etc/login.defs at runtime if it's present before falling back to its
> defaults. Those defaults could be set from a compile time check of
> login.defs too.

I am pretty strongly against this. Making this administrator
configurable appears very wrong, this really should be a decision for
the distribution vendor, and that's it.  We shouldn't design a system
that comes to completely different results if you boot it up with and
without /etc populated...

Also, the specific configuration file contains more configuration
options that are obsolete, than configuration options that aren't. From
chfn settings, to pam_console support, to the ability to override the
timezone or erase characters. Yuck!

I am fully aware that many distributions are transitioning from 500
system users to 1000 system users, but I also don't see how this
transition would be made any easier by keeping a user configuration file
around for this. I mean, ultimately you will still have the problem that
in the range 500-999 you might end up with both users interleaved with
each other... The best thing to do in this case is live with it, and
make sure we never bind strictly security-relevant decisions to the
boundary, but only use it as a hint...

> So, I propose the following:
> 
> 1. Modify configure to check /etc/login.defs for SYSTEM_[UG]ID_MAX but
> fall back to [UG]ID_MIN-1 if not found.
> 2. Modify sysusers.c to do the same check at runtime
> 
> If I cook up a patch will that be accepted?

I am totally not convinced that this would be a good idea, sorry.

Lennart

-- 
Lennart Poettering, Red Hat
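The login.defs lookup Colin proposes (explicit SYSTEM_[UG]ID_MAX, else [UG]ID_MIN-1, else a built-in default) and the 500-999 interleaving Lennart describes, as an added example that is not part of this thread or of systemd's sysusers code. The login.defs and passwd contents are constructed, and the lookup accepts both the SYSTEM_ spelling used in the mail and shadow's SYS_ spelling as an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample of /etc/login.defs, not taken from any real system.
SAMPLE_LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN              1000
UID_MAX             60000
SYS_UID_MIN           201   # shadow's spelling of the system range keys
SYS_UID_MAX           999
GID_MIN              1000
"""

# Constructed sample of /etc/passwd with both kinds of account in 500-999.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
messagebus:x:81:81:System Message Bus:/:/usr/bin/nologin
legacyuser:x:500:500:Human account created under UID_MIN=500:/home/legacyuser:/bin/bash
oldsvc:x:650:650:Service account created under UID_MIN=1000:/:/usr/bin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return KEY -> VALUE for login.defs lines; '#' starts a comment."""
    defs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def system_id_max(defs: Dict[str, str], kind: str = "UID", default: int = 999) -> int:
    """Highest system ID: explicit SYSTEM_/SYS_ key, else <kind>_MIN - 1, else default."""
    for key in (f"SYSTEM_{kind}_MAX", f"SYS_{kind}_MAX"):  # both spellings assumed
        if key in defs:
            return int(defs[key])
    if f"{kind}_MIN" in defs:
        return int(defs[f"{kind}_MIN"]) - 1
    return default


def interleaved_accounts(passwd: str, old_max: int = 499, new_max: int = 999) -> List[Tuple[str, int]]:
    """Accounts whose UID lies in (old_max, new_max]: a system/human split by UID
    alone cannot tell these apart, which is why the boundary can only be a hint."""
    found: List[Tuple[str, int]] = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and old_max < int(fields[2]) <= new_max:
            found.append((fields[0], int(fields[2])))
    return found
```

Running interleaved_accounts on a real passwd after a 500-to-1000 move lists exactly the accounts that a UID-only check would misclassify in one direction or the other.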
