[systemd-devel] sysusers and login.defs checks

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Jul 23 08:17:23 PDT 2014


On Wed, Jul 23, 2014 at 04:55:59PM +0200, Kay Sievers wrote:
> On Wed, Jul 23, 2014 at 4:28 PM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> 
> > Anyway, I think that /etc/login.defs support is made out to be something
> > much more complicated than it really is. IMHO we should:
> >
> > - read /etc/login.defs and fall back to the compiled in value
> > - use whatever result we get in coredump, journald, and sysusers
> >
> > It's not like the implementation would be hard, intrusive, or slow. It'd be
> > probably +3 lines in one or two places.
> 
> It is not about the effort *how* to do it, it is *why*. And I still
> don't think we should have dynamic configuration options for this, it
> is all just a huge mess that needs to be limited to the bare minimum,
> it is just too broken as a concept to be supported that way.
> 
> > If we come up with additional heuristics or rules to determine human
> > accounts, we can safely add them in a backwards compatible way.
> 
> We cannot do any normal user queries from journald, so none of the
> metadata like the primary group is easily for a user is available.
I know.

> Sysusers is, and probably always will be, limited to the classic
> passwd, group file. Maybe we can just read the files ourselves and
> find out that a certain uid is a normal user? Like:
>   - uid >= "1000" --> normal user
>   - lookup uid in passwd
>   - user not found --> normal user
>   - user < 1000 && group == "users" --> normal user
>   - everything else would be a system user
But please add to this (at the top)
    - parse SYS_GID_MIN and SYS_GID_MAX from /etc/login.defs and if
      found and users falls within --> system user

This is safe as soon as /etc is accessible and provides backwards
compatibillity.

Also, I'd modify 
    - user < 1000 && group == "users" --> normal user
to
    - group == "users" --> normal user
not to make things too complicated.

I see another angry chicken and broken egg problem now:
- We want to get rid of /etc/login.defs, *but*
- we read /etc/login.defs at compilation time.
This means that we probably should stop looking at that file during
compilation time and stick to an internal default, possibly allowing
overriding with ./configure switch.

Zbyszek


More information about the systemd-devel mailing list