[systemd-devel] sysusers and login.defs checks

Kay Sievers kay at vrfy.org
Wed Jul 23 08:30:53 PDT 2014 

On Wed, Jul 23, 2014 at 5:17 PM, Zbigniew Jędrzejewski-Szmek
<zbyszek at in.waw.pl> wrote:
> On Wed, Jul 23, 2014 at 04:55:59PM +0200, Kay Sievers wrote:
>> On Wed, Jul 23, 2014 at 4:28 PM, Zbigniew Jędrzejewski-Szmek
>> <zbyszek at in.waw.pl> wrote:
>>
>> > Anyway, I think that /etc/login.defs support is made out to be something
>> > much more complicated than it really is. IMHO we should:
>> >
>> > - read /etc/login.defs and fall back to the compiled in value
>> > - use whatever result we get in coredump, journald, and sysusers
>> >
>> > It's not like the implementation would be hard, intrusive, or slow. It'd be
>> > probably +3 lines in one or two places.
>>
>> It is not about the effort *how* to do it, it is *why*. And I still
>> don't think we should have dynamic configuration options for this, it
>> is all just a huge mess that needs to be limited to the bare minimum,
>> it is just too broken as a concept to be supported that way.
>>
>> > If we come up with additional heuristics or rules to determine human
>> > accounts, we can safely add them in a backwards compatible way.
>>
>> We cannot do any normal user queries from journald, so none of the
>> metadata like the primary group is easily for a user is available.
> I know.
>
>> Sysusers is, and probably always will be, limited to the classic
>> passwd, group file. Maybe we can just read the files ourselves and
>> find out that a certain uid is a normal user? Like:
>>   - uid >= "1000" --> normal user
>>   - lookup uid in passwd
>>   - user not found --> normal user
>>   - user < 1000 && group == "users" --> normal user
>>   - everything else would be a system user
> But please add to this (at the top)
>     - parse SYS_GID_MIN and SYS_GID_MAX from /etc/login.defs and if
>       found and users falls within --> system user
>
> This is safe as soon as /etc is accessible and provides backwards
> compatibillity.

Well, the point is to make the rules in this broken model simpler, not
more complicated as they already are. :)

If we would read login.defs, we should probably not do any magic
heuristics. And at the moment, I still think we should ignore
login.defs.

> Also, I'd modify
>     - user < 1000 && group == "users" --> normal user
> to
>     - group == "users" --> normal user
> not to make things too complicated.
>
> I see another angry chicken and broken egg problem now:
> - We want to get rid of /etc/login.defs, *but*
> - we read /etc/login.defs at compilation time.
> This means that we probably should stop looking at that file during
> compilation time and stick to an internal default, possibly allowing
> overriding with ./configure switch.

Maybe, yes. It was just to init the build sys with the current distro defaults.

Kay

More information about the systemd-devel mailing list