[systemd-devel] sysusers and login.defs checks
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Wed Jul 23 09:06:41 PDT 2014
On Wed, Jul 23, 2014 at 05:30:53PM +0200, Kay Sievers wrote:
> On Wed, Jul 23, 2014 at 5:17 PM, Zbigniew Jędrzejewski-Szmek
> <zbyszek at in.waw.pl> wrote:
> > On Wed, Jul 23, 2014 at 04:55:59PM +0200, Kay Sievers wrote:
> >> On Wed, Jul 23, 2014 at 4:28 PM, Zbigniew Jędrzejewski-Szmek
> >> <zbyszek at in.waw.pl> wrote:
> >>
> >> > Anyway, I think that /etc/login.defs support is made out to be something
> >> > much more complicated than it really is. IMHO we should:
> >> >
> >> > - read /etc/login.defs and fall back to the compiled in value
> >> > - use whatever result we get in coredump, journald, and sysusers
> >> >
> >> > It's not like the implementation would be hard, intrusive, or slow. It'd be
> >> > probably +3 lines in one or two places.
> >>
> >> It is not about the effort *how* to do it, it is *why*. And I still
> >> don't think we should have dynamic configuration options for this, it
> >> is all just a huge mess that needs to be limited to the bare minimum,
> >> it is just too broken as a concept to be supported that way.
> >>
> >> > If we come up with additional heuristics or rules to determine human
> >> > accounts, we can safely add them in a backwards compatible way.
> >>
> >> We cannot do any normal user queries from journald, so none of the
> >> metadata like the primary group is easily for a user is available.
> > I know.
> >
> >> Sysusers is, and probably always will be, limited to the classic
> >> passwd, group file. Maybe we can just read the files ourselves and
> >> find out that a certain uid is a normal user? Like:
> >> - uid >= "1000" --> normal user
> >> - lookup uid in passwd
> >> - user not found --> normal user
> >> - user < 1000 && group == "users" --> normal user
> >> - everything else would be a system user
> > But please add to this (at the top)
> > - parse SYS_GID_MIN and SYS_GID_MAX from /etc/login.defs and if
> > found and users falls within --> system user
> >
> > This is safe as soon as /etc is accessible and provides backwards
> > compatibillity.
>
> Well, the point is to make the rules in this broken model simpler, not
> more complicated as they already are. :)
>
> If we would read login.defs, we should probably not do any magic
> heuristics. And at the moment, I still think we should ignore
> login.defs.
If we find it, then certainly, it should override other considerations.
> > Also, I'd modify
> > - user < 1000 && group == "users" --> normal user
> > to
> > - group == "users" --> normal user
> > not to make things too complicated.
> >
> > I see another angry chicken and broken egg problem now:
> > - We want to get rid of /etc/login.defs, *but*
> > - we read /etc/login.defs at compilation time.
> > This means that we probably should stop looking at that file during
> > compilation time and stick to an internal default, possibly allowing
> > overriding with ./configure switch.
>
> Maybe, yes. It was just to init the build sys with the current distro defaults.
Right, but it makes login.defs even more entrenched.
Zbyszek
More information about the systemd-devel
mailing list