[systemd-devel] Using sysusers to setup a new system

Jérémy Rosen jeremy.rosen at smile.fr
Tue Dec 26 10:45:12 UTC 2017 

Hello Sébastian

On 23/12/2017 00:33, Sébastien Luttringer wrote:
> Hello,
>
> On the way to rely on /systemd-sysusers/ to create *all* users in a 
> fresh Arch Linux installation, I'm stuck with two issues[1][2].
> The key idea was to rely on /systemd-users/ to create them all and 
> start with empty passwd/group/shadow/gshadow files[3].
> So, we moved all base user definitions in a /sysusers.d/arch.conf/ 
> file; or better into the package which require them.
>
> The first issue[1] is to be able to define the root user shell. 
> Currently, /sysusers.d///basic.conf/ provides a nologin shell, which 
> prevent root to login and execute commands (even via sudo). We cannot 
> override the /sysusers.d///basic.conf/ with a crafted version because 
> /systemd-sysusers/ doesn't support a shell definition in its format.
> As a consequence, I added back root to passwd/group/shadow/gshadow[4].
> So, what's the strategy about this? Should root user be an exception 
> and be defined somewhere else than others users because it requires a 
> valid shell?
>
sysusers is meant to create only system users, not human users... as 
such, it doesn't allow you to set the shell, because system users should 
never have a shell. Human users are usually created via some distro tool 
at install time (adduser & co)

that's for the philosophical explanation of why you are doing something 
that is not meant to be done... now let's be a bit more practical...

root is a very special user in many ways, and one of them is that it is 
both a human and a system user... As such I would tend to think that the 
proper way to deal with it is to either hardcode it in passwd/group or 
to create it at install time.

Not really what you wanted to hear, I know, but root is really special, 
and will need special-casing whatever solution you take...

> The second issue[2] is about the lp group defined in 
> /sysusers.d///basic.conf/. Because the /cups/ Arch package set rights 
> on files based on the lp group it needs a static gid (pacman 
> requirement). lp defined in /sysusers.d///basic.conf/ is without 
> gid[5], so what's the best way to override it?
>

hmm, tricky... I see a couple of answers

1) open a RFE on github asking that the lp group be defined in a 
base-lp.conf file, so it can be separately overriden (ideally with a patch)
2) just override the systemd-provided basic.conf with arch's version. 
You are the distro maintainer, so it's ok to do that.
3) if you don't want to just replace basic.conf, you can create an 
archbasic.conf file that would override just the lp group (in case of 
double definition the lexicographycally first entry wins, and arch 
starts with an a )
     That will cause warnings, but that might be ok, depending on what 
your exact constraints are..

Cheers
Jeremy


> Cheers,
>
> Sébastien "Seblu" Luttringer
>
> [1] https://bugs.archlinux.org/task/56017
> [2] https://bugs.archlinux.org/task/56818
> [3] https://bugs.archlinux.org/task/45196
> [4] I love it when a plan comes together ©
> [5] https://bugs.archlinux.org/task/55793
>
>
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- 
SMILE <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine

	
*Jérémy ROSEN*
Architecte technique
Responsable de l'expertise Smile-ECS

email jeremy.rosen at smile.fr <mailto:jeremy.rosen at smile.fr>
phone +33141402967
url http://www.smile.eu

Twitter <https://twitter.com/GroupeSmile> Facebook 
<https://www.facebook.com/smileopensource> LinkedIn 
<https://www.linkedin.com/company/smile> Github 
<https://github.com/Smile-SA>


Découvrez l’univers Smile, rendez-vous sur smile.eu 
<http://smile.eu/?utm_source=signature&utm_medium=email&utm_campaign=signature>

eco Pour la planète, n'imprimez ce mail que si c'est nécessaire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20171226/a2f84485/attachment.html>

More information about the systemd-devel mailing list