[systemd-devel] Using sysusers to setup a new system
Lennart Poettering
lennart at poettering.net
Tue Dec 26 11:41:58 UTC 2017
On Sa, 23.12.17 00:33, Sébastien Luttringer (seblu at seblu.net) wrote:
> The first issue[1] is to be able to define the root user shell.
> Currently, sysusers.d/basic.conf provides a nologin shell, which prevent root
> to login and execute commands (even via sudo). We cannot override the
> sysusers.d/basic.conf with a crafted version because systemd-sysusers doesn't
> support a shell definition in its format.
> As a consequence, I added back root to passwd/group/shadow/gshadow[4].
> So, what's the strategy about this? Should root user be an exception and be
> defined somewhere else than others users because it requires a valid
> shell?
Hmm, so sysusers.d as the name suggests is intended for system users,
i.e. the users daemon run as which usually have /usr/bin/nologin as
shell. The "root" user is a bit weird in that regard as it kinda is
both a user humans log into, and a user that daemons run as. Right now
we don't really support the part about "human users logging in" in
sysusers.d and I am not sure if we should, but maybe it would be OK to
have a new "p" stanza or so, that allows setting the root
password. But then again, it's a bit strange having the root pw stored
at some place literally...
Note that "systemd-firstboot" is supposed to be a tool for
provisioning an OS image with basic settings before first boot,
including with a root pw. Maybe just using that would be preferable?
> The second issue[2] is about the lp group defined in sysusers.d/basic.conf.
> Because the cups Arch package set rights on files based on the lp group it
> needs a static gid (pacman requirement). lp defined in sysusers.d/basic.conf is
> without gid[5], so what's the best way to override it?
Hmm, you should be able to simply drop-in a second file with a more
strict definition. sysusers.d should probably merge entries like this,
and not complain unless things are directly contradicting. If it does
complain about it we should probably fix that. In that case, please
file a bug.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list