[systemd-devel] Best Practices with homectl ↔ passwd/groups/shadow ?

Divine Eguzouwa divine.eguzouwa at gmail.com
Mon Jul 29 14:40:26 UTC 2024


Is it wise to use only `homectl` to manage human users *without* reciprocal
entries in /etc/passwd, /etc/group, or /etc/shadow?

$ systemd-analyze security wireplumber --user

| NAME                  | Description    | Exposure    |
| ----------------------| -------------- | ----------- |
| ❌ User=/DynamicUser= | Service runs.. | 0.4         |

→ Overall exposure level for wireplumber.service...


$ systemctl edit wireplumber.service --user
### Editing /home/me/.config/systemd/user/wireplumber.service.d/override.conf
### Anything between here and the comment below will become the contents of the...

[Service]
User=%u
Group=%g

### Edits below this comment will be discarded
...

$ systemctl daemon-reload --user

$ systemctl restart wireplumber.service --user
$ journalctl -r --unit=wireplumber --user
systemd[851]: Failed to start Multimedia Service Session Manager.
systemd[851]: wireplumber.service: Failed with result 'exit-code'.
systemd[851]: wireplumber.service: Start request repeated too quickly.
systemd[851]: wireplumber.service: Scheduled restart job, restart counter is at 5.
systemd[851]: wireplumber.service: Failed with result 'exit-code'.
systemd[851]: wireplumber.service: Main process exited, code=exited, status=216/GROUP
(eplumber)[11087]: wireplumber.service: Failed at step GROUP spawning /usr/bin/wireplumber: Operation not permitted
*(eplumber)[11087]: wireplumber.service: Failed to determine supplementary groups: Operation not permitted*
systemd[851]: Started Multimedia Service Session Manager.



homectl should already know of this user's supplementary groups, unless
homectl is searching for them in `/etc/groups` instead?

--D