On Thu, 10.07.14 17:16, William (william@xxxxxxxxxxxxxxx) wrote:

> On Thu, 2014-07-10 at 08:17 +0300, Oron Peled wrote:
> > A non-API related question...
> >
> > Generally, I prefer the explicit systemd settings over home directory
> > with "magical" effects, but I wonder if anyone is aware of existing
> > system users which carry more complex semantics.
>
> Perhaps look at the amanda backup system? That uses the home directory
> location quite deeply in its setup ....
>
> Additionally, this doesn't seem to be hugely clear on some of the effects
> of what you want to achieve. Perhaps the answers to these questions can
> be put on the wiki to clear up some initial concerns I have as a
> sysadmin.
>
> * Files in systemd's sysusers configuration directory will be used as a
> data source to create /etc/passwd and /etc/shadow.

Also, /etc/group and /etc/gshadow.

> Under what conditions are these two files created / touched?

Three triggers:

1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet, which I hope can be made the default in Fedora for all packages needing system users.

2. At boot on systems which are set up in a "golden master" scheme, where a single /usr is used for a number of instances which each have their own /etc and /var. Similarly, on "stateless" systems which boot up with tmpfs on /etc and /var, and hence start from scratch every single time. Note though that Fedora is not set up for this fully yet (though it actually works pretty well already, with the two exceptions in the basic OS being PAM and dbus-1, which react quite allergically to an unpopulated /etc).

3. Similar to 2, but people who instantiate new systems from the same /usr in an "offline" scheme, where they don't delay user creation to the next reboot.

Note however, that sysusers will only do something if any of the specified users is actually missing. We are very careful in not touching the file system if all users already exist.

Also, if the disk is read-only sysusers is automatically skipped at boot.

At a later time I will propose fixing Fedora to make the "stateless" + "golden master" schemes just work. But I am not ready to discuss this in full now.

> When I install a package and add a file to this sysuser directory, is
> only that user added to passwd and shadow?

For each user you create with sysusers a matching group will be created too, should it be missing.

> Is there a way to disable or remove a system user from being added
> to /etc/shadow?

No. What's the use case? Does this currently exist for the RPM scriptlet case?

> Are changes to shadow/passwd made by a user respected / preserved (IE to
> a user account)?

Yes. Always. sysusers will never touch existing users, it will only add in missing ones, with secure defaults (i.e. as disabled accounts, with no login possible). For example, if you assign a shell or a password to one of those system users, then that's totally OK, sysusers will stay away from that, never reset it, never touch it.

> What happens if a human edits the system account generated by systemd,
> do the changes get lost?

Nope, what the admin changes will take effect. The only thing that might happen is that if you delete a user it might be recreated the next time sysusers runs.

Lennart

--
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
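The semantics Lennart describes above (only missing users are added, a matching group is created when absent, new accounts are disabled, an admin-edited account is left alone, a deleted account comes back on the next run, and nothing changes when everything already exists) can be modelled in a few dozen lines. The following is an added example written for this page, not systemd's own code: it applies sysusers.d-style `u` and `g` lines to in-memory copies of passwd, shadow and group, so it can be run without root and without touching /etc. The nologin path, the 100..999 system ID range with top-down allocation, the `/` default home, and the fallback to a dynamic ID when a requested fixed ID is already taken are assumptions of this model, not facts taken from the thread; the sample config and database contents are constructed.

```python
"""Toy model of the systemd-sysusers behaviour described in the thread.

Not systemd's code. Applies sysusers.d-style 'u' and 'g' lines to
in-memory passwd/shadow/group text and reports whether anything changed.
Assumptions (not from the thread): NOLOGIN path, system ID range and
top-down allocation, '/' as default home, dynamic fallback when a
requested fixed ID is taken.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

NOLOGIN = "/usr/sbin/nologin"                 # assumed disabled-login shell
SYSTEM_ID_MIN, SYSTEM_ID_MAX = 100, 999       # assumed dynamic ID range


@dataclass
class Entry:
    kind: str             # "u" (user + matching group) or "g" (group only)
    name: str
    uid: Optional[int]    # None: allocate dynamically
    gid: Optional[int]
    gecos: str
    home: str
    shell: str


def parse_sysusers(text):
    """Parse 'Type Name ID GECOS Home Shell' lines; '-' means default."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)   # handles quoted GECOS
        if not fields or fields[0] not in ("u", "g"):
            continue                               # m/r lines not modelled
        fields += ["-"] * (6 - len(fields))
        kind, name, ident, gecos, home, shell = fields[:6]
        uid = gid = None
        if ident != "-":
            uid_s, _, gid_s = ident.partition(":")   # "123" or "123:456"
            if kind == "g":
                gid = int(uid_s)
            else:
                uid = int(uid_s)
                gid = int(gid_s) if gid_s else uid   # 'u name 123' => gid 123 too
        entries.append(Entry(kind, name,
                             uid, gid,
                             "" if gecos == "-" else gecos,
                             "/" if home == "-" else home,
                             NOLOGIN if shell == "-" else shell))
    return entries


def _parse_db(text):
    """Colon-separated database -> ordered dict keyed by account name."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            db[fields[0]] = fields
    return db


def _render_db(db):
    return "".join(":".join(f) + "\n" for f in db.values())


def _used_ids(db, column):
    return {int(f[column]) for f in db.values() if f[column].isdigit()}


def _pick_id(requested, used):
    """Fixed ID if free, else (assumption) highest free ID in system range."""
    if requested is not None and requested not in used:
        return requested
    for cand in range(SYSTEM_ID_MAX, SYSTEM_ID_MIN - 1, -1):
        if cand not in used:
            return cand
    raise RuntimeError("no free system ID")


def apply_sysusers(config, passwd_text, shadow_text, group_text):
    """Return (passwd, shadow, group, changed). Existing entries are never
    modified; only missing users/groups are added, as disabled accounts."""
    passwd, shadow, group = map(_parse_db, (passwd_text, shadow_text, group_text))
    changed = False
    for e in parse_sysusers(config):
        if e.kind == "g":
            if e.name in group:                      # existing group: hands off
                continue
            gid = _pick_id(e.gid, _used_ids(group, 2))
            group[e.name] = [e.name, "x", str(gid), ""]
            changed = True
            continue
        if e.name in passwd:                         # existing user: hands off,
            continue                                 # even if admin set shell/password
        if e.name not in group:                      # matching group if missing
            gid = _pick_id(e.gid, _used_ids(group, 2))
            group[e.name] = [e.name, "x", str(gid), ""]
        uid = _pick_id(e.uid, _used_ids(passwd, 2))
        passwd[e.name] = [e.name, "x", str(uid), group[e.name][2], e.gecos, e.home, e.shell]
        # "!" locks the password, so the account is disabled from the start
        shadow[e.name] = [e.name, "!", "", "0", "99999", "7", "", "", ""]
        changed = True
    return _render_db(passwd), _render_db(shadow), _render_db(group), changed


# Constructed sample input: 'amanda' already exists with an admin-assigned
# shell and password; 'myservice' and 'plugdev' are missing.
SAMPLE_CONFIG = """\
u amanda     33  "Amanda backup"  /var/lib/amanda
u myservice  -   "Example daemon" /var/lib/myservice
g plugdev    46
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\namanda:x:33:33:Amanda:/var/lib/amanda:/bin/bash\n"
SAMPLE_SHADOW = "root:*:16000:0:99999:7:::\namanda:$6$salt$hash:16000:0:99999:7:::\n"
SAMPLE_GROUP = "root:x:0:\namanda:x:33:\n"

if __name__ == "__main__":
    p, s, g, changed = apply_sysusers(SAMPLE_CONFIG, SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP)
    print(p, s, g, "changed:", changed, sep="\n")
```

Running it twice on the same input shows the idempotence the thread promises: the first pass reports `changed=True` and adds only `myservice` (locked, nologin) and the two groups, the second pass reports `changed=False` and returns the files byte-for-byte unchanged, and removing the `myservice` passwd line by hand makes the next pass recreate it, which is the one case Lennart flags as surprising for an admin.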