On Fri, Jul 11, 2014 at 09:05:29AM +0930, William wrote:
> Thank you both for your response. It's appreciated.
>
> > > * Files in systemd's sysusers configuration directory will be used as a
> > > data source to create /etc/passwd and /etc/shadow.
> >
> > Also, /etc/group and /etc/gshadow.
> >
> > > Under what conditions are these two files created / touched?
> >
> > Three triggers:
> >
> > 1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
> > which I hope can be made the default in Fedora for all packages
> > needing system users.
> >
> > 2. At boot on systems which are set up in a "golden master" scheme,
> > where a single /usr is used for a number of instances which each have
> > their own /etc and /var. Similar, on "stateless" systems which boot
> > up with tmpfs on /etc and /var, and hence start from scratch every
> > single time. Note though that Fedora is not set up for this fully yet
> > (though it actually works pretty good already, with the two
> > exceptions in the basic OS being PAM and dbus-1, which react quite
> > allergic to an unpopulated /etc).
> >
> > 3. Similar to 2, but people who instantiate new systems from the same
> > /usr in an "offline" scheme, where they don't delay user creation to
> > the next reboot.
> >
> > Note however, that sysusers will only do something if any of the
> > specified users is actually missing. We are very careful in not touching
> > the file system if all users already exist. Also, if the disk is
> > read-only sysusers is automatically skipped at boot.
> >
> > At a later time I will propose fixing Fedora to make the "stateless" +
> > "golden master" schemes just work. But I am not ready to discuss this in
> > full now.
> >
> > > When I install a package and add a file to this sysuser directory, is
> > > only that user added to passwd and shadow?
> >
> > For each user you create with sysusers a matching group will be created
> > too, should it be missing.
> >
> > > Is there a way to disable or remove a system user from being added
> > > to /etc/shadow?
> >
> > No. What's the use case? Does this currently exist for the RPM scriptlet
> > case?
>
> ATM there is no use case, but there will surely be one person who will
> cry out if this is unavailable. I would rather have it clearly stated on
> a wiki / FAQ, so that when someone in the future asks for this, there is
> a clear answer stated. I'm a fan of documenting and covering these edge
> cases is all :)

http://cgit.freedesktop.org/systemd/systemd/commit/?id=938a560b76
adds the usual semantics of etc-overrides-run-overrides-lib.

> > > Are changes to shadow/passwd made by a user respected / preserved (IE to
> > > a user account)?
> >
> > Yes. Always. sysusers will never touch existing users, it will only add
> > in missing ones, with secure defaults (i.e. as disabled accounts, with
> > no login possible). For example, if you assign a shell or a password to
> > one of those system users, then that's totally OK, sysusers will stay
> > away from that, never reset it, never touch it.
> >
> > > What happens if a human edits the system account generated by systemd,
> > > do the changes get lost?
> >
> > Nope, what the admin changes will take effect. The only thing that might
> > happen that if you delete a user it might be recreated the next time
> > sysusers runs.
> >
>
> Thanks for all your answers. Do you mind adding them to a section on
> https://fedoraproject.org/wiki/Changes/SystemdSysusers So that others
> can benefit from them?

It is now described in the man page, which is linked from the wiki page.

Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
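
Added example, not part of the thread and not systemd code: a simplified Python model of two behaviours discussed above, the etc-overrides-run-overrides-lib file precedence and the rule that only users missing from /etc/passwd are added. The function names, the parser that reads only `u` lines, and the /dev/null masking convention are assumptions of this example.

```python
import os

# Lowest to highest priority: a file in a later directory replaces a file
# of the same name in an earlier one (etc overrides run overrides lib).
SYSUSERS_DIRS = ["/usr/lib/sysusers.d", "/run/sysusers.d", "/etc/sysusers.d"]

def effective_files(dirs=SYSUSERS_DIRS):
    """Map each *.conf name to the winning path, or None if it is masked."""
    winners = {}
    for d in dirs:
        if os.path.isdir(d):
            for name in os.listdir(d):
                if name.endswith(".conf"):
                    winners[name] = os.path.join(d, name)
    # Assumption: a symlink to /dev/null disables the same-named vendor file.
    return {n: (None if os.path.realpath(p) == "/dev/null" else p)
            for n, p in winners.items()}

def declared_users(path):
    """User names on 'u' lines; every other line type and field is ignored."""
    names = []
    with open(path) as fh:
        for line in fh:
            fields = line.split()
            if len(fields) >= 2 and fields[0] == "u":
                names.append(fields[1])
    return names

def missing_users(dirs=SYSUSERS_DIRS, passwd="/etc/passwd"):
    """Users declared in an effective file but absent from the passwd file.

    Existing entries are never reported, whatever shell or password the
    admin gave them, mirroring "sysusers will never touch existing users".
    """
    with open(passwd) as fh:
        existing = {line.split(":", 1)[0] for line in fh if line.strip()}
    missing = []
    for _name, path in sorted(effective_files(dirs).items()):
        if path is not None:
            missing += [u for u in declared_users(path) if u not in existing]
    return missing

if __name__ == "__main__":
    for conf, path in sorted(effective_files().items()):
        print(conf, "->", path or "masked")
    print("would be added:", missing_users())
```
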