Wiki - https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers Discussion thread - https://discussion.fedoraproject.org/t/f42-change-proposal-rpm-support-for-systemd-sysusers-d-system-wide/140621 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == RPM supports creating users and groups according to configuration provided in sysusers.d snippets shipped in package payload. The goal of the proposal is to fully integrate this RPM functionality in Fedora. == Owner == * Name: Michal Sekletar, Zbigniew Jędrzejewski-Szmek, Panu Matilainen * Email: msekleta@xxxxxxxxxx, zbyszek@xxxxxxxxx, pmatilai@xxxxxxxxxx == Detailed Description == This proposal consists of two parts. The first is to make sure that rpm functionality is fully enabled in Fedora. The second is to update packaging guidelines and raise awareness about the new simpler user creation method for rpm packages. The goal is a fully declarative system user and group management in all RPMs. Over time we should be able to drop all manual `useradd`/`groupadd` invocations or use of `%sysusers_create_compat` macro in rpm scriptlets. Support for sysusers was added in rpm 4.19.0. Support for group membership (`m` lines) was added in rpm 4.20.0. Support for locked-down users (`u!` lines) was added for rpm 4.21.0. The rpm package has patches to disable user/group creation ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.18.92-disable-sysusers.patch rpm-4.18.92-disable-sysusers.patch]) and make user/group dependencies weak ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.19.91-weak-user-group.patch rpm-4.19.91-weak-user-group.patch]). == Feedback == [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/IKWECWMBWN2IDKLHK3Q2TZKVSVFTXUNA/#U4BF4ETCFNMMXY6NGRV5Y7ABTZDXQYNY| Discussion] about idea to submit the proposal on fedora-devel list. == Benefit to Fedora == * Declarative system user and group management by packages * Potential for spec file simplification, concretely, removal of relevant part of %pre scripts in some packages. * Ability to query what user and groups are provided by given package as well as ability to have dependencies on users/groups from different packages. * Make use of native rpm functionality in favor of current %sysusers_compat_create. == Scope == * Proposal owners: ** Change rpm so that it generates hard dependency between packages A and B in case B depends on user or group provided by package A. Rpm currently has downstream patch so that only weak dependencies are generated. ** Make sure that previous change in rpm doesn't cause package dependency loops during system installation. ** Work on fix for shadow-utils so that useradd and groupadd work correctly in chroot on SELinux enabled systems (shadow-utils [https://github.com/shadow-maint/shadow/issues/940| issue].) * Other developers: ** We would welcome any help with shadow-utils [https://github.com/shadow-maint/shadow/issues/940| issue]. * Release engineering: N/A (not needed for this Change) * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: == Upgrade/compatibility impact == There is no upgrade/compatibility impact. == How To Test == * Select rpm package that creates system user/group account in %pre * Remove part of %pre scriptlet that handles user/group creation * Create equivalent [https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html| sysusers.d] configuration file and ship it as part of rpm payload under /usr/lib/sysusers.d/. * Rebuild the package * Verify that package has been built correctly and it has rpm provides for installed user account and group (e.g. `user(foo) = ABUNCHOFHEXHERE`, `group(bar) = ADIFFERNTBUNCHOFHEXHERE`). Use `rpm -qP $package | awk '/(user|group)\(/ {print $3}' | base64 -d` and check that the output looks reasonable. * Verify that you can install the package and installed files have correct ownership. == User Experience == There shouldn't be any user observable change to previous state. Potential packaging related benefits are mostly of interest to package maintainers. == Dependencies == None == Contingency Plan == * Contingency mechanism: If we are not confident by mass-rebuild that we can deliver the feature we will postpone its delivery to later Fedora release. There are no explicit rollback/cleanup actions that need to taken. * Contingency deadline: Mass Rebuild of RPMs on Wed 2025-01-15. * Blocks release? No == Documentation == [https://github.com/rpm-software-management/rpm/blob/master/docs/manual/users_and_groups.md#users-and-groups| sysusers.d support in RPM]. == Release Notes == N/A -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue