Hi,

the current handling of system accounts on openSUSE is a little bit "chaotic". We have aaa_base creating a lot of standard users, but nobody knows if they are still needed at all. Same for groups. Additionally, we have some accounts which 99,99% of the users will never need (like uucp), but which will always be created, including the home directories. And to make the chaos really perfect, we have systemd (/usr/lib/sysusers.d/basic.conf), which creates system users and groups that are partly also part of aaa_base. That's very confusing and error prone.

At the end, we also have packages creating users via useradd (which itself is fine and which we don't want to change) and other packages requiring these packages, only because they need that user. Or they create the user a second time with slightly incompatible data.

That's why we thought over the last months about a new way the system account handling could look. The idea behind this was that it should always be possible to find out who requires a user and what the original data was from which the account was created.

RPMs which need a system user or group only add a (Pre)Requires to the spec file:

    Requires(pre): user(<name>)
    Requires(pre): group(<name>)

To store the original data, we decided to use the sysusers.d(5) config files from systemd. The advantage is, it's already there, it's already used by the systemd package, and we don't need to re-invent the wheel. Mid-term we think we need some enhancements to the file format (like being able to specify the login shell), but for the start this works fine.

To avoid problems with RPM (including the home directory in the filelist with the correct permissions and ownership), the users and groups need to be created already in the Pre-Install section. But since the config file is only written to disk later, the data needs to be added to the %pre section, too. For this, we created some macros in a package "sysuser-tools".
A spec file would contain the following lines:

    Source1: system-user-uucp.conf
    BuildRequires: sysuser-tools

    %package -n system-user-uucp
    Summary: System user and group uucp
    %sysusers_requires

    %build
    %sysusers_generate_pre %{SOURCE1} uucp

    %pre -n system-user-uucp -f uucp.pre

    %files -n system-user-uucp
    %defattr(-,root,root)
    %dir %attr(0750,uucp,uucp) %{_sysconfdir}/uucp

A full example for many more users/groups and adjusted packages, including aaa_base and filesystem, can be found at:

https://build.opensuse.org/project/show/home:kukuk:sysusers

Not all system accounts are converted yet, but to start, we don't need to do that. This will be a moving target, but should be easily and quickly doable for most system users.

And how does this solve our problems? As long as there are packages which require this user, the RPM creating the account will be pulled in automatically. If you think an account is no longer needed, you can try to deinstall the package creating the account. If this succeeds, you can manually remove the user (userdel -r ...).

Should this replace all usages of useradd? We don't think so. There is no reason to do so, except when one package creates an account a lot of other packages need, too.

Your comments? Any ideas or code for improvement? If not, we will start in about two to three weeks to incorporate that in Factory.

Thanks,
Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
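The step described in the message above, turning a sysusers.d(5) file into account-creation commands for a %pre scriptlet, sketched as an added example. This is not the sysuser-tools macro or its real output: the sample config is constructed, and the mapping to getent/groupadd/useradd and the /sbin/nologin shell are assumptions.

```python
import shlex

# Constructed sample, not the real system-user-uucp.conf from the package.
SAMPLE_CONF = '''\
# Type Name ID GECOS Home
g uucp -
u uucp - "Unix-to-Unix CoPy system" /etc/uucp
'''

def parse_sysusers(text):
    """Return the 'u' and 'g' lines of a sysusers.d(5) file as dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)            # honours the quoted GECOS column
        fields += ["-"] * (5 - len(fields))   # omitted trailing columns mean "-"
        kind, name, ident, gecos, home = fields[:5]
        if kind not in ("u", "g"):
            continue                          # 'm' and 'r' lines are not handled here
        if ident != "-" and not ident.isdigit():
            raise ValueError(f"unsupported ID field for {name}: {ident}")
        entries.append(dict(type=kind, name=name, id=ident, gecos=gecos, home=home))
    return entries

def pre_commands(entries):
    """Build idempotent shell commands suitable for an RPM %pre scriptlet."""
    cmds = []
    def add(cmd):
        if cmd not in cmds:                   # 'g' and 'u' lines may name the same group
            cmds.append(cmd)
    for e in entries:
        name = shlex.quote(e["name"])
        gid = "" if e["id"] == "-" else f" -g {e['id']}"
        add(f"getent group {name} >/dev/null || groupadd -r{gid} {name}")
        if e["type"] == "u":                  # a 'u' line implies a same-named group
            opts = ["-r", "-g", name, "-s", "/sbin/nologin"]  # shell is an assumption
            if e["id"] != "-":
                opts += ["-u", e["id"]]
            if e["gecos"] != "-":
                opts += ["-c", shlex.quote(e["gecos"])]
            if e["home"] != "-":
                opts += ["-d", shlex.quote(e["home"])]
            add(f"getent passwd {name} >/dev/null || useradd {' '.join(opts)} {name}")
    return cmds

if __name__ == "__main__":
    print("\n".join(pre_commands(parse_sysusers(SAMPLE_CONF))))
```

Each command is guarded by getent, so a second package declaring the same account does not create it again.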