Hi, as already announced/discussed two weeks ago on the factory list, we want to make changes to how system users are created and handled. The current handling of system accounts on openSUSE is a little bit "chaotic". We have aaa_base creating a lot of standard users, but nobody knows if they are still needed at all. Same for groups. Additional, we have some accounts, which 99,99% of the users will never need (like uucp), but will always be created, including the home directories. And to make the chaos really perfect, we have systemd (/usr/lib/sysusers.d/basic.conf), which creates system users and groups, which partly are also part of aaa_base. That's very confusing and error prune. I would like to propose the following addition to the "Users and Groups" section (https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups): ==== System users, which are used by a variety of applications, by standard filesystem directories or are standard users which should exist on every Unix compatible system, should be provided by special RPMs. This RPMs provides and the user and groups: ``` Provides: user(<name>) Provides: group(<name>) ``` This RPMs are also responsible to create and provide the home directory. Applications needing a special system user should require them: ``` Requires(pre): user(<name>) Requires(pre): group(<name>) ``` With this, the system users will only be created if they are needed. And an admin can easy find out, if a system user is still required or can be deleted. systemd-sysusers (sysusers.d(5)) is used to create this accounts. This allows to verify how the system account should look like. An example spec file for the uucp system user should contain the following lines: ``` Source1: system-user-uucp.conf BuildRequires: sysuser-tools %package -n system-user-uucp Summary: System user and group uucp %sysusers_requires %build %sysusers_generate_pre %{SOURCE1} uucp %pre -n system-user-uucp -f uucp.pre %files -n system-user-uucp %defattr(-,root,root) %dir %attr(0750,uucp,uucp) %{_sysconfdir}/uucp ``` ==== A reference implementation, which I would submit to Factory if approved, can be found at: https://build.opensuse.org/project/show/home:kukuk:sysusers Not all system accounts are converted yet, but to start, we don't need to do that. This will be a moving target, but should be easy and quick doable for most system user. Should this replace all usages of useradd? We don't think so. There is no reason to do so, except one package creates an account a ot of other packages need, too. Thanks, Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org