Mailinglist Archive: opensuse-factory (562 mails)

[opensuse-factory] RFC: new system user handling

Hi,

the current handling of system accounts on openSUSE is a little bit
"chaotic".
We have aaa_base creating a lot of standard users, but nobody knows
if they are still needed at all. Same for groups. Additionally, we have
some accounts, which 99,99% of the users will never need (like uucp),
but will always be created, including the home directories.
And to make the chaos really perfect, we have systemd
(/usr/lib/sysusers.d/basic.conf), which creates system users and groups,
which partly are also part of aaa_base. That's very confusing and
error-prone.
At the end, we also have packages creating users via useradd (which itself
is fine and which we don't want to change) and other packages requiring
these packages, only because they need that user. Or they create the
user a second time with slightly incompatible data.

That's why we have been thinking over the last months about how a new
way of handling system accounts could look.

The idea behind this was, that it should always be possible to find
out who requires a user and what the original data was, from which
the account was created.
RPMs, which need a system user or group, only add a (Pre)Requires
to the spec file:
Requires(pre): user(<name>)
Requires(pre): group(<name>)

To store the original data, we decided to use the sysusers.d(5)
config files from systemd. The advantage is, it's already there,
it's already used by the systemd package, and we don't need to
re-invent the wheel. Mid-term we think we need some enhancements
to the file format (like being able to specify the login shell),
but for the start this works fine.

To avoid problems with RPM (including the home directory in the
filelist with the correct permissions and ownership), the users
and groups need to be created already in the Pre-Install section.
But since the config file is only written to disk later, the data
needs to be added to the %pre section, too. For this, we created
some macros in a package "sysuser-tools".

A spec file would contain the following lines:

Source1: system-user-uucp.conf
BuildRequires: sysuser-tools

%package -n system-user-uucp
Summary: System user and group uucp
%sysusers_requires

%build
%sysusers_generate_pre %{SOURCE1} uucp

%pre -n system-user-uucp -f uucp.pre

%files -n system-user-uucp
%defattr(-,root,root)
%dir %attr(0750,uucp,uucp) %{_sysconfdir}/uucp


A full example for many more users/groups and adjusted packages,
including aaa_base and filesystem, can be found at:

https://build.opensuse.org/project/show/home:kukuk:sysusers

Not all system accounts are converted yet, but to start, we don't need
to do that. This will be a moving target, but should be easily and quickly
doable for most system users.


And how does this solve our problems? As long as there are packages,
which require this user, the RPM creating the account will be pulled
in automatically. If you think an account is no longer needed, you can
try to deinstall the package creating the account. If this succeeds, you
can manually remove the user (userdel -r ...).

Should this replace all usages of useradd? We don't think so. There
is no reason to do so, except when one package creates an account a lot of
other packages need, too.

Your comments? Any ideas or code for improvement?
If not, we will start in about two to three weeks to incorporate
that in Factory.

Thanks,
Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
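
The mail's goal is that every system account can be traced back to the data it was created from. The following sketch is an added example, not part of the original mail or of sysuser-tools: it parses a sysusers.d(5) fragment and flags system accounts in passwd that have no declaration or whose home directory differs from the declared one. The sample data, the function names and the UID threshold of 999 are assumptions made for illustration.

```python
import shlex

# Constructed sample input: a sysusers.d(5) fragment and passwd entries.
SYSUSERS_CONF = '''\
# Type Name ID GECOS Home
u root 0 "root" /root
g uucp -
u uucp - "Unix-to-Unix CoPy system" /etc/uucp
u games - "Games account" /var/games
m uucp dialout
'''
PASSWD = '''\
root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/lib/games:/bin/bash
oldsvc:x:77:77:Leftover daemon:/var/lib/oldsvc:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
'''
SYS_UID_MAX = 999  # assumption: system accounts use UIDs up to 999


def parse_sysusers(text):
    """Return {name: home or None} for every 'u' line of a sysusers.d fragment."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # GECOS may be a quoted string
        if fields[0] == "u" and len(fields) >= 2:
            home = fields[4] if len(fields) > 4 and fields[4] != "-" else None
            users[fields[1]] = home
    return users


def audit(passwd_text, declared):
    """Compare system accounts in passwd against the declared users."""
    findings = []
    for entry in passwd_text.splitlines():
        name, _, uid, _, _, home, _ = entry.split(":")
        if int(uid) > SYS_UID_MAX:
            continue  # regular user, not covered by sysusers.d
        if name not in declared:
            findings.append((name, "no sysusers.d declaration"))
        elif declared[name] and declared[name] != home:
            findings.append((name, f"home {home} != declared {declared[name]}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(PASSWD, parse_sysusers(SYSUSERS_CONF)):
        print(f"{name}: {problem}")
```

On a real system the two inputs would be the concatenated files under /usr/lib/sysusers.d and the contents of /etc/passwd.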
