Thank you both for your response. It's appreciated.

> > * Files in systemd's sysusers configuration directory will be used as a
> > data source to create /etc/passwd and /etc/shadow.
>
> Also, /etc/group and /etc/gshadow.
>
> > Under what conditions are these two files created / touched?
>
> Three triggers:
>
> 1. When the "systemd-sysusers" tool is invoked from an RPM scriptlet,
> which I hope can be made the default in Fedora for all packages
> needing system users.
>
> 2. At boot on systems which are set up in a "golden master" scheme,
> where a single /usr is used for a number of instances which each have
> their own /etc and /var. Similar, on "stateless" systems which boot
> up with tmpfs on /etc and /var, and hence start from scratch every
> single time. Note though that Fedora is not set up for this fully yet
> (though it actually works pretty good already, with the two
> exceptions in the basic OS being PAM and dbus-1, which react quite
> allergic to an unpopulated /etc).
>
> 3. Similar to 2, but people who instantiate new systems from the same
> /usr in an "offline" scheme, where they don't delay user creation to
> the next reboot.
>
> Note however, that sysusers will only do something if any of the
> specified users is actually missing. We are very careful in not touching
> the file system if all users already exist. Also, if the disk is
> read-only sysusers is automatically skipped at boot.
>
> At a later time I will propose fixing Fedora to make the "stateless" +
> "golden master" schemes just work. But I am not ready to discuss this in
> full now.
>
> > When I install a package and add a file to this sysuser directory, is
> > only that user added to passwd and shadow?
>
> For each user you create with sysusers a matching group will be created
> too, should it be missing.
>
> > Is there a way to disable or remove a system user from being added
> > to /etc/shadow?
>
> No. What's the usecase? Does this currently exist for the RPM scriptlet
> case?

ATM there is no use case, but there will surely be one person who will cry out if this is unavailable. I would rather have it clearly stated on a wiki / FAQ, so that when someone in the future asks for this, there is a clear answer stated. I'm a fan of documenting and covering these edge cases is all :)

> > Are changes to shadow/passwd made by a user respected / preserved (IE to
> > a user account)?
>
> Yes. Always. sysusers will never touch existing users, it will only add
> in missing ones, with secure defaults (i.e. as disabled accounts, with
> no login possible). For example, if you assign a shell or a password to
> one of those system users, then that's totally OK, sysusers will stay
> away from that, never reset it, never touch it.
>
> > What happens if a human edits the system account generated by systemd,
> > do the changes get lost?
>
> Nope, what the admin changes will take effect. The only thing that might
> happen that if you delete a user it might be recreated the next time
> sysusers runs.
>

Thanks for all your answers. Do you mind adding them to a section on https://fedoraproject.org/wiki/Changes/SystemdSysusers so that others can benefit from them?
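
Because, as described in the thread, sysusers only adds missing users with locked defaults and never resets later changes, a shell or password assigned to such an account persists until someone audits for it. The following is an added example, not part of the original message or of systemd: a small Python audit that reads `u` lines from sysusers.d-style text and flags declared accounts that have drifted from the locked defaults or are still missing. The sample data, the nologin shell list and the function names are assumptions constructed for illustration.

```python
import shlex

# Constructed sample inputs (illustrative only, not taken from a real system).
SYSUSERS_CONF = '''\
# Type Name    ID  GECOS
u     httpd   -   "Web server"
u     backupd 450 "Backup daemon"
g     input   -   -
u     newsvc  -   "Not yet created"
'''
PASSWD = '''\
httpd:x:990:990:Web server:/:/sbin/nologin
backupd:x:450:450:Backup daemon:/:/bin/bash
'''
SHADOW = '''\
httpd:!!:19000::::::
backupd:$6$constructed$hash:19000::::::
'''
# Assumption: shells treated as "no login possible".
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def declared_users(conf_text):
    # Collect names from 'u' lines; comments=True drops '#' comments and blank lines.
    names = []
    for line in conf_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2 and fields[0] == "u":
            names.append(fields[1])
    return names

def audit(conf_text, passwd_text, shadow_text):
    shells = {f[0]: f[6] for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 7}
    hashes = {f[0]: f[1] for f in (l.split(":") for l in shadow_text.splitlines()) if len(f) >= 2}
    report = {}  # user name -> list of findings; empty list means still locked down
    for name in declared_users(conf_text):
        if name not in shells:
            report[name] = ["missing: sysusers would create it on its next run"]
            continue
        findings = []
        if shells[name] not in NOLOGIN_SHELLS:
            findings.append("login shell " + shells[name])
        # A leading '!' or '*' in the shadow password field means no usable password.
        if name in hashes and not hashes[name].startswith(("!", "*")):
            findings.append("password not locked")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SYSUSERS_CONF, PASSWD, SHADOW))
```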