We are currently [trying to move our project to
systemd-sysusers](https://github.com/cockpit-project/cockpit/pull/20365), away
from manual `useradd` calls in the package's `%pre` script. The [rpm
manual](https://rpm-software-management.github.io/rpm/manual/users_and_groups.html)
claims
> Rpm >= 4.19 has native support for declarative user and group creation
> through integration with systemd’s
> [sysusers.d](https://www.freedesktop.org/software/systemd/man/sysusers.d.html)
> format. Packagers will only need to package a sysusers.d file for their
> custom users and groups in /usr/lib/sysusers.d and rpm will take care of the
> rest.
I tried that on current Fedora 40 (rpm-4.19.1.1-1.fc40.x86_64), and an initial
version with a [clean
approach](https://github.com/travier/cockpit/commit/5de9a7a54bc179156c4484582171a96e142df811)
just adds a `%{_sysusersdir}/cockpit-ws.conf` file to the rpm. The diff doesn't
show the existing
```
%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
```
in the spec which makes use of the dynamic group.
The rpm build does create the "magic" provides:
```
# rpm -q --provides cockpit-ws
cockpit-ws = 316.dev27+g1dc9d3b8f-1.fc40
cockpit-ws(x86-64) = 316.dev27+g1dc9d3b8f-1.fc40
config(cockpit-ws) = 316.dev27+g1dc9d3b8f-1.fc40
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A
# echo dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A | base64 -d
u cockpit-ws - "User for cockpit web service" -
```
On install it does create the sysusers, but it tries to apply the `%attr`
*before* creating the users:
```
# rpm -i --verbose /var/tmp/build/cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64.rpm
Verifying packages...
Preparing packages...
cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating user 'cockpit-ws' (User for cockpit web service) with UID 979 and GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
Creating user 'cockpit-wsinstance' (User for cockpit-ws instances) with UID 978 and GID 978.
```
and after installation, /usr/libexec/cockpit-session has the wrong ownership
(group root).
So for the docs to actually work, it needs to create the sysusers before
unpacking (i.e. what a `%pre` script would do) from its "magic" provides or
other internal .rpm metadata, or defer the `%attr()` application until after the
initial unpacking of the files and sysusers creation.
I suppose that is the reason why the [Fedora packaging
guidelines](https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation)
have a completely different and very hackish approach -- one that suggests
duplicating the sysusers file downstream in the packaging dist-git, and using
`%sysusers_create_compat` to basically create some `useradd` shell script out
of the sysusers.d file. But this is awkward, error-prone, and a bit hard to
automate for releases. It also feels backwards -- the whole point is to move
and standardize all of this upstream.
I didn't find any existing upstream or Fedora downstream (bugzilla) bug report,
so filing this one.
Thanks!
CC: @travier
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3073
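
A post-install check for the symptom reported above, where `%attr` ownership silently falls back to `root` (added example, not part of the original report or of rpm): it compares the owner, group and mode recorded in the package header with what is on disk. The function name `audit_owners` is hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: compare packaged ownership/mode against what is on disk.
# audit_owners is a hypothetical helper name; GNU stat is assumed.
#
# Input on stdin, one file per line: "user group octal-mode path".
# Prints one line per mismatch; returns 1 if any file differs, 0 otherwise.
audit_owners() {
    rc=0
    while read -r exp_user exp_group exp_mode path; do
        [ -n "$path" ] || continue
        # Symlink modes are not meaningful; absent files cannot be checked.
        if [ -L "$path" ] || [ ! -e "$path" ]; then
            continue
        fi
        # rpm's mode includes the file type bits; keep only the permission
        # and setuid/setgid/sticky bits so it compares with stat's %a.
        want_mode=$(printf '%o' $(( 0$exp_mode & 07777 )))
        want="$exp_user $exp_group $want_mode"
        have=$(stat -c '%U %G %a' "$path")
        if [ "$have" != "$want" ]; then
            printf '%s: packaged as [%s], on disk [%s]\n' "$path" "$want" "$have"
            rc=1
        fi
    done
    return "$rc"
}

# When called with package names, audit them, e.g.: ./audit.sh cockpit-ws
# FILEUSERNAME, FILEGROUPNAME, FILEMODES and FILENAMES are rpm query tags.
if [ "$#" -gt 0 ]; then
    rpm -q --qf '[%{FILEUSERNAME} %{FILEGROUPNAME} %{FILEMODES:octal} %{FILENAMES}\n]' "$@" |
        audit_owners
fi
```

A non-zero exit status means at least one file's owner, group or mode differs from what the package declares.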