Bug#888126: [patch] Please enable systemd-sysusers unit

Michael Vogt mvo at debian.org
Mon Jan 29 08:28:36 GMT 2018


On Sat, Jan 27, 2018 at 10:20:46PM +0100, Martin Pitt wrote:
[..]
> Michael Vogt [2018-01-23 16:15 +0100]:
> >     sync:*:4:65534:sync:/bin:/bin/sync
> > 
> > which cannot be represented because you cannot specify a different
> > primary gid in the sysusers file (or a login shell). So extra work is
> > required for this but (personally) I would love to this is.
> 
> Since you freshly looked at this, was this the only problem? I figure the sync
> group is mostly unused anyway, and completely irrelevant for containers - but
> does this also affect static groups which are actually important? I. e. which
> static groups cannot be replicated with sysusers?

I think man is the important one, it has uid=6 gid=12. Also nobody and
nogroup share the same id but different names.

> IMHO if we enable this, we should also provide a reasonably correct static
> sysusers so that the program actually works as intended. It doesn't need to
> (and can't right now) be perfect, but at least not completely break your
> system.

Totally agree. To do that I pushed a PR to systemd
(https://github.com/systemd/systemd/pull/7973) to allow a new uid:gid
syntax. Fwiw, I'm impressed once more by the quality and speed of the
upstream code reviews.

With this and the attached sysusers.d conf file we are closer but there is
the issue that some users/groups share the same ID, e.g. nouser and
nogroup. systemd-sysusers does not like that, it will pick a new
ID in this case.

Fixing this in the code is pretty trivial, we just need an OK from
upstream on how to do it (either by ensuring the uid:gid syntax never
changes the uid/gid or via a new prefix/postfix like "!" to force
creation).

Then there is also a small incompatibility issue with the shell:
```
$ head -n2 passwd 
root:x:0:0::/root:/bin/sh
daemon:x:1:1::/usr/sbin:/sbin/nologin

$ head -n2 /usr/share/base-passwd/passwd.master 
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```

For root it is "nologin" and the path of /sbin/nologin between Debian
and Fedora differs. That's another open issue.

Those seem to be the blockers for making this available
generally. What do you think?

Cheers,
 Michael

-------------- next part --------------
```
#Type  Name        ID          GECOS Home directory
u      root        0           -     /root
u      daemon      1           -     /usr/sbin
u      bin         2           -     /bin
u      sys         3           -     /dev
g      adm         4           -
g      tty         5           -
g      disk        6           -
g      man         12          -
u      sync        4:65534     -     /bin
u      games       5:60        -     /usr/games
u      man         6:12        -     /var/cache/man
u      lp          7           -     /var/spool/lpd
u      mail        8           -     /var/mail
u      news        9           -     /var/spool/news
u      uucp        10          -     /var/spool/uucp
u      proxy       13          -     /bin
g      kmem        15          -
g      dialout     20          -
g      fax         21          -
g      voice       22          -
g      cdrom       24          -
g      floppy      25          -
g      tape        26          -
g      sudo        27          -
g      audio       29          -
g      dip         30          -
u      www-data    33          -     /var/www
u      backup      34          -     /var/backups
g      operator    37          -
u      list        38          -     /var/list
u      irc         39          -     /var/run/ircd
g      src         40          -
u      gnats       41          -     /var/lib/gnats
g      shadow      42          -
g      utmp        43          -
g      video       44          -
g      sasl        45          -
g      plugdev     46          -
g      staff       50          -
g      games       60          -
g      users       100         -
u      nobody      65534:65534 -     /nonexistent
g      nogroup     65534       -
```
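As an added example (not code from the bug report, systemd or base-passwd), a small checker that reads a sysusers.d file using the uid:gid ID form proposed in PR 7973 and reports which passwd.master entries it would not reproduce: a primary gid the line cannot express, a login shell, and the shared-ID case (nobody/nogroup) the mail describes. Both inputs are constructed samples, and the nologin path and the rule for the ID clash are assumptions of this example.

```python
PASSWD_MASTER = """\
root:*:0:0:root:/root:/bin/bash
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""  # constructed sample, not base-passwd's real passwd.master
SYSUSERS_CONF = """\
#Type Name    ID          GECOS Home
u     root    0           -     /root
g     adm     4           -
u     sync    4:65534     -     /bin
u     man     6           -     /var/cache/man
g     nogroup 65534       -
u     nobody  65534:65534 -     /nonexistent
"""  # constructed; uses the uid:gid ID form proposed in PR 7973
SYSUSERS_SHELL = "/usr/sbin/nologin"  # assumed: the only shell sysusers assigns

def parse_sysusers(text):
    """Return ({user: (uid, gid)}, {group: gid}); gid defaults to uid."""
    users, groups = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        typ, name, ident = line.split()[:3]
        if typ == "g":
            groups[name] = int(ident)
        elif typ == "u":
            uid, _, gid = ident.partition(":")
            users[name] = (int(uid), int(gid or uid))
    return users, groups

def find_gaps(passwd_text, sysusers_text):
    """List passwd(5) entries that sysusers would create differently."""
    users, groups = parse_sysusers(sysusers_text)
    issues = []
    for line in passwd_text.splitlines():
        name, _, uid, gid, _, _, shell = line.split(":")
        uid, gid = int(uid), int(gid)
        if name not in users:
            issues.append(f"{name}: no sysusers.d entry")
            continue
        s_uid, s_gid = users[name]
        if (s_uid, s_gid) != (uid, gid):
            issues.append(f"{name}: sysusers gives {s_uid}:{s_gid}, passwd has {uid}:{gid}")
        if shell != SYSUSERS_SHELL:
            issues.append(f"{name}: shell {shell} cannot be expressed")
        # assumed clash model from the mail: a 'u' line also claims its uid as a gid
        taken = [g for g, i in groups.items() if i == s_uid and g != name]
        if taken:
            issues.append(f"{name}: id {s_uid} already used by group {taken[0]}")
    return issues
```

Running `find_gaps(PASSWD_MASTER, SYSUSERS_CONF)` on the samples flags the shells of root and sync, the man gid that a plain `u man 6` line cannot express, and the sync/adm and nobody/nogroup ID clashes.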
