Bug#912525: systemd: nobody group is created by systemd-sysusers automatically

Keh-Ming Luoh kmluoh at gmail.com
Mon Nov 19 17:05:09 GMT 2018


Hi, Martin:

Thanks for reminding me that my patch isn't good enough.

My intention is indeed to keep uid/gid creation more explicit,
so the script can handle other "exceptions" better (in the future).

I prefer to keep the logic instead of treating 65534 as special.

Thanks.
-KM


On Fri, Nov 16, 2018 at 9:32 AM Martin Pitt <mpitt at debian.org> wrote:

> Hello Keh-Ming Luoh, hello Michael,
>
> sorry for the delay!
>
> Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> > When I upgrade my systemd, I found there is a "nobody" group created
> > automatically.
>
> Thanks for tracking this down!
>
> > -awk -F:  '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
> > +awk -F:  '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n",
> $1,i,$6,$7) }'  < /usr/share/base-passwd/passwd.master
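Review bot: on the `+` line, dropping the `$3 == $4` test gives every user an explicit `uid:gid`, yet this hunk leaves the script's group filter unchanged, so groups that share name and ID with their user (such as sys:3) are never declared for the `u` line that now references them. Either make group emission unconditional in the same patch, or keep the single-ID form and switch to `uid:gid` only where the primary group's name differs from the user's. The retained `%-7s` is also too narrow for an 11-character value like `65534:65534`, so the columns no longer line up.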
>
> This is not quite correct. If you specify the GID explicitly, then it needs to
> exist before, i. e. the script would also need to be changed to create groups
> like "sys:3" explicitly. I. e. the conditional
>
>    # only take groups whose name+gid != the corresponding user in passwd.master
>
> part would need to become unconditional. This would work, but would make both
> the group and passwd list more unwieldy.
>
> As all static Debian users and groups *except* nobody:nogroup have the same
> name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
> generally the right thing to do and more robust. So instead I'd like to
> handle the "nogroup" special-case as such.
>
> With the attached patch I seem to get the correct behaviour. The effective diff
> of the generated sysusers.d is
>
> -u nobody     65534   - /nonexistent         /usr/sbin/nologin
> +u nobody     65534:65534 - /nonexistent         /usr/sbin/nologin
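Review bot: the `+u nobody 65534:65534` line depends on a group with GID 65534 being defined, per the rule stated earlier in this message that an explicitly specified GID needs to exist before. The generated file should be checked for a matching group entry for 65534, and a fresh-install run should confirm that the user's primary group resolves to the intended one, for example with `id nobody`.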
>
> and nothing else. With current 239-11:
>
>   # systemd-sysusers
>   Creating group nobody with gid 999.
>
> and with this patched /usr/lib/sysusers.d/basic.conf:
>
>   # systemd-sysusers
>   # grep nobody /etc/group
>   #
>
> i. e. it stops creating the group.
>
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
>
> @Michael, does that seem ok to you?
>
> Thanks,
>
> Martin
>
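
The rule discussed in this thread, as an added example that is neither the patch attached to the message nor the package's own script: emit the single-ID form only when the user's primary GID belongs to a group of the same name, and `uid:gid` otherwise. This generalizes the nobody:nogroup case without naming 65534. The sample master files, the function names and the `g` line layout are assumptions.

```shell
#!/bin/sh
# Constructed samples in passwd(5)/group(5) layout; not the real master files.
sample_passwd() {
cat <<'EOF'
root:*:0:0:root:/root:/bin/bash
sys:*:3:3:sys:/dev:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}
sample_group() {
cat <<'EOF'
root:*:0:
sys:*:3:
adm:*:4:
nogroup:*:65534:
EOF
}

# gen_sysusers PASSWD GROUP: print sysusers.d lines (hypothetical helper).
gen_sysusers() {
    awk -F: '
        # First input is the group file: index names by GID, keep file order.
        NR == FNR { gname[$3] = $1; gid[$1] = $3; order[++n] = $1; next }
        # Second input is the passwd file.
        {
            # Single-ID form is safe only if uid == gid AND that GID is
            # owned by a group with the same name as the user.
            paired = ($3 == $4 && gname[$4] == $1)
            if (paired) covered[$1] = 1
            id = paired ? $3 : $3 ":" $4
            users[++m] = sprintf("u %-10s %-11s - %-20s %s", $1, id, $6, $7)
        }
        END {
            # Declare every group that no single-ID user line creates,
            # so an explicit uid:gid always refers to a declared group.
            for (i = 1; i <= n; i++)
                if (!(order[i] in covered))
                    printf("g %-10s %s\n", order[i], gid[order[i]])
            for (i = 1; i <= m; i++) print users[i]
        }
    ' "$2" "$1"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d) && sample_passwd > "$tmp/passwd" && sample_group > "$tmp/group"
gen_sysusers "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```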

More information about the Pkg-systemd-maintainers mailing list