On Sat, Jan 27, 2018 at 10:20:46PM +0100, Martin Pitt wrote:
[..]
> Michael Vogt [2018-01-23 16:15 +0100]:
> > sync:*:4:65534:sync:/bin:/bin/sync
> >
> > which cannot be represented because you cannot specify a different
> > primary gid in the sysusers file (or a login shell). So extra work is
> > required for this but (personally) I would love to this is.
>
> Since you freshly looked at this, was this the only problem? I figure the sync
> group is mostly unused anyway, and completely irrelevant for containers - but
> does this also affect static groups which are actually important? I. e. which
> static groups cannot be replicated with sysusers?
I think man is the important one, it has uid=6 gid=12. Also nobody and
nogroup share the same id but different names.

> IMHO if we enable this, we should also provide a reasonably correct static
> sysusers so that the program actually works as intended. It doesn't need to
> (and can't right now) be perfect, but at least not completely break your
> system.

Totally agree. To do that I pushed a PR to systemd
(https://github.com/systemd/systemd/pull/7973) to allow a new uid:gid syntax.
Fwiw, I'm impressed once more by the quality and speed of the upstream code
reviews.

With that and the attached sysusers.d conf file we are closer, but there is the
issue that some users/groups share the same ID, e.g. nouser and nogroup.
systemd-sysusers does not like that, it will pick a new ID in this case. Fixing
this in the code is pretty trivial, we just need an OK from upstream how to do
it (either by ensuring the uid:gid syntax never changes the uid/gid or via a new
prefix/postfix like "!" to force creation).

Then there is also a small incompatibility issue with the shell:
```
$ head -n2 passwd
root:x:0:0::/root:/bin/sh
daemon:x:1:1::/usr/sbin:/sbin/nologin
$ head -n2 /usr/share/base-passwd/passwd.master
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```
For root it is "nologin" and the path of /sbin/nologin between Debian and
Fedora differs. That's another open issue.

Those seem to be the blockers for making this available generally. What do you
think?

Cheers,
 Michael
```
#Type Name     ID          GECOS  Home directory
u     root     0           -      /root
u     daemon   1           -      /usr/sbin
u     bin      2           -      /bin
u     sys      3           -      /dev
g     adm      4           -
g     tty      5           -
g     disk     6           -
g     man      12          -
u     sync     4:65534     -      /bin
u     games    5:60        -      /usr/games
u     man      6:12        -      /var/cache/man
u     lp       7           -      /var/spool/lpd
u     mail     8           -      /var/mail
u     news     9           -      /var/spool/news
u     uucp     10          -      /var/spool/uucp
u     proxy    13          -      /bin
g     kmem     15          -
g     dialout  20          -
g     fax      21          -
g     voice    22          -
g     cdrom    24          -
g     floppy   25          -
g     tape     26          -
g     sudo     27          -
g     audio    29          -
g     dip      30          -
u     www-data 33          -      /var/www
u     backup   34          -      /var/backups
g     operator 37          -
u     list     38          -      /var/list
u     irc      39          -      /var/run/ircd
g     src      40          -
u     gnats    41          -      /var/lib/gnats
g     shadow   42          -
g     utmp     43          -
g     video    44          -
g     sasl     45          -
g     plugdev  46          -
g     staff    50          -
g     games    60          -
g     users    100         -
u     nobody   65534:65534 -      /nonexistent
g     nogroup  65534       -
```