Hello Keh-Ming Luoh, hello Michael, sorry for the delay!

Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> When I upgrade my systemd, I found there is a "nobody" group created
> automatically.

Thanks for tracking this down!

> -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
> +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }'
> < /usr/share/base-passwd/passwd.master

This is not quite correct. If you specify the GID explicitly, then it needs to
exist before, i. e. the script would also need to be changed to create groups
like "sys:3" explicitly. I. e. the conditional

# only take groups whose name+gid != the corresponding user in passwd.master

part would need to become unconditional. This would work, but would make both
the group and passwd list more unwieldy.

As all static Debian users and groups *except* nobody:nogroup have the same
name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
generally the right thing to do and more robust.

So instead I'd like to handle the "nogroup" special-case as such. With the
attached patch I seem to get the correct behaviour. The effective diff of the
generated sysusers.d is

-u nobody 65534 - /nonexistent /usr/sbin/nologin
+u nobody 65534:65534 - /nonexistent /usr/sbin/nologin

and nothing else. With current 239-11:

# systemd-sysusers
Creating group nobody with gid 999.

and with this patched /usr/lib/sysusers.d/basic.conf:

# systemd-sysusers
# grep nobody /etc/group
#

i. e. it stops creating the group.

I also added some postinst cleanup with some reasonable defensiveness.
(Double-checking it now)

@Michael, does that seem ok to you?

Thanks,

Martin

>From b74313718d817e224e807b7979dd6434ba2fc120 Mon Sep 17 00:00:00 2001 From: Martin Pitt <mar...@piware.de> Date: Fri, 16 Nov 2018 18:21:29 +0100 Subject: [PATCH] Fix wrong "nobody" group from sysusers.d Fix our make-sysusers-basic sysusers.d generator to special-case the nobody group. "nobody" user and "nogroup" group both have the same ID 65534, which is the only special case for Debian's static users/groups. So specify the gid explicitly, to avoid systemd-sysusers creating a dynamic system group for "nobody". Also clean up the group on upgrades. Thanks to Keh-Ming Luoh for the original patch! Closes: #912525 --- debian/extra/make-sysusers-basic | 3 ++- debian/systemd.postinst | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/debian/extra/make-sysusers-basic b/debian/extra/make-sysusers-basic index 0aaa65cc5c..8ff1b15900 100755 --- a/debian/extra/make-sysusers-basic +++ b/debian/extra/make-sysusers-basic @@ -14,4 +14,5 @@ done < /usr/share/base-passwd/group.master echo -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master +# treat "nobody:nogroup" specially: same ID, but different name, so prevent creating a "nobody" group +awk -F: '{ i = ($3 == $4 && $4 != 65534) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master diff --git a/debian/systemd.postinst b/debian/systemd.postinst index 21210baab8..70f0b2334d 100644 --- a/debian/systemd.postinst +++ b/debian/systemd.postinst 
@@ -155,4 +155,13 @@ if dpkg --compare-versions "$2" lt-nl "236-1~"; then rm -f /var/lib/systemd/clock fi +if dpkg --compare-versions "$2" lt-nl "239-12~"; then + # clean up bogus "nobody" group from #912525; ensure that it's a system group + gid=$(grep '^nobody:x:' /etc/group | cut -f3 -d:) + if [ -n "$gid" ] && [ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]; then + echo "Cleaning up erroneous nobody group" + sed -i '/^nobody:x:/d' /etc/group + fi +fi + #DEBHELPER# -- 2.19.1
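
Review bot: In debian/extra/make-sysusers-basic, the new awk condition keys the special case on the literal `$4 != 65534`, while the comment above it describes the case as "same ID, but different name". The two agree only as long as 65534 stays the sole entry in passwd.master whose group name differs from the user name. Consider testing the user name (`$1 != "nobody"`) or saying in the comment that 65534 is the nobody/nogroup ID, so the next reader does not have to look the number up. The explicit `65534:65534` form also depends on the `nogroup` line being emitted by the group.master loop that ends just above this hunk; a short comment noting that dependency would help.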
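
Review bot: In debian/systemd.postinst, the cleanup removes the entry with `sed -i '/^nobody:x:/d' /etc/group` only, so a matching "nobody" line in /etc/gshadow is left behind and the edit is made without the locking the shadow tools use. Using `groupdel nobody` would handle both files and would refuse to remove a group that is still some user's primary group. The guard `[ "$gid" -gt 0 ] && [ "$gid" -lt 1000 ]` only establishes that the GID is in the system range, not that the group came from this bug: a "nobody" system group an admin created deliberately, or one that has members listed in the fourth field, would be deleted as well. Checking that the member list is empty before removing would make this more defensive. Files already owned by the removed GID, if any, stay on disk and would become accessible to whichever system group is allocated that number next, which may be worth a line in the comment. The grep pattern also requires the password field to be exactly `x`, and the numeric tests will error out if it matches more than one line.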