Hi, Martin: Thanks for reminding me that my patch isn't good enough.
My intention is indeed to keep uid/gid creation more explicit. So the script can handle other "exceptions" better (in the future). I prefer to keep the logic instead of treating 65534 specially.

Thanks.
-KM

On Fri, Nov 16, 2018 at 9:32 AM Martin Pitt <mp...@debian.org> wrote:

> Hello Keh-Ming Luoh, hello Michael,
>
> sorry for the delay!
>
> Keh-Ming Luoh [2018-10-31 19:22 -0700]:
> > When I upgrade my systemd, I found there is a "nobody" group created
> > automatically.
>
> Thanks for tracking this down!
>
> > -awk -F: '{ i = ($3 == $4) ? $3 : $3":"$4; printf("u %-10s %-7s - %-20s
> %s\n", $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
> > +awk -F: '{ i = $3":"$4; printf("u %-10s %-7s - %-20s %s\n",
> $1,i,$6,$7) }' < /usr/share/base-passwd/passwd.master
>
> This is not quite correct. If you specify the GID explicitly, then it needs to
> exist before, i. e. the script would also need to be changed to create groups
> like "sys:3" explicitly. I. e. the conditional
>
>   # only take groups whose name+gid != the corresponding user in passwd.master
>
> part would need to become unconditional. This would work, but would make both
> the group and passwd list more unwieldy.
>
> As all static Debian users and groups *except* nobody:nogroup have the same
> name, I'd like to keep the "single ID" behaviour of systemd-sysusers, as it's
> generally the right thing to do and more robust. So instead I'd like to
> handle the "nogroup" special-case as such.
>
> With the attached patch I seem to get the correct behaviour. The effective diff
> of the generated sysusers.d is
>
> -u nobody 65534 - /nonexistent /usr/sbin/nologin
> +u nobody 65534:65534 - /nonexistent /usr/sbin/nologin
>
> and nothing else. With current 239-11:
>
>   # systemd-sysusers
>   Creating group nobody with gid 999.
>
> and with this patched /usr/lib/sysusers.d/basic.conf:
>
>   # systemd-sysusers
>   # grep nobody /etc/group
>   #
>
> i. e. it stops creating the group.
>
> I also added some postinst cleanup with some reasonable defensiveness.
> (Double-checking it now)
>
> @Michael, does that seem ok to you?
>
> Thanks,
>
> Martin
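
Review bot: the `+awk` line drops the `($3 == $4)` test entirely, so every entry read from passwd.master is emitted in `uid:gid` form, not only the nobody entry that triggered the report. As the reply points out, an explicitly specified GID has to exist beforehand, so this change is only safe if the group list generation is made unconditional in the same patch. Note also that `$3 == $4` compares numeric IDs only, which match for nobody (65534 and 65534) even though its group is named nogroup; a narrower change keeps the ternary and emits `uid:gid` just for entries whose primary group name differs from the user name, with a comment in the script saying why that case exists.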