docs/users-and-groups: expand on static users and systemd-sysusers #1261

Merged
merged 1 commit into from
Apr 10, 2025

jmarrero
Contributor

@jmarrero jmarrero commented Apr 9, 2025

https://docs.fedoraproject.org/en-US/bootc/authentication/ links to this page instead of copying the info, so we should be OK. This doc is 99% Colin's modifications.

@github-actions github-actions bot added documentation Improvements or additions to documentation control/skip-ci Do not run expensive CI on this job labels Apr 9, 2025
@cgwalters
Collaborator

cc @keszybz

@jmarrero jmarrero force-pushed the docs-users branch 3 times, most recently from 5b5c5a1 to dd376c4 Compare April 10, 2025 19:10
These directives will adjust the access mode, user and group ownership and the SELinux security context as
stated on the doc linked above.

For example, if we need a on "/var/lib/my_file.conf" to be part of the tss group but owned by root
Collaborator

Typo here "a on"

Co-authored-by: Colin Walters <walters@verbum.org>

Signed-off-by: Colin Walters <walters@verbum.org>
Signed-off-by: Joseph Marrero Corchado <jmarrero@redhat.com>
@jmarrero jmarrero merged commit e33eafd into bootc-dev:main Apr 10, 2025
18 of 30 checks passed

keszybz commented Apr 11, 2025

I was later to the review, but here are some comments anyway:

> At the time of this writing this relies on SMBIOS which is mainly configurable in local virtualization environments. (qemu).

I don't know when this was written, but nowadays it's quite wrong. There are multiple other mechanisms to pass credentials other than SMBIOS.

> It is common for packages (deb/rpm/etc) to allocate system users or groups as part of e.g apt|dnf install <server package>
> such as Apache or MySQL, and this is often done by directly invoking useradd or groupadd as part of package pre/post installation scripts.

With https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers, this is now not true for dnf install. Distro packages in F43+ do not call useradd or groupadd.

> COPY mycustom-user.conf /usr/lib/sysusers.d

We recommend the file to be named after the package. So this probably should be myservice.conf or something like that.

> Such cases are best handled by being converted to use sysusers.d (see Fedora change)

Using sysusers.d doesn't really matter or solve anything. systemd-sysusers intentionally implements the same allocation policy, dynamic by default, as the scriptlets specified in the Fedora Packaging Guidelines.

> /var/lib/my_file.conf

Extra ".conf" here. We wouldn't have a config file in /var and it doesn't match the snippet below.

--

The big problem with this text is that it doesn't explain the problem adequately, and it doesn't offer a solution that people can select&paste into their own stuff. After doing packaging for a while, I know that if you offer people a menu of low-level options like this, most people will just ignore it, and a few will use it in very creative ways. I think that there needs to be a simple recipe like "If you have this situation, do this, and otherwise, if this, then that, otherwise something else.".

Using tmpfiles to set file ownership during boot is a useful workaround, but it has caveats. One is that systemd-tmpfiles is called during not-too-early boot, so the service that wants to use the files cannot start too early. This shouldn't be an issue for most services though, but might be worth mentioning. Second, bigger, issue is that for this to work reliably the file must be owned by root first, and then chowned to the user/group. If it is owned by the user/group, and drift occurs, it'll be wrongly owned after installation and during early boot and this creates likely confusion and a potential vulnerability. A typical package for which we'd want to use such a tmpfiles snippet, i.e. which has a static owned file in the payload, falls into this trap :(
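
The drift trap described in the last paragraph of the comment above, as an added example that is not part of the pull request, the bootc docs or any participant's comment: it flags payload files that are not owned by root:root, shows which account a host with different ID assignments resolves them to before tmpfiles runs, and builds the tmpfiles.d `z` line to use once the file ships as root:root. The numeric IDs, the `example` group, and the `Entry`, `parse_ids` and `audit` names are constructed for illustration.

```python
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    """One file in the image payload, as lstat() would report it."""
    path: str
    uid: int
    gid: int
    mode: int

def parse_ids(db_text):
    """Map numeric id -> name from passwd(5) or group(5) text (field 3 is the id)."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids

def audit(entries, build_passwd, build_group, host_passwd, host_group):
    """Report payload files not owned by root:root and what a drifted host sees."""
    b_users, b_groups = parse_ids(build_passwd), parse_ids(build_group)
    h_users, h_groups = parse_ids(host_passwd), parse_ids(host_group)
    findings = []
    for e in entries:
        if e.uid == 0 and e.gid == 0:
            continue  # root:root cannot drift; tmpfiles can chown it at boot
        user = b_users.get(e.uid, str(e.uid))
        group = b_groups.get(e.gid, str(e.gid))
        findings.append({
            "path": e.path,
            "built_as": f"{user}:{group}",
            # Until tmpfiles runs, the host resolves the same numbers with its own db.
            "host_sees": f"{h_users.get(e.uid, e.uid)}:{h_groups.get(e.gid, e.gid)}",
            "tmpfiles": f"z {e.path} {stat.S_IMODE(e.mode):04o} {user} {group}",
        })
    return findings

# Constructed sample data: gid 59 is tss at build time but another group on the host.
BUILD_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
BUILD_GROUP = "root:x:0:\ntss:x:59:\n"
HOST_PASSWD = BUILD_PASSWD
HOST_GROUP = "root:x:0:\nexample:x:59:\ntss:x:981:\n"
PAYLOAD = [Entry("/var/lib/my_file", 0, 59, 0o100640),
           Entry("/var/lib/other_file", 0, 0, 0o100644)]

if __name__ == "__main__":
    for finding in audit(PAYLOAD, BUILD_PASSWD, BUILD_GROUP, HOST_PASSWD, HOST_GROUP):
        print(finding)
```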
