public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
To: git-commits@fedoraproject.org
Subject: [rpms/setup] update_services: Create passwd,group files from sysusers
Date: Mon, 22 Jun 2026 15:56:28 GMT [thread overview]
Message-ID: <178214378847.1.9572153546663545430.rpms-setup-7ced36d60b67@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/setup
Branch : update_services
Commit : 7ced36d60b67c9e74f7951123225200597e3d2fa
Author : Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date : 2025-03-14T17:57:55+01:00
Stats : +58/-84 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/setup/c/7ced36d60b67c9e74f7951123225200597e3d2fa?branch=update_services
Log:
Create passwd,group files from sysusers
This inverts the order of operations: previously, the passwd and group
files were the original source of information, and shadow and gpasswd
were created using sed, and sysusers fragments were generated using a
shell script.
There are a few problems with the previous approach:
- We had two sysusers files, one for groups and one for users. This
split makes things more complicated. By default sysusers will create
a group with the same name and number, if a user is defined without
an explicit group override. This is what we want to do, to make the
config shorter and easier to read.
- The rpm sysusers generator created two sets of 'Provides:group(…)'
attributes.
In the new approach, we use the sysusers file as the "source of truth",
and run systemd-sysusers to generate passwd, group, shadow, and gshadow
files.
This has the following advantages:
- No code to maintain here.
- The config is easier to read.
- Toes a lint of the data. If a uid conflict was present, we'd
get a warning.
- With the support for sysusers in rpm, when we install this package on
a system, because of the Provides, rpm will create the users and groups
using systemd-sysusers anyway. So by doing the same during the build,
we match what rpm would do anyway, so we get a file that is closer to
what will actually appear in the system.
- Since we now have a file generated by systemd-sysusers in the payload,
we can see how things will actually look on the installed system.
This allowed me to notice a bug in systemd packaging.
---
diff --git a/generate-sysusers-fragments.sh b/generate-sysusers-fragments.sh
deleted file mode 100755
index 6ff9470..0000000
--- a/generate-sysusers-fragments.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-#SPDX-License-Identifier: 0BSD
-
-set -euo pipefail
-
-test -f etc/group
-test -f etc/passwd
-
-mkdir -p sysusers.d
-
-while read -r line; do
- groupname=$(echo "${line}" | cut -d: -f1)
- gid=$(echo "${line}" | cut -d: -f3)
- echo "g ${groupname} ${gid}"
-done <etc/group >sysusers.d/20-setup-groups.conf
-
-while read -r line; do
- username=$(echo "${line}" | cut -d: -f1)
- uid=$(echo "${line}" | cut -d: -f3)
- gid=$(echo "${line}" | cut -d: -f4)
- gecos=$(echo "${line}" | cut -d: -f5)
- homedir=$(echo "${line}" | cut -d: -f6)
- if [ "${homedir}" == "/" ]; then
- homedir="-"
- fi
- shell=$(echo "${line}" | cut -d: -f7)
- if [ "${shell}" == "/usr/sbin/nologin" ]; then
- shell="-"
- fi
- echo "u ${username} ${uid}:${gid} \"${gecos}\" ${homedir} ${shell}"
-done <etc/passwd >sysusers.d/20-setup-users.conf
diff --git a/setup.spec b/setup.spec
index 390249d..83e6d62 100644
--- a/setup.spec
+++ b/setup.spec
@@ -12,31 +12,29 @@ Source0003: csh.cshrc
Source0004: csh.login
Source0005: ethertypes
Source0006: filesystems
-Source0007: group
-Source0008: host.conf
-Source0009: hosts
-Source0010: inputrc
-Source0011: networks
-Source0012: passwd
-Source0013: printcap
-Source0014: profile
-Source0015: protocols
-Source0016: services
-Source0017: shells
+Source0007: host.conf
+Source0008: hosts
+Source0009: inputrc
+Source0010: networks
+Source0011: printcap
+Source0012: profile
+Source0013: protocols
+Source0014: services
+Source0015: shells
Source0021: lang.csh
Source0022: lang.sh
Source0031: COPYING
Source0032: uidgid
-Source0033: generate-sysusers-fragments.sh
-Source0034: uidgidlint
+Source0033: setup.sysusers.conf
Source0035: serviceslint
BuildArch: noarch
BuildRequires: bash
BuildRequires: tcsh
BuildRequires: perl-interpreter
+BuildRequires: /usr/bin/systemd-sysusers
#systemd-rpm-macros: required to use _sysusersdir and _tmpfilesdir macro
BuildRequires: systemd-rpm-macros
#require system release for saner dependency order
@@ -48,21 +46,18 @@ setup files, such as passwd, group, and profile.
%prep
mkdir -p etc/profile.d
-cp %{lua: for i=1,17 do print(sources[i]..' ') end} etc/
+cp %{lua: for i=1,15 do print(sources[i]..' ') end} etc/
cp %SOURCE21 %SOURCE22 etc/profile.d/
-touch etc/{exports,motd,subgid,subuid}
+touch etc/{exports,motd,subgid,subuid,environment,fstab}
mkdir -p docs
cp %SOURCE31 %SOURCE32 docs/
-bash %SOURCE33
-
%build
-#make prototype for /etc/shadow
-sed -e "s/:.*/:*:`expr $(date +%s) / 86400`:0:99999:7:::/" etc/passwd >etc/shadow
-
-#make prototype for /etc/gshadow
-sed -e 's/:[0-9]\+:/::/g; s/:x:/::/' etc/group >etc/gshadow
+# This produces ./etc/{passwd,group,shadow,gshadow}
+systemd-sysusers --root=./ %SOURCE33
+# Allow the user to copy the file
+chmod 0400 ./etc/{shadow,gshadow}
%check
# Sanity checking selected files....
@@ -70,19 +65,16 @@ bash -n etc/bashrc
bash -n etc/profile
tcsh -f etc/csh.cshrc
tcsh -f etc/csh.login
-(cd etc && bash %SOURCE34 ./uidgid)
(cd etc && perl %SOURCE35 ./services)
%install
mkdir -p %{buildroot}/etc
cp -ar etc/* %{buildroot}/etc/
-mkdir -p %{buildroot}%{_sysusersdir}
-cp sysusers.d/* %{buildroot}%{_sysusersdir}/
+install -D -m0644 %SOURCE33 %{buildroot}%{_sysusersdir}/setup.conf
mkdir -p %{buildroot}/var/log
touch %{buildroot}/etc/environment
-chmod 0400 %{buildroot}/etc/{shadow,gshadow}
touch %{buildroot}/etc/fstab
echo "#Add any required envvar overrides to this file, it is sourced from /etc/profile" >%{buildroot}/etc/profile.d/sh.local
echo "#Add any required envvar overrides to this file, it is sourced from /etc/csh.login" >%{buildroot}/etc/profile.d/csh.local
@@ -181,8 +173,7 @@ end
%config(noreplace) %verify(not md5 size mtime) /etc/shells
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/fstab
%{_tmpfilesdir}/%{name}.conf
-%{_sysusersdir}/20-setup-groups.conf
-%{_sysusersdir}/20-setup-users.conf
+%{_sysusersdir}/setup.conf
/etc/dnf/protected.d/%{name}.conf
%dir /usr/share/dnf5
%dir /usr/share/dnf5/libdnf.conf.d
diff --git a/setup.sysusers.conf b/setup.sysusers.conf
new file mode 100644
index 0000000..6ab9c87
--- /dev/null
+++ b/setup.sysusers.conf
@@ -0,0 +1,39 @@
+u root 0 "Super User" /root /bin/bash
+u bin 1 "bin" /bin -
+u daemon 2 "daemon" /sbin -
+u adm 3:4 "adm" /var/adm -
+u lp 4:7 "lp" /var/spool/lpd -
+u sync 5:0 "sync" /sbin /bin/sync
+u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
+u halt 7:0 "halt" /sbin /sbin/halt
+u mail 8:12 "mail" /var/spool/mail -
+u operator 11:0 "operator" /root -
+u games 12:100 "games" /usr/games -
+u ftp 14:50 "FTP User" /var/ftp -
+u nobody 65534 "Kernel Overflow User" - -
+g sys 3
+g adm 4
+g tty 5
+g disk 6
+g lp 7
+g mem 8
+g kmem 9
+g wheel 10
+g cdrom 11
+g mail 12
+g man 15
+g dialout 18
+g floppy 19
+g games 20
+g utmp 22
+g tape 33
+g kvm 36
+g video 39
+g ftp 50
+g lock 54
+g audio 63
+g users 100
+g clock 103
+g input 104
+g render 105
+g sgx 106
diff --git a/uidgidlint b/uidgidlint
deleted file mode 100755
index 902f55e..0000000
--- a/uidgidlint
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# We need a file to look at.
-if [ -z "$*" ] ; then
- echo Usage: `basename $0` uidgid
- exit 1
-fi
-error=0
-# The format of the file is (currently)
-for infile in "$@" ; do
- uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu`
- gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu`
- for uid in $uidlist ; do
- if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then
- echo Duplicate UID: $uid
- error=1
- fi
- done
- for gid in $gidlist ; do
- if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then
- echo Duplicate GID: $gid
- error=1
- fi
- done
-done
-exit $error
reply other threads:[~2026-06-22 15:56 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178214378847.1.9572153546663545430.rpms-setup-7ced36d60b67@fedoraproject.org \
--to=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox