[rpms/setup] update_services: Create passwd,group files from sysusers

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/setup] update_services: Create passwd,group files from sysusers
@ 2026-06-22 15:56 
  0 siblings, 0 replies; only message in thread
From:  @ 2026-06-22 15:56 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/setup
            Branch : update_services
            Commit : 7ced36d60b67c9e74f7951123225200597e3d2fa
            Author : Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
            Date   : 2025-03-14T17:57:55+01:00
            Stats  : +58/-84 in 4 file(s)
            URL    : https://src.fedoraproject.org/rpms/setup/c/7ced36d60b67c9e74f7951123225200597e3d2fa?branch=update_services

            Log:
            Create passwd,group files from sysusers

This inverts the order of operations: previously, the passwd and group
files were the original source of information, and shadow and gpasswd
were created using sed, and sysusers fragments were generated using a
shell script.

There are a few problems with the previous approach:
- We had two sysusers files, one for groups and one for users. This
  split makes things more complicated. By default sysusers will create
  a group with the same name and number, if a user is defined without
  an explicit group override. This is what we want to do, to make the
  config shorter and easier to read.
- The rpm sysusers generator created two sets of 'Provides:group(…)'
  attributes.

In the new approach, we use the sysusers file as the "source of truth",
and run systemd-sysusers to generate passwd, group, shadow, and gshadow
files.

This has the following advantages:
- No code to maintain here.
- The config is easier to read.
- Toes a lint of the data. If a uid conflict was present, we'd
  get a warning.
- With the support for sysusers in rpm, when we install this package on
  a system, because of the Provides, rpm will create the users and groups
  using systemd-sysusers anyway. So by doing the same during the build,
  we match what rpm would do anyway, so we get a file that is closer to
  what will actually appear in the system.
- Since we now have a file generated by systemd-sysusers in the payload,
  we can see how things will actually look on the installed system.
  This allowed me to notice a bug in systemd packaging.

---
diff --git a/generate-sysusers-fragments.sh b/generate-sysusers-fragments.sh
deleted file mode 100755
index 6ff9470..0000000
--- a/generate-sysusers-fragments.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-#SPDX-License-Identifier: 0BSD
-
-set -euo pipefail
-
-test -f etc/group
-test -f etc/passwd
-
-mkdir -p sysusers.d
-
-while read -r line; do
-  groupname=$(echo "${line}" | cut -d: -f1)
-  gid=$(echo "${line}" | cut -d: -f3)
-  echo "g ${groupname} ${gid}"
-done <etc/group >sysusers.d/20-setup-groups.conf
-
-while read -r line; do
-  username=$(echo "${line}" | cut -d: -f1)
-  uid=$(echo "${line}" | cut -d: -f3)
-  gid=$(echo "${line}" | cut -d: -f4)
-  gecos=$(echo "${line}" | cut -d: -f5)
-  homedir=$(echo "${line}" | cut -d: -f6)
-  if [ "${homedir}" == "/" ]; then
-    homedir="-"
-  fi
-  shell=$(echo "${line}" | cut -d: -f7)
-  if [ "${shell}" == "/usr/sbin/nologin" ]; then
-    shell="-"
-  fi
-  echo "u ${username} ${uid}:${gid} \"${gecos}\" ${homedir} ${shell}"
-done <etc/passwd >sysusers.d/20-setup-users.conf

diff --git a/setup.spec b/setup.spec
index 390249d..83e6d62 100644
--- a/setup.spec
+++ b/setup.spec
@@ -12,31 +12,29 @@ Source0003: csh.cshrc
 Source0004: csh.login
 Source0005: ethertypes
 Source0006: filesystems
-Source0007: group
-Source0008: host.conf
-Source0009: hosts
-Source0010: inputrc
-Source0011: networks
-Source0012: passwd
-Source0013: printcap
-Source0014: profile
-Source0015: protocols
-Source0016: services
-Source0017: shells
+Source0007: host.conf
+Source0008: hosts
+Source0009: inputrc
+Source0010: networks
+Source0011: printcap
+Source0012: profile
+Source0013: protocols
+Source0014: services
+Source0015: shells
 
 Source0021: lang.csh
 Source0022: lang.sh
 
 Source0031: COPYING
 Source0032: uidgid
-Source0033: generate-sysusers-fragments.sh
-Source0034: uidgidlint
+Source0033: setup.sysusers.conf
 Source0035: serviceslint
 
 BuildArch: noarch
 BuildRequires: bash
 BuildRequires: tcsh
 BuildRequires: perl-interpreter
+BuildRequires: /usr/bin/systemd-sysusers
 #systemd-rpm-macros: required to use _sysusersdir and _tmpfilesdir macro
 BuildRequires: systemd-rpm-macros
 #require system release for saner dependency order
@@ -48,21 +46,18 @@ setup files, such as passwd, group, and profile.
 
 %prep
 mkdir -p etc/profile.d
-cp %{lua: for i=1,17 do print(sources[i]..' ') end} etc/
+cp %{lua: for i=1,15 do print(sources[i]..' ') end} etc/
 cp %SOURCE21 %SOURCE22 etc/profile.d/
-touch etc/{exports,motd,subgid,subuid}
+touch etc/{exports,motd,subgid,subuid,environment,fstab}
 
 mkdir -p docs
 cp %SOURCE31 %SOURCE32 docs/
 
-bash %SOURCE33
-
 %build
-#make prototype for /etc/shadow
-sed -e "s/:.*/:*:`expr $(date +%s) / 86400`:0:99999:7:::/" etc/passwd >etc/shadow
-
-#make prototype for /etc/gshadow
-sed -e 's/:[0-9]\+:/::/g; s/:x:/::/' etc/group >etc/gshadow
+# This produces ./etc/{passwd,group,shadow,gshadow}
+systemd-sysusers --root=./ %SOURCE33
+# Allow the user to copy the file
+chmod 0400 ./etc/{shadow,gshadow}
 
 %check
 # Sanity checking selected files....
@@ -70,19 +65,16 @@ bash -n etc/bashrc
 bash -n etc/profile
 tcsh -f etc/csh.cshrc
 tcsh -f etc/csh.login
-(cd etc && bash %SOURCE34 ./uidgid)
 (cd etc && perl %SOURCE35 ./services)
 
 %install
 mkdir -p %{buildroot}/etc
 cp -ar etc/* %{buildroot}/etc/
 
-mkdir -p %{buildroot}%{_sysusersdir}
-cp sysusers.d/* %{buildroot}%{_sysusersdir}/
+install -D -m0644 %SOURCE33 %{buildroot}%{_sysusersdir}/setup.conf
 
 mkdir -p %{buildroot}/var/log
 touch %{buildroot}/etc/environment
-chmod 0400 %{buildroot}/etc/{shadow,gshadow}
 touch %{buildroot}/etc/fstab
 echo "#Add any required envvar overrides to this file, it is sourced from /etc/profile" >%{buildroot}/etc/profile.d/sh.local
 echo "#Add any required envvar overrides to this file, it is sourced from /etc/csh.login" >%{buildroot}/etc/profile.d/csh.local
@@ -181,8 +173,7 @@ end
 %config(noreplace) %verify(not md5 size mtime) /etc/shells
 %ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/fstab
 %{_tmpfilesdir}/%{name}.conf
-%{_sysusersdir}/20-setup-groups.conf
-%{_sysusersdir}/20-setup-users.conf
+%{_sysusersdir}/setup.conf
 /etc/dnf/protected.d/%{name}.conf
 %dir /usr/share/dnf5
 %dir /usr/share/dnf5/libdnf.conf.d

diff --git a/setup.sysusers.conf b/setup.sysusers.conf
new file mode 100644
index 0000000..6ab9c87
--- /dev/null
+++ b/setup.sysusers.conf
@@ -0,0 +1,39 @@
+u root         0      "Super User"            /root            /bin/bash
+u bin          1      "bin"                   /bin             -
+u daemon       2      "daemon"                /sbin            -
+u adm          3:4    "adm"                   /var/adm         -
+u lp           4:7    "lp"                    /var/spool/lpd   -
+u sync         5:0    "sync"                  /sbin            /bin/sync
+u shutdown     6:0    "shutdown"              /sbin            /sbin/shutdown
+u halt         7:0    "halt"                  /sbin            /sbin/halt
+u mail         8:12   "mail"                  /var/spool/mail  -
+u operator    11:0    "operator"              /root            -
+u games       12:100  "games"                 /usr/games       -
+u ftp         14:50   "FTP User"              /var/ftp         -
+u nobody   65534      "Kernel Overflow User"  -                -
+g sys            3
+g adm            4
+g tty            5
+g disk           6
+g lp             7
+g mem            8
+g kmem           9
+g wheel          10
+g cdrom          11
+g mail           12
+g man            15
+g dialout        18
+g floppy         19
+g games          20
+g utmp           22
+g tape           33
+g kvm            36
+g video          39
+g ftp            50
+g lock           54
+g audio          63
+g users          100
+g clock          103
+g input          104
+g render         105
+g sgx            106

diff --git a/uidgidlint b/uidgidlint
deleted file mode 100755
index 902f55e..0000000
--- a/uidgidlint
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# We need a file to look at.
-if [ -z "$*" ] ; then
-	echo Usage: `basename $0` uidgid
-	exit 1
-fi
-error=0
-# The format of the file is (currently)
-for infile in "$@" ; do
-	uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu`
-	gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu`
-	for uid in $uidlist ; do
-		if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then
-			echo Duplicate UID: $uid
-			error=1
-		fi
-	done
-	for gid in $gidlist ; do
-		if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then
-			echo Duplicate GID: $gid
-			error=1
-		fi
-	done
-done
-exit $error

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-22 15:56 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-22 15:56 [rpms/setup] update_services: Create passwd,group files from sysusers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox