#94 Support user:group notation by sysusers.generate-pre.sh script
Closed 9 months ago by zbyszek. Opened 9 months ago by mosvald.
rpms/ mosvald/systemd user_group_notation  into  rawhide

file modified
+6 -3
@@ -70,9 +70,12 @@ 

  		eval "arr=( $line )"

  		case "${arr[0]}" in

  			('u')

- 				group "${arr[1]}" "${arr[2]}"

- 				user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"

- 				# TODO: user:group support

+ 				if [[ "${arr[2]}" == *":"* ]]; then

+ 					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"

+ 				else

+ 					group "${arr[1]}" "${arr[2]}"

+ 					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"

+ 				fi

  				;;

  			('g')

  				group "${arr[1]}" "${arr[2]}"
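Review bot: In the new `*":"*` branch the two halves of `${arr[2]}` are passed to `user` unchecked, so an ID such as `76:` or `:12` hands it an empty UID or group, and `76:12:3` splits into `76:12` and `12:3`. Suggest rejecting an empty or colon-containing `${arr[2]%:*}` / `${arr[2]#*:}` before the call. The fourth argument to `user` was always the name `${arr[1]}` and can now be a numeric GID, so it is worth confirming that `user` accepts one there. Because `group` is skipped on this path, a one-line comment stating that the primary group must come from its own `g` line or already exist would be a better replacement for the removed TODO than nothing.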

Hi,

Found out user:group notation is not supported by sysusers.generate-pre.sh while trying to implement/fix the below BZ:

Bug 2139054 - [RFE] cyrus-imapd user systemd-sysusers

For usual services, this is not needed, but cyrus-imapd runs under a different primary group (mail):

# grep -E 'cyrus|mail' /etc/passwd /etc/group
/etc/passwd:mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
/etc/passwd:cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
/etc/group:mail:x:12:
/etc/group:saslauth:x:76:cyrus
#

The %pre section and related definitions from cyrus-imapd.spec:

%define uid 76
%define gid 76
...
%define cyrususer cyrus
%define cyrusgroup mail
...
 %pre
# Create 'cyrus' user on target host
getent group saslauth >/dev/null || /usr/sbin/groupadd -g %gid -r saslauth
getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /var/lib/imap -g %cyrusgroup \
  -G saslauth -s /sbin/nologin -u %uid -r %cyrususer

When being rewritten to this:

+%sysusers_create_compat %{SOURCE19}

with SOURCE19 containing:

#Type Name     ID             GECOS                 Home directory Shell
g     saslauth 76
g     mail     12
u     cyrus    76:12          "Cyrus IMAP Server"   /var/lib/imap  /sbin/nologin
m     cyrus    saslauth

The package installation ends up creating the stuff correctly but only later on with the below preceding error/warning messages:

groupadd: invalid group ID '76:12'
useradd: invalid user ID '76:12'
useradd: group 'cyrus' does not exist
usermod: user 'cyrus' does not exist

  Installing       : cyrus-imapd-3.4.4-4.fc38.x86_64                                                                                                                                                                                   13/14 
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root
warning: user cyrus does not exist - using root

  Running scriptlet: cyrus-imapd-3.4.4-4.fc38.x86_64                                                                                                                                                                                   13/14 
  Installing       : cyrus-imapd-utils-3.4.4-4.fc38.x86_64                                                                                                                                                                             14/14 
  Running scriptlet: cyrus-imapd-utils-3.4.4-4.fc38.x86_64                                                                                                                                                                             14/14 
Creating user 'cyrus' (Cyrus IMAP Server) with UID 76 and GID 12.
Creating user 'saslauth' (Saslauthd user) with UID 991 and GID 76.

The patch fixes it for the cyrus-imapd.

Wrote it very quickly so it is likely buggy or not accounting for some scenario, but it tries to behave according to a snippet from the documentation:

https://www.freedesktop.org/software/systemd/man/sysusers.d.html#ID

The syntaxes "uid:gid" and "uid:groupname" are supported to allow creating users with specific primary groups. *The given group must be created explicitly, or it must already exist.*

Anyway, we need to implement this as I expect I won't be the only one hitting this at some point. Currently, all BZs which already implemented the %sysusers_create_compat macro don't use this user:group notation.

Thanks!
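The documentation rule quoted above ("uid:gid" and "uid:groupname", with the group declared explicitly or already present) can be checked before a package is built. The following is an added example, not code from this pull request, systemd or the Fedora packaging scripts; the function names, the conservative group-name character set and the sample entries are assumptions made for illustration, and path-style IDs are not handled.

```sh
# Added example, not part of sysusers.generate-pre.sh. parse_user_id NAME ID prints
# "<uid> <group> <kind>" (kind: gid|name|own); returns 1 for a malformed ID.
parse_user_id() {
    name=$1 id_field=$2
    case "$id_field" in
        *:*:*|:*|*:) return 1 ;;                 # extra colon or an empty half
        *:*) uid=${id_field%%:*} grp=${id_field#*:} kind=name ;;
        *)   uid=$id_field grp=$name kind=own ;;  # group named after the user
    esac
    case "$uid" in
        -) ;;                                    # "-": allocate automatically
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$kind" = name ]; then
        case "$grp" in                           # assumed conservative charset
            [!a-z_0-9]*|*[!a-z0-9_-]*|[0-9]*[!0-9]*) return 1 ;;
            [0-9]*) kind=gid ;;
        esac
    fi
    printf '%s %s %s\n' "$uid" "$grp" "$kind"
}

# lint_sysusers reads a sysusers.d file on stdin; it reports malformed 'u' IDs
# and explicit primary groups that have no 'g' line in the same file.
lint_sysusers() {
    content=$(cat) declared=' ' rc=0
    while read -r type gname gid rest; do
        case "$type" in g) declared="$declared$gname $gid " ;; esac
    done <<EOF
$content
EOF
    while read -r type uname id rest; do
        [ "$type" = u ] || continue
        parsed=$(parse_user_id "$uname" "${id:--}") ||
            { echo "$uname: malformed ID '$id'"; rc=1; continue; }
        set -- $parsed
        case "$3:$declared" in
            own:*|*" $2 "*) ;;
            *) echo "$uname: group '$2' has no g line, must already exist" ;;
        esac
    done <<EOF
$content
EOF
    return $rc
}
# Constructed sample (not the page's file): no "g mail" line, one bad ID.
sample() { printf '%s\n' 'g saslauth 76' 'u cyrus 76:mail "Cyrus IMAP Server"' \
    'u broken 76: "Constructed bad entry"' 'm cyrus saslauth'; }
sample | lint_sysusers || true
```

The lines are split with `read` rather than `eval`, so nothing in the file is executed while it is being checked.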

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

Hi @zbyszek , pls could you look into this?

Sorry for the delay. Thanks for the patch, it looks like it does the right thing. It is merged now.

Do you also need this in F37 and lower? I don't see a reason not to backport this, so I'll cherry-pick it before the next rebuild.

g saslauth 76
g mail 12
u cyrus 76:12 "Cyrus IMAP Server" /var/lib/imap /sbin/nologin
m cyrus saslauth

This would better be written as:

u cyrus 76:mail "Cyrus IMAP Server" /var/lib/imap /sbin/nologin

The allocations are "soft", so 'mail' could get a different GID, at least in principle.

Pull-Request has been closed by zbyszek

9 months ago

Thank you @zbyszek for the advice! Much appreciated, will use that.

Regarding Fedora, it depends, I plan to implement the sysusers only on Rawhide for now (although I saw others do that on older Fedoras too).

Anyway, the main reason behind this is RHEL9 where I have the below BZ about the same:

https://bugzilla.redhat.com/show_bug.cgi?id=2095381#c2

Do you think this change could get there? (would open BZ for it if needed).

> Regarding Fedora, it depends, I plan to implement the sysusers only on Rawhide for now (although I saw others do that on older Fedoras too).

OK, so I'll backport this eventually, but without a hurry.

> Anyway, the main reason behind this is RHEL9 where I have the below BZ about the same:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2095381#c2
>
> Do you think this change could get there? (would open BZ for it if needed).

For RHEL, please open a bug. It won't happen otherwise.
