----- Original Message -----
> Hi, for Atomic I'd like to investigate the new systemd-sysusers, so I
> wrote up a Change:
> 
> https://fedoraproject.org/wiki/Changes/SystemdSysusers

A move to something more declarative makes sense (whether in systemd or through 
some kind of long-expected declarative rpm facility doesn’t matter to me much.)

The sysusers tool _really_ needs to use an existing API to manage the user 
database, though.  As it is, the implementation
* validates names incorrectly
* breaks the configurable [UG]ID_MIN logic 
(http://fedoraproject.org/wiki/Features/1000SystemAccounts, and yes, that is 
actually used and needed)
* is likely to break various readers software by not updating the shadow files
* doesn’t do any auditing.
We are currently already in a bad position by having two major implementations 
of maintaining the critical databases, we absolutely don’t want any more.

At this point this means systemd-sysusers should either run the executables from 
shadow-utils, or link to libuser.  (Or, I suppose, use accountsservice, but 
that ends up calling shadow-utils.)

The plan is to have a single implementation, living around sssd.  (Jakub knows 
more.)  Either of the two API points above is planned to use the sssd 
implementation, so can be relied on long-term.
    Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
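
An added example, not part of the original message and not code from systemd or shadow-utils: a consistency check an administrator could run for two of the points listed above, the configurable UID_MIN boundary and missing shadow entries. The file contents, the account names and the `system_names` set (the accounts some declarative tool was asked to create) are constructed; the fallback of 1000 when UID_MIN is absent is an assumption.

```python
# Added example: all file contents below are constructed samples.
LOGIN_DEFS = "UID_MIN 1000\nSYS_UID_MIN 201\nSYS_UID_MAX 999\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc-a:x:998:998::/var/lib/svc-a:/sbin/nologin
svc-b:x:1001:1001::/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:*:16000:0:99999:7:::
svc-b:!!:16000::::::
alice:*:16000:0:99999:7:::
"""

def parse_login_defs(text):
    """Return the numeric KEY VALUE settings from login.defs-style text."""
    values = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].isdigit():
            values[parts[0]] = int(parts[1])
    return values

def audit_accounts(passwd, shadow, login_defs, system_names):
    """Return (name, problem) pairs for accounts that look inconsistent."""
    # Assumption: fall back to 1000 when the site does not set UID_MIN.
    uid_min = parse_login_defs(login_defs).get("UID_MIN", 1000)
    shadowed = {l.split(":", 1)[0] for l in shadow.splitlines() if l.strip()}
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((line, "malformed passwd line"))
            continue
        name, pw_field, uid = fields[0], fields[1], int(fields[2])
        # "x" means the hash lives in shadow; readers expect an entry there.
        if pw_field == "x" and name not in shadowed:
            findings.append((name, "no shadow entry"))
        # System accounts must stay below the site's configured UID_MIN.
        if name in system_names and uid >= uid_min:
            findings.append(
                (name, f"system account UID {uid} >= UID_MIN {uid_min}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_accounts(PASSWD, SHADOW, LOGIN_DEFS,
                                        {"svc-a", "svc-b"}):
        print(f"{name}: {problem}")
```
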
