On 07/10/2014 04:47 PM, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jul 10, 2014 at 02:59:10PM +0000, "Jóhann B. Guðmundsson" wrote:
On 07/10/2014 12:51 PM, Zbigniew Jędrzejewski-Szmek wrote:
An administrator might want to block a certain sysusers config file from
being executed, e.g. to block the creation of a certain user.
---
  src/sysusers/sysusers.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 129493a1e7..68c552d24a 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -62,6 +62,8 @@ typedef struct Item {
  static char *arg_root = NULL;
  static const char conf_file_dirs[] =
+        "/etc/sysusers.d\0"
+        "/run/sysusers.d\0"
          "/usr/local/lib/sysusers.d\0"
          "/usr/lib/sysusers.d\0"
  #ifdef HAVE_SPLIT_USR
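
Review bot: The two entries added at the top of conf_file_dirs, "/etc/sysusers.d\0" and "/run/sysusers.d\0", come with no documentation. The diffstat shows only src/sysusers/sysusers.c changing, and the commit message names neither directory nor the search order. The blocking use case in the commit message depends on these directories being listed ahead of /usr/local/lib/sysusers.d and /usr/lib/sysusers.d. Suggest updating the sysusers.d documentation in the same patch with the full directory list and its priority order, and stating in the commit message that both /etc and /run are added and why /run is needed.
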
How does this handle multiple users? And if I, as an administrator,
wanted to block some users from being created, I simply would not
have installed the component that created him in the first place, no?
Let's say that mydatabase.rpm wants to use mydatabaseuser, and creates
the user using sysusers.d, and has a config file which contains
   user = mydatabaseuser.
You as an admin know this, but want to use a different user for
whatever reason.

We need to know that reason, as in what exactly is the problem administrators are trying to solve by doing that, and is that problem not already solved with containers or sandboxed applications?

  So you provide the config file, but sysusers will
still create the user. This is not harmful usually, but can lead
e.g. to confusion, if you or the other admin later sees that this
user exists. So you might do 'ln -s /dev/null /etc/sysusers.d/mydatabase.conf',
to avoid that.

Surely "Sandboxed applications", when designed, was not strictly intended for GNOME or limited to GNOME existing on the machine for it to be used, meaning surely I should be able to download/install/run the "Sandboxed applications postgresql" which I fetched directly from postgresql upstream and its community and deploy it on my server.

As I said before, aren't we wasting time solving problems for packaging formats that are becoming obsolete if things continue to progress in a sandboxed/containerized future?

I have to ask at this point: is there something that is preventing us from introducing a type container unit?

JBG