sysusers.d support applies %attr() ownership before creating sysusers #3073

Closed
martinpitt opened this issue May 3, 2024 · 5 comments

@martinpitt

We are currently trying to move our project to systemd-sysusers, away from manual useradd calls in the package's %pre script. The rpm manual claims

> Rpm >= 4.19 has native support for declarative user and group creation through integration with systemd’s sysusers.d format. Packagers will only need to package a sysusers.d file for their custom users and groups in /usr/lib/sysusers.d and rpm will take care of the rest.

I tried that on current Fedora 40 (rpm-4.19.1.1-1.fc40.x86_64), and an initial version with a clean approach just adds %{_sysusersdir}/cockpit-ws.conf file to the rpm. The diff doesn't show the existing

```
%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
```

in the spec which makes use of the dynamic group.

The rpm build does create the "magic" provides:

```
# rpm -q --provides cockpit-ws
cockpit-ws = 316.dev27+g1dc9d3b8f-1.fc40
cockpit-ws(x86-64) = 316.dev27+g1dc9d3b8f-1.fc40
config(cockpit-ws) = 316.dev27+g1dc9d3b8f-1.fc40
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A

# echo dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A | base64 -d
u cockpit-ws - "User for cockpit web service" -
```

On install it does create the sysusers, but it tries to apply the %attr before creating the users:

```
# rpm -i --verbose /var/tmp/build/cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64.rpm 
Verifying packages...
Preparing packages...
cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating user 'cockpit-ws' (User for cockpit web service) with UID 979 and GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
Creating user 'cockpit-wsinstance' (User for cockpit-ws instances) with UID 978 and GID 978.
```

and after installation, /usr/libexec/cockpit-session has the wrong ownership (group root).

So for the docs to actually work, it needs to create the sysusers before unpacking (i.e. what a %pre script would do) from its "magic" provides or other internal .rpm metadata, or defer the %attr() application after the initial unpacking of the files and sysusers creation.

I suppose that is the reason why the Fedora packaging guidelines have a completely different, and very hackish approach -- that suggests to duplicate the sysusers file downstream in the packaging dist-git, and using %sysusers_create_compat to basically create some useradd shell script out of the sysusers.d file. But this is awkward, error prone, a bit hard to automate for releases. It also feels backwards -- the whole point is to move and standardize all of this upstream.

I didn't find any existing upstream or Fedora downstream (bugzilla) bug report, so filing this one.

Thanks!

CC: @travier
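
Added example, not part of the original issue and not rpm's own code: a small checker that decodes the `user()`/`group()` provides shown above and matches them against the "does not exist - using root" warning, so an install log can be triaged as "the package declares this account but it was created too late" versus "nobody declares it". The function names are hypothetical, the sample input is copied from this issue, and the `user` form of the warning is assumed to use the same wording as the `group` form.

```python
import base64
import re

# Sample input copied from the issue above.
PROVIDES = """\
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A
"""
INSTALL_LOG = """\
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
"""

def declared_accounts(provides):
    """Return ({user: sysusers.d line}, {group names}) from `rpm -q --provides` output."""
    users, groups = {}, set()
    for line in provides.splitlines():
        m = re.match(r"\s*(user|group)\(([^)]+)\)(?:\s*=\s*(\S+))?\s*$", line)
        if not m:
            continue
        kind, name, blob = m.groups()
        if kind == "group":
            groups.add(name)
        elif blob:
            # The value is the base64 of the sysusers.d line, NUL-terminated.
            raw = base64.b64decode(blob, validate=True)
            users[name] = raw.rstrip(b"\0").decode()
    return users, groups

def ownership_fallbacks(log):
    """Return (kind, name, fallback) for each 'does not exist - using X' warning."""
    pat = re.compile(r"warning: (user|group) (\S+) does not exist - using (\S+)")
    return [m.groups() for m in map(pat.search, log.splitlines()) if m]

def classify(provides, log):
    """Label each fallback by whether the package itself declares the account."""
    users, groups = declared_accounts(provides)
    findings = []
    for kind, name, fallback in ownership_fallbacks(log):
        own = name in (users if kind == "user" else groups)
        findings.append((kind, name, fallback,
                         "created-too-late" if own else "undeclared"))
    return findings
```

A "created-too-late" finding on a file packaged with a setuid mode such as the 4750 above is the case worth alerting on, because the file ends up with the fallback group instead of the dedicated one.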

@ffesti
Contributor

ffesti commented May 3, 2024

As far as I know this feature is not enabled in Fedora 40. See https://fedoraproject.org/wiki/Changes/RPM-4.19#Scope

rpm-4.18.92-disable-sysusers.patch

iff -up rpm-4.18.92/macros.in.orig rpm-4.18.92/macros.in                       
--- rpm-4.18.92/macros.in.orig  2023-08-02 17:56:49.858065935 +0200             
+++ rpm-4.18.92/macros.in       2023-08-02 17:57:01.967988065 +0200             
@@ -138,7 +138,7 @@                                                             
                                                                                
 # sysusers helper binary (or a replacement script), uncomment to disable       
 #%__systemd_sysusers   @__SYSTEMD_SYSUSERS@                                    
-%__systemd_sysusers    %{_rpmconfigdir}/sysusers.sh                            
+#%__systemd_sysusers   %{_rpmconfigdir}/sysusers.sh                            
                                                                                
 #                                                                              
 #      Path to script that creates debug symbols in a /usr/lib/debug
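
Review bot: At the `%__systemd_sysusers` line, both definitions are now commented out while the comment above still reads "uncomment to disable", so nothing in the file records that the helper is switched off on purpose or what has to be in place before it is switched back on. Add a one-line comment above `#%__systemd_sysusers   %{_rpmconfigdir}/sysusers.sh` giving the reason and the condition for re-enabling, and confirm that the "uncomment to disable" wording still describes how the two lines are meant to be used.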

So there is some work to do on the Fedora side to make sure the distribution is ready for this.

@martinpitt
Author

Thanks @ffesti! So I suppose this should be closed upstream, and I'll create a bugzilla instead?

martinpitt pushed a commit to travier/cockpit that referenced this issue May 3, 2024
Add a sysusers config file for our remaining system user.

Arch was already using sysusers, replace the packaging specific one with
the upstream one.

For Debian, run dh_installsysusers (compat level 14 will do that
automatically in the future).

RPM 4.19 has native support for sysusers in principle [1], but it's not
currently enabled/working [2]. Fedora rather wants packages to do an
overcomplicated process which keeps a downstream copy of the sysusers
file in the packaging dist-git [3], which is error prone and ugly to
automate.

So keep the tried-and-tested current approach of creating the user
directly in the spec's `%pre` script for the time being (which is
necessary anyway for CentOS/RHEL 9).

[1] https://rpm-software-management.github.io/rpm/manual/users_and_groups.html
[2] rpm-software-management/rpm#3073
[3] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
@travier

travier commented May 3, 2024

Ah, good point. This needs discussion on the Fedora side.

@ffesti
Contributor

ffesti commented May 4, 2024

Yeah, this probably needs a discussion and Global Change in Fedora and an additional change in the Packaging Guidelines. Those are not topics for upstream. So I am closing this here. But feel free to ping me if you need help on the Fedora side. We will also happily improve the documentation upstream with lessons learned.

Also note that there are more improvements coming with the rpm 4.20 release that is expected in Fedora 41 in a few weeks.

@ffesti ffesti closed this as completed May 4, 2024
martinpitt pushed a commit to martinpitt/cockpit that referenced this issue May 8, 2024
martinpitt pushed a commit to cockpit-project/cockpit that referenced this issue May 8, 2024
@ffesti
Contributor

ffesti commented May 13, 2024

I started a discussion on the Fedora devel list:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IKWECWMBWN2IDKLHK3Q2TZKVSVFTXUNA/
