On 24/08/14 04:54 PM, Sébastien Luttringer wrote:
> On 20/08/2014 20:25, Dave Reisner wrote:
>> For packagers:
>>
>> - systemd-sysusers is now a reasonable thing as it now reads and writes to /etc/shadow and /etc/gshadow. This means that we can simplify the filesystem package immensely, and packages which want to ship their own runtime users can switch to this as well. Note that new IDs are allocated semi-arbitrarily starting from 999 and counting down. Please be aware of the implications of using this if your package ships files owned by the user you're going to create! There's still no way of removing users via sysusers.d, but I think this is fine (Fedora actually never removes users or groups).
>
> I'm enthused by this feature, and systemd-sysusers can offer a more standard way for managing system users across distros. Nevertheless, it would be nice if we do not fall into the shortcut of not removing users bound to a package when we remove it. That avoids manual removal, and I don't see a drawback to doing this.
>
> Do you know why they don't implement the same logic (--create, --clean) as systemd-tmpfiles in systemd-sysusers?
There will often be files left behind owned by that uid/gid, and deleting the user/group will free up the id to be consumed by the next user/group. There's a potential to leak sensitive information like passwords. Fedora and systemd choose to ignore the ickiness of having dead system users/groups to avoid that issue.
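The ID-reuse problem described in this reply, modelled as an added example that is not part of the thread or of systemd itself: a small Python script that parses a constructed sysusers.d-style fragment (the `u`/`g` line syntax from sysusers.d(5)) against a constructed /etc/passwd snapshot, shows which ID an auto-allocated (`-`) entry would receive when counting down from 999 as the thread describes, and scans a directory for files whose owner UID no longer has a passwd entry, i.e. the files a removed user would leave behind for the next allocated ID to inherit. The service names, IDs, passwd lines and the search bounds are all constructed sample data and assumptions.

```python
"""Added example (not systemd code): model the uid-reuse risk discussed above."""
import os
import shlex
import tempfile
from typing import Dict, List, Set, Tuple

SYSTEM_UID_MAX = 999  # thread: new IDs start at 999 and count down
SYSTEM_UID_MIN = 1    # assumed lower bound of the range we search

# Constructed /etc/passwd snapshot: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
systemd-journal-remote:x:999:999:systemd Journal Remote:/:/usr/bin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""

# Constructed sysusers.d fragment (u/g line syntax from sysusers.d(5)):
#   u <name> <uid-or-"-"> "<gecos>" <home> <shell>
#   g <name> <gid-or-"-">
SAMPLE_SYSUSERS = """\
# example-service.conf (constructed)
g example-svc -
u example-svc - "Example service" /var/lib/example /usr/bin/nologin
u legacy-svc 150 "Legacy service with fixed id" /var/lib/legacy -
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid from passwd-format text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def parse_sysusers(text: str) -> List[dict]:
    """Parse u/g lines; other line types (m, r) are skipped for brevity."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = shlex.split(line)  # shlex handles the quoted GECOS field
        if fields[0] not in ("u", "g"):
            continue
        entries.append({"type": fields[0], "name": fields[1],
                        "id": None if fields[2] == "-" else int(fields[2])})
    return entries


def next_free_system_id(used: Set[int]) -> int:
    """Highest free id at or below SYSTEM_UID_MAX, counting down."""
    for candidate in range(SYSTEM_UID_MAX, SYSTEM_UID_MIN - 1, -1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free system id")


def plan_allocations(passwd_text: str, sysusers_text: str) -> Dict[str, int]:
    """name -> id each 'u' entry would get: existing users keep their id,
    fixed ids are taken as given, '-' entries get the next free id."""
    users = parse_passwd(passwd_text)
    used = set(users.values())
    plan: Dict[str, int] = {}
    for entry in parse_sysusers(sysusers_text):
        if entry["type"] != "u":
            continue
        name = entry["name"]
        if name in users:
            plan[name] = users[name]
        elif entry["id"] is not None:
            plan[name] = entry["id"]
        else:
            plan[name] = next_free_system_id(used)
        used.add(plan[name])
    return plan


def find_orphaned_files(root: str, known_uids: Set[int]) -> List[str]:
    """Paths under root whose owner uid is not in known_uids: the files a
    deleted user left behind, which a reused id would silently inherit."""
    orphans: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if st.st_uid not in known_uids:
                orphans.append(path)
    return sorted(orphans)


def demo_orphan_scan() -> Tuple[int, int]:
    """Create one file in a temp dir; return how many orphans are reported
    when its owner is known vs. when the owner's passwd entry is gone."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "left-behind.db"), "w").close()
        with_owner = len(find_orphaned_files(d, {os.getuid()}))
        owner_removed = len(find_orphaned_files(d, set()))
    return with_owner, owner_removed


if __name__ == "__main__":
    print(plan_allocations(SAMPLE_PASSWD, SAMPLE_SYSUSERS))
    print(demo_orphan_scan())
    # On a real host: known = set(parse_passwd(open("/etc/passwd").read()).values())
    #                 print(find_orphaned_files("/var/lib", known))
```

Removing the `systemd-journal-remote` line from the snapshot makes `plan_allocations` hand id 999 straight to `example-svc`, which is exactly the situation the reply warns about: anything still owned by uid 999 on disk now belongs to the new service. Running `find_orphaned_files` over state directories before a package's user is deleted (or `find / -nouser -o -nogroup` on a live system) is the check that surfaces those leftovers.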