Thanks to visit codestin.com
Credit goes to github.com

Skip to content

sysusers: create fully locked system account #3468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

sysusers: create fully locked system account #3468

wants to merge 1 commit into from

Conversation

eworm-de
Copy link
Contributor

... for some extra security. The account is marked locked as a whole, not just created with an invalid password.

https://github.com/systemd/systemd/blob/v257/NEWS#L767-L777
https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html#u

@eworm-de
Copy link
Contributor Author

This is supported with systemd v257. Can we just use it (as a system with recent util-linux should comes with recent systemd as well) or do we need a switch?

@karelzak
Copy link
Collaborator

I have doubts that enabling it by default is a good idea as v257 seems very recent (for example, the current Fedora has v256). The util-linux does not require the most recent dependencies. Maybe adding --enable-sysusers-locked is not a bad idea.

@eworm-de
Copy link
Contributor Author

Wondering if this should be autodetected from build environment...

@karelzak
Copy link
Collaborator

systemctl systemctl --version, or maybe somehow by pkg-config, not sure

@karelzak karelzak added the NOT-READY The patch is not ready yet. Need rework. label Mar 24, 2025
@kkm000
Copy link

kkm000 commented Aug 10, 2025

Debian "Trixie" 13 releases any day now, with systemd 257.

kkm@kiki:~$ systemctl --version
systemd 257 (257.7-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE

As for the pkg-config(1) test, --atleast-version has been there for ages. This is on Deb 12 (don't have libsystemd-dev anywhere I have Trixie installed):

kkm@buba:~$ systemctl --version
systemd 252 (252.38-1~deb12u1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
kkm@buba:~$ pkg-config --atleast-version=257 libsystemd; echo $?
1
kkm@buba:~$ pkg-config --atleast-version=252 libsystemd; echo $?
0

@karelzak karelzak added the TODO We going to think about it ;-) label Aug 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
NOT-READY The patch is not ready yet. Need rework. TODO We going to think about it ;-)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eworm-de @karelzak @kkm000