useradd: `SYS_USER_AUTO_GROUPS_ENAB` option #1156

SgAkErRu · 2024-12-16T15:56:33Z

A new SYS_USER_AUTO_GROUPS_ENAB option in /etc/login.defs that control whether supplementary groups are automatically added for the system user that is created via the -r flag.

Default value is no, so groups from the GROUPS parameter from the /etc/default/useradd file are not added automatically for the system user.

Related to: #586

alejandro-colomar · 2024-12-17T11:42:54Z

Could you please explain why we want this?

Isn't this another way of having an empty GROUPS list? Why not have an empty GROUPS list instead? (I'm not sure I liked the GROUPS list in the first place.)

SgAkErRu · 2024-12-17T12:25:58Z

Could you please explain why we want this?

Isn't this another way of having an empty GROUPS list? Why not have an empty GROUPS list instead? (I'm not sure I liked the GROUPS list in the first place.)

GROUPS allows maintainers to set a list of additional (supplementary) default groups, for example users, dialout, audio, serial and so on.

Or, for example, only users, which is then expanded through the libnss-role, i.e. these groups (dialout, audio, serial) are added through libnss-role to those users who are in the users group.

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Therefore, this new option was created, which allows maintainers to disable auto-addition of additional groups for system users.

src/useradd.c

ikerexxe · 2024-12-17T13:29:13Z

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

SgAkErRu · 2024-12-17T13:35:05Z

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

Because I am not original author of this functionality.

So, that's why I suggest this option, which will keep the possibility of the original behavior (when these groups automatically adds to system users).

P.S But in general, with the option, it seems to me a more flexible.

I mean, the GROUPS feature itself with SYS_USER_AUTO_GROUPS_ENAB enabled will be like a complete alternative to specifying default supplementary groups using -G.

ikerexxe · 2024-12-17T13:53:54Z

Because I am not original author of this functionality.

Ups sorry, I have mixed up the names.

@AZaugg any opinion on the following topic?

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

src/useradd.c

alejandro-colomar reviewed Dec 17, 2024

View reviewed changes