From mboxrd@z Thu Jan  1 00:00:00 1970
From: John Darrington <john@darrington.wattle.id.au>
Subject: Re: User accounts
Date: Tue, 13 May 2014 10:17:52 +0200
Message-ID: <20140513081752.GA10442@jocasta.intra>
References: <87d2fidrnm.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38119)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <john@darrington.wattle.id.au>) id 1Wk7ud-0002z6-FI
	for guix-devel@gnu.org; Tue, 13 May 2014 04:18:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <john@darrington.wattle.id.au>) id 1Wk7uY-0007GC-TP
	for guix-devel@gnu.org; Tue, 13 May 2014 04:18:11 -0400
Content-Disposition: inline
In-Reply-To: <87d2fidrnm.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic Court??s <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>

On Tue, May 13, 2014 at 10:11:41AM +0200, Ludovic Court??s wrote:
     Before commit ab6a279, /etc/{group,passwd,shadow} were all created from
     a derivation.  Thus, /etc contained symlinks to those files, which were
     actually in the store.  Being in the store, they were all immutable and
     world-readable (you can see that in the VM image released with 0.6.)
     
     That was obviously not desirable, because then everyone can read shadow,
     and because that prevents passwords from being changed.
     
     So commit ab6a279 changed accounts to be created at ???activation
     time??????i.e., when booting, or when switching to a new operating system
     configuration.  What happens is that the activation code checks for all
     the user accounts and groups required by the ???operating-system???
     declaration, and invokes ???useradd??? and ???groupadd??? for any missing
     account/group.
     
     That way, {group,passwd,shadow} are normal state files with the right
     permissions, and everything works as expected.  NixOS uses the same
     strategy.
     

Does /etc/group now have a "nogroup" group?  I was trying to package up GNU cssc,
but one of its tests relies on having a group which no user is a member of.

J'
     

-- 
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.