sysusers: allow defining additional sysusers lines via credentials

man/systemd-sysctl.service.xml

@@ -86,10 +86,10 @@
         <term><literal>sysctl.extra</literal></term>
 
         <listitem><para>The contents of this credential may contain additional lines to operate on. The
-        credential contents should follow the same format as any other <filename>sysctl.d/</filename>
+        credential contents should follow the same format as any other <filename>sysctl.d/</filename> drop-in
-        drop-in. If this credential is passed it is processed after all of the drop-in files read from the
+        configuration file. If this credential is passed it is processed after all of the drop-in files read
-        file system. The settings configured in the credential hence take precedence over those in the file
+        from the file system. The settings configured in the credential hence take precedence over those in
-        system.</para></listitem>
+        the file system.</para></listitem>
       </varlistentry>
     </variablelist>
 

man/systemd-sysusers.xml

@@ -169,18 +169,27 @@
 
         <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para></listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><literal>sysusers.extra</literal></term>
+
+        <listitem><para>The contents of this credential may contain additional lines to operate on. The
+        credential contents should follow the same format as any other <filename>sysusers.d/</filename>
+        drop-in. If this credential is passed it is processed after all of the drop-in files read from the
+        file system.</para></listitem>
+      </varlistentry>
     </variablelist>
 
     <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
     inherit the <literal>passwd.hashed-password.root</literal>,
-    <literal>passwd.plaintext-password.root</literal> and <literal>passwd.shell.root</literal> credentials
+    <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
-    from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
+    <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
-    for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
+    with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
-    like this:</para>
+    user's password to be <literal>systemd</literal> like this:</para>
 
     <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>
 
-    <para>Note again that the data specified in these credentials is consulted only when creating an account
+    <para>Note again that the data specified in this credential is consulted only when creating an account
     for the first time, it may not be used for changing the password or shell of an account that already
     exists.</para>
 

src/sysusers/sysusers.c

@@ -1981,7 +1981,7 @@ static int parse_arguments(char **args) {
                         /* Use (argument):n, where n==1 for the first positional arg */
                         r = parse_line("(argument)", pos, *arg);
                 else
-                        r = read_config_file(*arg, false);
+                        r = read_config_file(*arg, /* ignore_enoent= */ false);
                 if (r < 0)
                         return r;
 
@@ -2011,12 +2011,31 @@ static int read_config_files(char **args) {
                         log_debug("Reading config file \"%s\"%s", *f, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
 
                         /* Just warn, ignore result otherwise */
-                        (void) read_config_file(*f, true);
+                        (void) read_config_file(*f, /* ignore_enoent= */ true);
                 }
 
         return 0;
 }
 
+static int read_credential_lines(void) {
+        _cleanup_free_ char *j = NULL;
+        const char *d;
+        int r;
+
+        r = get_credentials_dir(&d);
+        if (r == -ENXIO)
+                return 0;
+        if (r < 0)
+                return log_error_errno(r, "Failed to get credentials directory: %m");
+
+        j = path_join(d, "sysusers.extra");
+        if (!j)
+                return log_oom();
+
+        (void) read_config_file(j, /* ignore_enoent= */ true);
+        return 0;
+}
+
 static int run(int argc, char *argv[]) {
 #ifndef STANDALONE
         _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
@@ -2068,12 +2087,10 @@ static int run(int argc, char *argv[]) {
         assert(!arg_image);
 #endif
 
-        /* If command line arguments are specified along with --replace, read all
+        /* If command line arguments are specified along with --replace, read all configuration files and
-         * configuration files and insert the positional arguments at the specified
+         * insert the positional arguments at the specified place. Otherwise, if command line arguments are
-         * place. Otherwise, if command line arguments are specified, execute just
+         * specified, execute just them, and finally, without --replace= or any positional arguments, just
-         * them, and finally, without --replace= or any positional arguments, just
+         * read configuration and execute it. */
-         * read configuration and execute it.
-         */
         if (arg_replace || optind >= argc)
                 r = read_config_files(argv + optind);
         else
@@ -2081,11 +2098,15 @@ static int run(int argc, char *argv[]) {
         if (r < 0)
                 return r;
 
-        /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our detection
+        r = read_credential_lines();
-         * whether the names or UID/GID area already used otherwise doesn't get confused. After all, even though
+        if (r < 0)
-         * nss-systemd synthesizes these users/groups, they should still appear in /etc/passwd and /etc/group, as the
+                return r;
-         * synthesizing logic is merely supposed to be fallback for cases where we run with a completely unpopulated
+
-         * /etc. */
+        /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our
+         * detection whether the names or UID/GID area already used otherwise doesn't get confused. After
+         * all, even though nss-systemd synthesizes these users/groups, they should still appear in
+         * /etc/passwd and /etc/group, as the synthesizing logic is merely supposed to be fallback for cases
+         * where we run with a completely unpopulated /etc. */
         if (setenv("SYSTEMD_NSS_BYPASS_SYNTHETIC", "1", 1) < 0)
                 return log_error_errno(errno, "Failed to set SYSTEMD_NSS_BYPASS_SYNTHETIC environment variable: %m");
 

test/TEST-54-CREDS/test.sh

@@ -4,7 +4,7 @@ set -e
 
 TEST_DESCRIPTION="test credentials"
 NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue"
-QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue -smbios type=11,value=io.systemd.credential:smbioscredential=magicdata -smbios type=11,value=io.systemd.credential.binary:binarysmbioscredential=bWFnaWNiaW5hcnlkYXRh"
+QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue -smbios type=11,value=io.systemd.credential:smbioscredential=magicdata -smbios type=11,value=io.systemd.credential.binary:binarysmbioscredential=bWFnaWNiaW5hcnlkYXRh -smbios type=11,value=io.systemd.credential.binary:sysusers.extra=dSBjcmVkdGVzdHVzZXIK"
 KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff systemd.set_credential=sysctl.extra:kernel.domainname=sysctltest rd.systemd.import_credentials=no"
 
 # shellcheck source=test/test-functions

test/units/testsuite-54.sh

@@ -40,6 +40,9 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
 
     # Verify that writing a sysctl via the kernel cmdline worked
     [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
+
+    # Verify that creating a user via sysusers via the kernel cmdline worked
+    grep -q ^credtestuser: /etc/passwd
 else
     echo "qemu_fw_cfg support missing in kernel. Sniff!"
     expected_credential=""

units/systemd-sysusers.service

@@ -14,7 +14,8 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 After=systemd-remount-fs.service
 Before=sysinit.target shutdown.target systemd-update-done.service
-ConditionNeedsUpdate=/etc
+ConditionNeedsUpdate=|/etc
+ConditionCredential=|sysusers.extra
 
 [Service]
 Type=oneshot
@@ -28,3 +29,6 @@ TimeoutSec=90s
 LoadCredential=passwd.hashed-password.root
 LoadCredential=passwd.plaintext-password.root
 LoadCredential=passwd.shell.root
+
+# Also, allow configuring extra sysusers lines via a credential
+LoadCredential=sysusers.extra