Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

olive · 2014-06-05 09:31:26

Today (5 June 2014) , while an upgrade, I have a /etc/group.pacnew as well as /etc/passwd.pacnew. These files cause confusion. Unlike most other configuration files, these files are not usually edited directly and some packages update them. In my case /etc/group appears to be the same as /etc/group with the following extra lines:

oxxxxx:x:1000:oxxxxx
avahi:x:84:
polkitd:x:102:
git:x:999:
ntp:x:87:
colord:x:124:
spamd:x:182:

The first line is my name, no problem; my understanding is that the other lines were added by the corresponding packages and that I must leave them as is. But maybe some of these lines are deprecated and must be removed? How can I know?

For /etc/passwd, it appears that the login of systemd-journal-gateway has been changed from /bin/nologin to /bin/false and I think I must make this change and leave the other lines as is. But once again I cannot be sure some of the other extra lines in /etc/passwd should not be removed.

Also am I correct that I must run grpconv and pwdconv after the change to update the corresponding shadow files?

I thing the handling of these two files should be clarified somewhere in the documentation. Other configuration files are usually edited by hand and it's obvious how to merge the new ones, but these two files are different.

Last edited by olive (2014-06-05 09:34:46)

ukhippo · 2014-06-05 10:38:26

I don't know about “correct”, but all I did was overwrite the changed systemd-* entries with those from the .pacnew and then ran pwck and grpck as a sanity check.

Last edited by ukhippo (2014-06-05 10:38:57)

clfarron4 · 2014-06-05 12:11:57

I haven't done the updating of the files, but I'd probably look at both, merge the new changes and do a sanity check as ukhippo suggests.

Leonid.I · 2014-06-06 15:23:32

clfarron4 wrote:

I haven't done the updating of the files, but I'd probably look at both, merge the new changes and do a sanity check as ukhippo suggests.

And I'd probably _think_ before proposing stupid things... And then take a long look at /var/lib/pacman/local/filesystem-2014.06-1/install.

To answer the original question: you don't have to do anything.

bstaletic · 2014-06-06 15:39:07

Leonid.I wrote:

And I'd probably _think_ before proposing stupid things... And then take a long look at /var/lib/pacman/local/filesystem-2014.06-1/install.
To answer the original question: you don't have to do anything.

You're wrong. Take a look at the wiki page concerning dealing with these files. Then check if there is a group like "git" or "ntp" in your earlier /etc/group. Then check if there's anything about that group in /var/lib/pacman/local/filesystem-2014.06-1/install.

Wiki says to do just what ukhippo suggested, and there's nothing about any of the groups I mentioned in the file.

Leonid.I · 2014-06-06 16:23:12

bstaletic wrote:

Leonid.I wrote:
And I'd probably _think_ before proposing stupid things... And then take a long look at /var/lib/pacman/local/filesystem-2014.06-1/install.
To answer the original question: you don't have to do anything.
You're wrong. Take a look at the wiki page concerning dealing with these files. Then check if there is a group like "git" or "ntp" in your earlier /etc/group. Then check if there's anything about that group in /var/lib/pacman/local/filesystem-2014.06-1/install.

I sense lots of confusion here, so let me explain in detail.

The .install script in the filesystem package is provided specifically to ensure that already running systems will keep running with new packages which require new user/groups, like systemd-timesyncd, by adding users/groups via post_upgrade() as well as checking that "standard" users/groups exist. For example

post_upgrade() {
	_addgroup optical -g 93
	_addgroup audio   -g 92
	_addgroup video   -g 91
...
	_addgroup systemd-network -g 193
	_adduser systemd-network -u 193 -g 193 -d / -s /usr/bin/nologin
...

Yes, you may have git and ntp which were added by corresponding packages and "vanilla" passwd/group doesn't have these.

Hence, there is no need to merge {group,passwd}.pacnew files manually, just rm them. They are _not_ like other config files. In fact, they probably shouldn't even be in the backup array of filesystem (just like resolv.conf).

bstaletic wrote:

Wiki says to do just what ukhippo suggested, and there's nothing about any of the groups I mentioned in the file.

Yes, and wiki is the Ultimate Truth of course, right?

progandy · 2014-06-06 16:39:36

Leonid.I wrote:

Hence, there is no need to merge {group,passwd}.pacnew files manually, just rm them. They are _not_ like other config files. In fact, they probably shouldn't even be in the backup array of filesystem (just like resolv.conf).

I believe {group,passwd} are part of the backup array in order to get the pacsave files in case you accidentally? unistall your filesystem package. It would be a hassle to get all user and group ids back in working order if these files were lost.
resolv.conf is not that mission-critical. A simple entry of e.g. 8.8.8.8 will work until you get the ips of your own nameservers back.

Last edited by progandy (2014-06-06 16:41:20)

WonderWoofy · 2014-06-06 17:09:55

progandy wrote:

I believe {group,passwd} are part of the backup array in order to get the pacsave files in case you accidentally? unistall your filesystem package

I would think that the primary reason that they end up in the backup array is so that they won't be overwritten. It would be a bad thing to have all your users and groups reset upon every filesystem update.

alphaniner · 2014-06-06 19:16:38

Maybe this is a bug, but the /etc/passwd file in the filesystem package doesn't jive with the modifications made by the .install script. Eg. /etc/passwd from filesystem-2014.05-2:

http:x:33:33:http:/srv/http:/bin/false
uuidd:x:68:68:uuidd:/:/sbin/nologin
dbus:x:81:81:dbus:/:/sbin/nologin
systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/bin/false
systemd-timesync:x:192:192:systemd-timesync:/:/bin/false

The .install script sets the shell to /usr/bin/nologin for all of these. So if you merge the .pacnew file, you're actually undoing some of what was updated. At least that's what's been happening to me since I always merged these files.

Thanks to Leonid.I for 'splaining things, otherwise I wouldn't have realized this.

Edit: so much for that theory. If the .install script is supposed to update the existing passwd file, it ain't working. After updating my home machine, http, uuid and dbus were still /bin/false, /sbin/nologin, and /sbin/nologin respectively.

Last edited by alphaniner (2014-06-07 01:15:51)

sl1pkn07 · 2014-06-07 19:57:37

new filesystem (2014.06-1) package change the "/bin/false" to "/usr/bin/nologin"

but other packages like avahi, tor, postfix, etc still use "/bin/false" (or "/sbin/nologin")

need change to "/usr/bin/nologin"? or need wait the package update

greetings

Last edited by sl1pkn07 (2014-06-08 23:04:50)

Scimmia · 2014-06-07 20:04:29

Doesn't matter, they're functionally the same.

karol · 2014-06-07 20:15:09

Is it https://bugs.archlinux.org/task/40690 ?

89c51 · 2014-06-08 19:52:14

(same question as sl1pkn07) So we just do nothing and wait the packagers/maintainert take care of it?

clfarron4 · 2014-06-08 20:35:35

89c51 wrote:

(same question as sl1pkn07) So we just do nothing and wait the packagers/maintainert take care of it?

It says in the bug report: https://bugs.archlinux.org/task/40690

falconindy wrote:

I'll fix this the next time I do a filesystem release.

89c51 · 2014-06-08 21:03:33

Thnanks. While i clicked on it i didn't read the comments.

henk · 2014-06-09 04:11:06

Today's update of /etc/paswd showed the following change for most of the normal existing entries,
present passwd file:

bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
ftp:x:14:11:ftp:/srv/ftp:/bin/false
http:x:33:33:http:/srv/http:/bin/false
uuidd:x:68:68:uuidd:/:/sbin/nologin
dbus:x:81:81:dbus:/:/sbin/nologin
nobody:x:99:99:nobody:/:/bin/false

the pacnew file:

bin:x:1:1:bin:/bin:/usr/bin/nologin
daemon:x:2:2:daemon:/sbin:/usr/bin/nologin
mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
http:x:33:33:http:/srv/http:/usr/bin/nologin
uuidd:x:68:68:uuidd:/:/sbin/nologin
dbus:x:81:81:dbus:/:/sbin/nologin
nobody:x:99:99:nobody:/:/usr/bin/nologin

Should I pass this change to /usr/bin/nologin onto entries created during the setup of the system?

<snip>
polkitd:x:102:102:Policy Kit Daemon:/:/bin/false
avahi:x:84:84:avahi:/:/bin/false
mysql:x:89:89::/var/lib/mysql:/bin/false
kdm:x:135:135::/var/lib/kdm:/bin/false
<snip>

WonderWoofy · 2014-06-09 04:12:51

I actually don't think it makes a difference. I didn't change it and my shit hasn't borked yet.

Read through this thread though: https://bbs.archlinux.org/viewtopic.php?id=182428

jasonwryan · 2014-06-09 04:33:20

Merging...

henk · 2014-06-09 04:55:20

jasonwryan wrote:

Merging...

Just as I was submitting a reply to Wonderwoofy.....there were some surprising moments there.
Anyhow, thank you Wonderwoofy for the reply. Things are clear now.

WonderWoofy · 2014-06-09 05:06:22

Oh, sorry. I also reported the thread to be merged here since it is covering the same topic.

ppsalama · 2014-06-09 11:07:15

Hello
If I compare my group and passwd with the "pacnew" ones I see that I have the same lines (even more) but in different sequence (all lines in pacnew are in my files -although personalized-), so I guess I have to do nothing, is it so?

I have read that never mind "false" or "nobody" (they're functionally the same) but which is better?
Thanks

Last edited by ppsalama (2014-06-09 11:07:35)

Leonid.I · 2014-06-09 17:44:44

WonderWoofy wrote:

progandy wrote:
I believe {group,passwd} are part of the backup array in order to get the pacsave files in case you accidentally? unistall your filesystem package
I would think that the primary reason that they end up in the backup array is so that they won't be overwritten. It would be a bad thing to have all your users and groups reset upon every filesystem update.

Yes, you right -- my bad.

alphaniner wrote:

Edit: so much for that theory. If the .install script is supposed to update the existing passwd file, it ain't working. After updating my home machine, http, uuid and dbus were still /bin/false, /sbin/nologin, and /sbin/nologin respectively.

The .install script only checks the presence of a user, and does nothing if it finds that user. This is the correct behavior because otherwise your modifications would be lost. Having said that, having /sbin/nologin or /bin/false is all the same. There is a cosmetic difference between them -- read man nologin.

Again, if your group/passwd files are functional before the update -- keep them as is (unless you wan to do cosmetic changes). If they are missing a user/group needed for some package that you don't have yet (and .pacnew files ship that user/group), this user/group should be added by that package's post_install(), e.g. systemd-timesyncd...

alphaniner · 2014-06-11 14:15:10

@Leonid.I: Thanks for clearing that up.

Xyne · 2014-06-11 16:58:03

WonderWoofy wrote:

I actually don't think it makes a difference. I didn't change it and my shit hasn't borked yet.
Read through this thread though: https://bbs.archlinux.org/viewtopic.php?id=182428

I thought that posting a recursive link was just sarcastic humor until I saw that the thread had been merged.

Some of you may find my pacnew merge scripts useful for handling these files: http://xyne.archlinux.ca/projects/pacnew_scripts/

WonderWoofy · 2014-06-11 22:00:18

Way to post 5000 times Xyne!

Arch Linux

#1 2014-06-05 09:31:26

Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#2 2014-06-05 10:38:26

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#3 2014-06-05 12:11:57

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#4 2014-06-06 15:23:32

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#5 2014-06-06 15:39:07

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#6 2014-06-06 16:23:12

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#7 2014-06-06 16:39:36

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#8 2014-06-06 17:09:55

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#9 2014-06-06 19:16:38

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#10 2014-06-07 19:57:37

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#11 2014-06-07 20:04:29

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#12 2014-06-07 20:15:09

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#13 2014-06-08 19:52:14

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#14 2014-06-08 20:35:35

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#15 2014-06-08 21:03:33

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#16 2014-06-09 04:11:06

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#17 2014-06-09 04:12:51

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#18 2014-06-09 04:33:20

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#19 2014-06-09 04:55:20

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#20 2014-06-09 05:06:22

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#21 2014-06-09 11:07:15

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#22 2014-06-09 17:44:44

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#23 2014-06-11 14:15:10

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#24 2014-06-11 16:58:03

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

#25 2014-06-11 22:00:18

Re: Correct handling of /etc/group.pacnew and /etc/passwd.pacnew

Board footer