
#1 2025-07-06 20:05:36

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,717

Script to refresh users who need fully locked accounts [solved]

With the move to change-sysusers-to-fully-locked-system-accounts, in progress, about 1/2 of the 288 are already shipping sysuser files that do this. I recently became aware that users created with the u! directive have expired status, e.g.:

# chage -l rpc
Last password change					: Jul 06, 2025
Password expires					: never
Password inactive					: never
Account expires						: Jan 02, 1970
Minimum number of days between password change		: -1
Maximum number of days between password change		: -1
Number of days of warning before password expires	: -1

Seeking feedback on sanity of this script before posting it to the wiki. The goals are twofold:
1. Remove users which have been created by packages which may no longer be installed (assumption here is that any official package will recreate the needed users via sysuser files) - is that a safe assumption?
2. Upon recreating them, if they ship with a u! entry, they will be created expired (locked). From my tests, even though a new sysuser file is present, if the user was created before the u! definition, it is NOT recreated unless it is first deleted.

EDIT - removed initial script, final version:
https://wiki.archlinux.org/index.php?ti … did=840747

Last edited by graysky (2025-07-13 09:19:43)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#2 2025-07-06 22:57:46

seth
Member
Registered: 2012-09-03
Posts: 66,079

Re: Script to refresh users who need fully locked accounts [solved]

https://gitlab.archlinux.org/archlinux/ … type=heads
I guess you want to keep the root…

Also exclude every user
- w/ a uid >= 1000
- w/ a $HOME and a valid login shell (though that will cause false positives, e.g. git - "$HOME" = "/home/"* ?)
(either or or and)

while IFS=: read name x uid gid desc home shell; do echo "$name $home $shell"; done < /etc/passwd

Trusting users to maintain whitelists is like trusting them with matchsticks which is like trusting 5yr old toddlers with guns. Or so.

Also better check whether the user is still defined anywhere in
/etc/sysusers.d/*.conf
/run/sysusers.d/*.conf
/usr/local/lib/sysusers.d/*.conf
/usr/lib/sysusers.d/*.conf
rather than relying on re-creation. The recommendation is to use auto-generated UIDs so those will change, pot. breaking ownership of already created files when the recreated ID changes.

awk '!/^(#|$)/{print $2}' /etc/sysusers.d/*.conf /run/sysusers.d/*.conf /usr/local/lib/sysusers.d/*.conf /usr/lib/sysusers.d/*.conf | sort -u

Code snippets for inspiration only

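An added example (not graysky's user-analysis.sh and not seth's snippets) that puts the two suggestions above together with the problem from #1: skip root and uid >= 1000, look each remaining account up in the sysusers.d directives, and report whether it is defined with u! (fully locked), with plain u, or not defined at all (orphan). The passwd file and the sysusers.d entries are constructed sample data in a temp directory; on a real system you would pass /etc/passwd and each of the four sysusers.d directories seth listed.

```shell
#!/bin/sh
# Constructed sample data (not a real system) so the audit runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sysusers.d"
    printf '%s\n' \
        'root:x:0:0::/root:/bin/bash' \
        'rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/bin/nologin' \
        'git:x:974:974:git daemon user:/home/git:/usr/bin/git-shell' \
        'oldsvc:x:975:975::/var/lib/oldsvc:/usr/bin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' '# rpcbind' 'u! rpc 32 "Rpcbind Daemon" /var/lib/rpcbind' \
        > "$d/sysusers.d/rpcbind.conf"
    printf '%s\n' 'u git - "git daemon user" /home/git /usr/bin/git-shell' 'g git -' \
        > "$d/sysusers.d/git.conf"
    echo "$d"
}

# Print the directive ("u" or "u!") that defines user $2 in $1/*.conf, or nothing.
# Only u/u! lines count: g, m and r lines name groups or ID ranges, not users.
sysusers_directive() {
    awk -v n="$2" '($1 == "u" || $1 == "u!") && $2 == n { print $1; exit }' \
        "$1"/*.conf 2>/dev/null
}

# Classify one account from passwd file $2 against sysusers dir $3:
#   locked   - defined with u!  (fully locked; chage shows "Account expires: Jan 02, 1970")
#   unlocked - defined with u   (exists, but not fully locked)
#   orphan   - uid < 1000, not root, and no sysusers definition anywhere
#   skip     - root or a regular user (uid >= 1000)
classify_user() {
    name=$1; passwd=$2; sysdir=$3
    uid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$passwd")
    [ -z "$uid" ] && { echo unknown; return 1; }
    if [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ]; then echo skip; return 0; fi
    case "$(sysusers_directive "$sysdir" "$name")" in
        'u!') echo locked ;;
        'u')  echo unlocked ;;
        *)    echo orphan ;;
    esac
}

# Walk every account in passwd file $1 and print "name classification".
audit_sysusers() {
    while IFS=: read -r name rest; do
        printf '%s %s\n' "$name" "$(classify_user "$name" "$1" "$2")"
    done < "$1"
}
```

Orphans are the candidates for removal; "unlocked" entries are accounts whose package now ships u! but which predate it, which is the case graysky describes where deletion is needed before sysusers will recreate them.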

#3 2025-07-07 11:12:04

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,717

Re: Script to refresh users who need fully locked accounts [solved]

Spent WAY too much time on this, what do you think of user-analysis.sh

Last edited by graysky (2025-07-11 21:19:35)




#4 2025-07-07 13:04:39

seth
Member
Registered: 2012-09-03
Posts: 66,079

Re: Script to refresh users who need fully locked accounts [solved]

has_homedirs=true : e.g. mpd homes in /var/lib/mpd (not sure whether that will be left behind by the package - it's not owned and might contain local data if mpd runs as non-user service)
I'm still not convinced about the recreating stuff and would leave still relevant sysusers completely alone to not risk spoiling the UID

bash-wise:
a) instead of mapfile everywhere I'd probably
1. stick w/ newline separated lists (this way you can also use comm to filter the "arrays")
2. when actually building arrays you can just keep growing it foo+=(bar)
b) format_array() : "man column" ?
c) s/echo -e/printf/g
d) is_empty: "find foo -maxdepth 0 -empty" ?

For a copy-paste thing from the wiki you probably want to be as concise as possible?


#5 2025-07-07 15:01:02

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,717

Re: Script to refresh users who need fully locked accounts [solved]

I think it's too big for the wiki copy/paste. Will link it. I added a statement instructing the user to manually inspect /var/lib/ dirs. I switched to printf.

Last edited by graysky (2025-07-07 15:02:47)




#6 2025-07-12 00:33:44

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,717

Re: Script to refresh users who need fully locked accounts [solved]

https://wiki.archlinux.org/index.php?ti … did=840747

Feedback is welcomed.

Last edited by graysky (2025-07-12 00:33:56)


