pub(crate) fn run(root: &Dir) -> Result<()>
Remove orphaned and duplicate entries from /etc/shadow and /etc/gshadow.
For /etc/shadow: an entry is orphaned if the username appears in neither
/etc/passwd nor /usr/lib/passwd. Both files are checked because nss-altfiles
places real system users in /usr/lib/passwd, and those users legitimately
have shadow entries for local PAM authentication.
For /etc/gshadow: an entry is orphaned if the group name appears in neither
/etc/group nor /usr/lib/group. The symmetry with shadow/passwd is
intentional: nss-altfiles places groups in /usr/lib/group, and those groups
legitimately have gshadow entries. A gshadow entry is only stale when the
group has dropped from both locations (the rechunk scenario).
This runs as bootc-sysusers-shadow-sync.service before
systemd-sysusers.service to prevent fatal “already exists” errors when
sysusers tries to create users/groups whose shadow entries are stale.