Remove orphaned and duplicate entries from /etc/shadow and /etc/gshadow
before systemd-sysusers runs, preventing fatal “already exists” errors.
The canonical trigger for this problem is the ublue/rechunk tooling, which
resets /etc/group (and optionally /etc/passwd) but leaves the shadow
files untouched, producing stale entries. When systemd-sysusers then
tries to create those users/groups it finds them already in the shadow files
and fatally errors, causing subsequent entries to be skipped.
This module is invoked as bootc internals sysusers-sync by the static
bootc-sysusers-shadow-sync.service unit, which the generator symlinks into
sysinit.target.wants/ and which runs Before=systemd-sysusers.service.
Structs§
- PwdLock 🔒: RAII guard that holds the shadow-utils password-file lock (/etc/.pwd.lock) for the duration of its lifetime, matching the locking convention used by shadow-utils (lckpwdf(3)) and systemd-sysusers.
- RemovedEntries 🔒: Entries removed from a shadow-style file, split by reason.
Functions§
- filter_shadow_file 🔒: Remove entries from a shadow-style file whose name is not in valid_names or which are duplicates (keeping first occurrence). Returns the sets of removed entry names, or None if the file does not exist. Logging is left to the caller.
- load_groupnames 🔒: Load group names from a group-format file at path within root, returning an empty set if the file doesn’t exist.
- load_usernames 🔒: Load usernames from a passwd-format file at path within root, returning an empty set if the file doesn’t exist.
- run 🔒: Remove orphaned and duplicate entries from /etc/shadow and /etc/gshadow.
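
The filtering rule described for filter_shadow_file (drop names that are not in the valid set, keep the first of any duplicates), as an added example that is not bootc's own code. It works on in-memory strings; `Filtered`, `names` and `filter_shadow` are hypothetical names, and taking /etc/.pwd.lock and writing the file back are left out.

```rust
use std::collections::HashSet;

/// Result of filtering one shadow-style file (hypothetical type for this example).
#[derive(Debug, Default, PartialEq)]
struct Filtered {
    kept: String,            // content to write back
    orphaned: Vec<String>,   // names absent from passwd/group
    duplicates: Vec<String>, // names that had already been seen
}

/// Collect the first colon-separated field of every non-empty line,
/// as found in passwd- and group-format files.
fn names(content: &str) -> HashSet<&str> {
    content
        .lines()
        .filter_map(|l| l.split(':').next())
        .filter(|n| !n.is_empty())
        .collect()
}

/// Keep only entries whose name is in `valid` and has not been seen before.
fn filter_shadow(content: &str, valid: &HashSet<&str>) -> Filtered {
    let mut out = Filtered::default();
    let mut seen = HashSet::new();
    for line in content.lines() {
        let name = line.split(':').next().unwrap_or("");
        if name.is_empty() {
            continue; // blank or nameless lines are dropped (choice of this example)
        }
        if !valid.contains(name) {
            out.orphaned.push(name.to_string());
        } else if !seen.insert(name) {
            out.duplicates.push(name.to_string());
        } else {
            out.kept.push_str(line);
            out.kept.push('\n');
        }
    }
    out
}

fn main() {
    // Constructed sample: passwd was reset, shadow still carries stale entries.
    let passwd = "root:x:0:0::/root:/bin/bash\nbin:x:1:1::/:/usr/sbin/nologin\n";
    let shadow = "root:!:19000::::::\nchrony:!!:19000::::::\nbin:*:19000::::::\nroot:*:18000::::::\n";
    let r = filter_shadow(shadow, &names(passwd));
    print!("{}", r.kept);
    eprintln!("orphaned={:?} duplicates={:?}", r.orphaned, r.duplicates);
}
```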