• Status: draft

  • Last-Updated: 2022-03


We need declarative system user and group handling. This should be done from dpkg itself, because eventually dpkg will also be aware of the files metadata which includes users/group information, and this would allow shipping packages using dynamic user/group, while generating them before unpack with no maintscript required.

Doing this via any other mechanism, requires either maintscripts (which is undesirable and goes against what is being tried to achieve here), or triggers (which might be too late in many situations, or require awaiting ones which are generally undesirable).

Analysis of pre-existing implementations

Using adduser is not satisfactory because:

I've checked the systemd sysusers.conf stuff, and it also seems unsatisfactory, because it lacks things from the list below. Also being tied to what systemd might or might not agree with, does not seem wise. The systemd sysusers support has two parts:

It's probably better, if there's ever a need, to include a mapping tool that can convert at package build-time from systemd sysusers, or any other OS-specific declarative format, into the native dpkg format, where any semantic discrepancies can be adapted gracefully.


What we'd need from this new interface and declarative file would be:

This would be either implemented by a new dpkg command or internally, because in theory everything above would be expressible with the declarative file format, so there should be no need to call anything explicitly?

If this is implemented by a new command then the actions could perhaps be:

For sysadmins, shadow and or adduser would still be the interface to use, as those are really fine for those jobs.

For a first iteration I guess we could either use the shadow commands as backend or the glibc/musl FILE-stream interfaces. Ideally this should be implemented natively in dpkg, to make it "portable". But there's no standard API to handle the gshadow file, if it even exists. :(


In addition to the aforementioned non-standardized interfaces available, there are at least the following problems to keep in mind:

Ref: http://blog.liw.fi/posts/addsysuser/