Revert "Removed uidgid pair 27:27 for MySQL/MariaDB"

This reverts commit df5ba729d6.

Reason: The MariaDB and MySQL sysusers.d files has to use soft static allocation in order to correctly handle the MariaDB PAM v2 plugin which utilizes setuid-to-root binary "/usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool".

Related: RHEL-119790 RHEL-119789

generate-sysusers-fragments.sh

@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-#SPDX-License-Identifier: 0BSD
-
-set -euo pipefail
-
-test -f etc/group
-test -f etc/passwd
-
-mkdir -p sysusers.d
-
-while read -r line; do
-  groupname=$(echo "${line}" | cut -d: -f1)
-  gid=$(echo "${line}" | cut -d: -f3)
-  echo "g ${groupname} ${gid}"
-done <etc/group >sysusers.d/20-setup-groups.conf
-
-while read -r line; do
-  username=$(echo "${line}" | cut -d: -f1)
-  uid=$(echo "${line}" | cut -d: -f3)
-  gid=$(echo "${line}" | cut -d: -f4)
-  gecos=$(echo "${line}" | cut -d: -f5)
-  homedir=$(echo "${line}" | cut -d: -f6)
-  if [ "${homedir}" == "/" ]; then
-    homedir="-"
-  fi
-  shell=$(echo "${line}" | cut -d: -f7)
-  if [ "${shell}" == "/usr/sbin/nologin" ]; then
-    shell="-"
-  fi
-  echo "u ${username} ${uid}:${gid} \"${gecos}\" ${homedir} ${shell}"
-done <etc/passwd >sysusers.d/20-setup-users.conf

group

@@ -1,29 +0,0 @@
-root:x:0:
-bin:x:1:
-daemon:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mem:x:8:
-kmem:x:9:
-wheel:x:10:
-cdrom:x:11:
-mail:x:12:
-man:x:15:
-dialout:x:18:
-floppy:x:19:
-games:x:20:
-utmp:x:22:
-tape:x:33:
-kvm:x:36:
-video:x:39:
-ftp:x:50:
-lock:x:54:
-audio:x:63:
-users:x:100:
-input:x:104:
-render:x:105:
-sgx:x:106:
-nobody:x:65534:

passwd

@@ -1,13 +0,0 @@
-root:x:0:0:Super User:/root:/bin/bash
-bin:x:1:1:bin:/bin:/usr/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
-adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
-lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
-sync:x:5:0:sync:/sbin:/bin/sync
-shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-halt:x:7:0:halt:/sbin:/sbin/halt
-mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
-operator:x:11:0:operator:/root:/usr/sbin/nologin
-games:x:12:100:games:/usr/games:/usr/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
-nobody:x:65534:65534:Kernel Overflow User:/:/usr/sbin/nologin

profile

@@ -9,6 +9,9 @@
 # will prevent the need for merging in future updates.
 
 pathmunge () {
+    # If the path is a compat symlink, do nothing.
+    [ -h "$1" ] && return
+
     case ":${PATH}:" in
         *:"$1":*)
             ;;

protocols

@@ -1,12 +1,12 @@
 # /etc/protocols:
-# $Id: protocols,v 1.12 2016/07/08 12:27 ovasik Exp $
+# $Id: protocols,v 1.13 2025/05/14 15:30 mosvald Exp $
 #
 # Internet (IP) protocols
 #
 #	from: @(#)protocols	5.1 (Berkeley) 4/17/89
 #
 # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
-# Last IANA update included dated 2011-05-03
+# Last IANA update included dated 2025-01-08
 #
 # See also http://www.iana.org/assignments/protocol-numbers
 
@@ -66,7 +66,7 @@ ipv6-crypt	50	IPv6-Crypt		# Encryption Header for IPv6 (not in official list)
 ah	51	AH		# Authentication Header
 ipv6-auth	51	IPv6-Auth		# Authentication Header for IPv6 (not in official list)
 i-nlsp	52	I-NLSP		# Integrated Net Layer Security TUBA
-swipe	53	SWIPE		# IP with Encryption
+swipe	53	SWIPE		# IP with Encryption (deprecated)
 narp	54	NARP		# NBMA Address Resolution Protocol
 mobile	55	MOBILE		# IP Mobility
 tlsp	56	TLSP		# Transport Layer Security Protocol
@@ -108,7 +108,7 @@ larp	91	LARP		# Locus Address Resolution Protocol
 mtp	92	MTP		# Multicast Transport Protocol
 ax.25	93	AX.25		# AX.25 Frames
 ipip	94	IPIP		# Yet Another IP encapsulation
-micp	95	MICP		# Mobile Internetworking Control Pro.
+micp	95	MICP		# Mobile Internetworking Control Pro. (deprecated)
 scc-sp	96	SCC-SP		# Semaphore Communications Sec. Pro.
 etherip	97	ETHERIP		# Ethernet-within-IP Encapsulation
 encap	98	ENCAP		# Yet Another IP encapsulation
@@ -156,7 +156,12 @@ hip	139	HIP		# Host Identity Protocol
 shim6	140	Shim6		# Shim6 Protocol
 wesp	141	WESP		# Wrapped Encapsulating Security Payload
 rohc	142	ROHC		# Robust Header Compression
-#   143-252 Unassigned                                       [IANA]
+ethernet	143	Ethernet		# Ethernet encapsulation for SRv6
+aggfrag	144	AGGFRAG		# AGGFRAG encapsulation payload for ESP
+nsh	145	NSH		# Network Service Header
+homa	146	Homa		# Homa
+bit-emu	147	BIT-EMU		# Bit-stream Emulation
+#   148-252 Unassigned                                       [IANA]
 #   253     Use for experimentation and testing           [RFC3692]
 #   254     Use for experimentation and testing           [RFC3692]
 #   255                 Reserved                             [IANA]

setup.spec

@@ -12,24 +12,22 @@ Source0003: csh.cshrc
 Source0004: csh.login
 Source0005: ethertypes
 Source0006: filesystems
-Source0007: group
-Source0008: host.conf
-Source0009: hosts
-Source0010: inputrc
-Source0011: networks
-Source0012: passwd
-Source0013: printcap
-Source0014: profile
-Source0015: protocols
-Source0016: services
-Source0017: shells
+Source0007: host.conf
+Source0008: hosts
+Source0009: inputrc
+Source0010: networks
+Source0011: printcap
+Source0012: profile
+Source0013: protocols
+Source0014: services
+Source0015: shells
 
 Source0021: lang.csh
 Source0022: lang.sh
 
 Source0031: COPYING
 Source0032: uidgid
-Source0033: generate-sysusers-fragments.sh
+Source0033: setup.sysusers.conf
 Source0034: uidgidlint
 Source0035: serviceslint
 
@@ -37,6 +35,7 @@ BuildArch: noarch
 BuildRequires: bash
 BuildRequires: tcsh
 BuildRequires: perl-interpreter
+BuildRequires: /usr/bin/systemd-sysusers
 #systemd-rpm-macros: required to use _sysusersdir and _tmpfilesdir macro
 BuildRequires: systemd-rpm-macros
 #require system release for saner dependency order
@@ -48,21 +47,18 @@ setup files, such as passwd, group, and profile.
 
 %prep
 mkdir -p etc/profile.d
-cp %{lua: for i=1,17 do print(sources[i]..' ') end} etc/
+cp %{lua: for i=1,15 do print(sources[i]..' ') end} etc/
 cp %SOURCE21 %SOURCE22 etc/profile.d/
-touch etc/{exports,motd,subgid,subuid}
+touch etc/{exports,motd,subgid,subuid,environment,fstab}
 
 mkdir -p docs
 cp %SOURCE31 %SOURCE32 docs/
 
-bash %SOURCE33
-
 %build
-#make prototype for /etc/shadow
-sed -e "s/:.*/:*:`expr $(date +%s) / 86400`:0:99999:7:::/" etc/passwd >etc/shadow
-
-#make prototype for /etc/gshadow
-sed -e 's/:[0-9]\+:/::/g; s/:x:/::/' etc/group >etc/gshadow
+# This produces ./etc/{passwd,group,shadow,gshadow}
+systemd-sysusers --root=./ %SOURCE33
+# Allow the user to copy the file
+chmod 0400 ./etc/{shadow,gshadow}
 
 %check
 # Sanity checking selected files....
@@ -70,19 +66,17 @@ bash -n etc/bashrc
 bash -n etc/profile
 tcsh -f etc/csh.cshrc
 tcsh -f etc/csh.login
-(cd etc && bash %SOURCE34 ./uidgid)
+bash %SOURCE34 docs/uidgid
 (cd etc && perl %SOURCE35 ./services)
 
 %install
 mkdir -p %{buildroot}/etc
 cp -ar etc/* %{buildroot}/etc/
 
-mkdir -p %{buildroot}%{_sysusersdir}
-cp sysusers.d/* %{buildroot}%{_sysusersdir}/
+install -D -m0644 %SOURCE33 %{buildroot}%{_sysusersdir}/setup.conf
 
 mkdir -p %{buildroot}/var/log
 touch %{buildroot}/etc/environment
-chmod 0400 %{buildroot}/etc/{shadow,gshadow}
 touch %{buildroot}/etc/fstab
 echo "#Add any required envvar overrides to this file, it is sourced from /etc/profile" >%{buildroot}/etc/profile.d/sh.local
 echo "#Add any required envvar overrides to this file, it is sourced from /etc/csh.login" >%{buildroot}/etc/profile.d/csh.local
@@ -106,13 +100,15 @@ cat >%{buildroot}/usr/share/dnf5/libdnf.conf.d/protect-setup.conf <<EOF
 protected_packages = setup
 EOF
 
-#throw away useless and dangerous update stuff until rpm will be able to
-#handle it ( http://rpm.org/ticket/6 )
-# Use rpm.spawn() if available (in >= 4.20) but fallback to forking if not
 %post -p <lua>
+-- Throw away useless and dangerous update stuff until rpm will be able to
+-- handle it.  See: http://rpm.org/ticket/6
 for i, name in ipairs({"passwd", "shadow", "group", "gshadow"}) do
    os.remove("/etc/"..name..".rpmnew")
 end
+-- Use rpm.spawn() if available (in >= 4.20) but fallback to forking if not.
+--
+-- Initialize or update /etc/alias.db from /etc/aliases for sendmail, etc.
 if posix.access("/usr/bin/newaliases", "x") then
   if rpm.spawn ~= nil then
     rpm.spawn({'/usr/bin/newaliases'}, {stdout='/dev/null'})
@@ -126,6 +122,20 @@ if posix.access("/usr/bin/newaliases", "x") then
     end
   end
 end
+-- Ensure pre-allocated tmpfiles are created immediately on upgrades.
+if posix.access("/usr/bin/systemd-tmpfiles", "x") then
+  if rpm.spawn ~= nil then
+    rpm.spawn({"/usr/bin/systemd-tmpfiles", "--create"}, {stderr='/dev/null'})
+  else
+    local pid = posix.fork()
+    if pid == 0 then
+      posix.redirect2null(2)
+      posix.exec("/usr/bin/systemd-tmpfiles", "--create")
+    elseif pid > 0 then
+      posix.wait(pid)
+    end
+  end
+end
 
 %files
 %license docs/COPYING
@@ -165,8 +175,7 @@ end
 %config(noreplace) %verify(not md5 size mtime) /etc/shells
 %ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/fstab
 %{_tmpfilesdir}/%{name}.conf
-%{_sysusersdir}/20-setup-groups.conf
-%{_sysusersdir}/20-setup-users.conf
+%{_sysusersdir}/setup.conf
 /etc/dnf/protected.d/%{name}.conf
 %dir /usr/share/dnf5
 %dir /usr/share/dnf5/libdnf.conf.d

setup.sysusers.conf

@@ -0,0 +1,41 @@
+u root         0:0     "Super User"            /root            /bin/bash
+u bin          1       "bin"                   /bin             -
+u daemon       2       "daemon"                /sbin            -
+u adm          3:4     "adm"                   /var/adm         -
+u lp           4:7     "lp"                    /var/spool/lpd   -
+u sync         5:0     "sync"                  /sbin            /bin/sync
+u shutdown     6:0     "shutdown"              /sbin            /sbin/shutdown
+u halt         7:0     "halt"                  /sbin            /sbin/halt
+u mail         8:12    "mail"                  /var/spool/mail  -
+u operator    11:0     "operator"              /root            -
+u games       12:100   "games"                 /usr/games       -
+u ftp         14:50    "FTP User"              /var/ftp         -
+u nobody   65534:65534 "Kernel Overflow User"  -                -
+g root           0
+g sys            3
+g adm            4
+g tty            5
+g disk           6
+g lp             7
+g mem            8
+g kmem           9
+g wheel          10
+g cdrom          11
+g mail           12
+g man            15
+g dialout        18
+g floppy         19
+g games          20
+g utmp           22
+g tape           33
+g kvm            36
+g video          39
+g ftp            50
+g lock           54
+g audio          63
+g users          100
+g clock          103
+g input          104
+g render         105
+g sgx            106
+g nobody         65534

uidgid

@@ -19,29 +19,35 @@ news	9	13	/var/spool/news		/usr/sbin/nologin	inn
 uucp	10	14	/var/spool/uucp		/usr/sbin/nologin	uucp
 operator	11	(0)	/root		/usr/sbin/nologin	setup
 games	12	(100)	/usr/games		/usr/sbin/nologin	setup
-# Not created by default anymore.
-gopher	13	30	/var/gopher		/usr/sbin/nologin	-
+# Removed in 2013 (#918206, #1667231), can be reused if necessary later
+# gopher	13	30	/var/gopher		/usr/sbin/nologin	-
 ftp	14	50	/var/ftp		/usr/sbin/nologin	setup
 man	-	15	-		-	setup
-oprofile	16	16	/var/lib/oprofile		/usr/sbin/nologin	oprofile
-pkiuser	17	17	/usr/share/pki		/usr/sbin/nologin	pki-ca,rhpki-ca
+# Retired in 2018 (https://src.fedoraproject.org/rpms/oprofile/c/80fe828c879b1f67a109998cdd42a1bd8513bc3c)
+# oprofile	16	16	/var/lib/oprofile		/usr/sbin/nologin	oprofile
+# Retired sometime between 2011 and 2014 (https://src.fedoraproject.org/rpms/pki-ca/c/4ca1ce11a6e090099b36493653808cfe380911e1)
+# pkiuser	17	17	/usr/share/pki		/usr/sbin/nologin	pki-ca,rhpki-ca
 dialout	-	18	-		-	setup
 floppy	-	19	-		-	setup
 games	-	20	-		-	setup
-slocate	-	21	-		-	slocate
+# mlocate retired in 2024 (https://src.fedoraproject.org/rpms/mlocate/c/7277dd5f59db126d1046a6aa5c4077a597dddddc)
+# slocate	-	21	-		-	slocate
 utmp	-	22	-		-	initscripts,libutempter
 squid	23	23	/var/spool/squid		/dev/null	squid
-pvm	24	24	/usr/share/pvm3		/bin/bash	pvm
+# Retired in 2015 (https://src.fedoraproject.org/rpms/pvm/c/eb6972917befbed00aff622c2c428d18439efe27)
+# pvm	24	24	/usr/share/pvm3		/bin/bash	pvm
 named	25	25	/var/named		/bin/false	bind
 postgres	26	26	/var/lib/pgsql		/bin/bash	postgresql-server
-mysql	27	27	/var/lib/mysql		/bin/bash	mysql
+mysql	27	27	/var/lib/mysql		/usr/sbin/nologin	mysql
 nscd	28	28	/		/bin/false	nscd
 rpcuser	29	29	/var/lib/nfs		/bin/false	nfs-utils
-console	-	31	-		-	dev
+# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008
+# console	-	31	-		-	dev
 rpc	32	32	/var/lib/rpcbind		/usr/sbin/nologin	portmap
 amandabackup	33	(6)	/var/lib/amanda		/bin/false	amanda
 tape	-	33	-		-	setup
-netdump	34	34	/var/crash		/bin/bash	netdump-client, netdump-server
+# Retired in 2021 (https://src.fedoraproject.org/rpms/netdump-server/c/9bbe604e20c113eaa7c897b9b12a705a36afb109)
+# netdump	34	34	/var/crash		/bin/bash	netdump-client, netdump-server
 utempter	-	35	-		-	libutempter
 kvm	-	36	-		-	kvm, vdsm, libvirt
 vdsm	36	(36)	/		/bin/bash	kvm, vdsm
@@ -51,73 +57,92 @@ video	-	39	-		-	setup
 dip	-	40	-		-	ppp
 mailman	41	41	/usr/lib/mailman		/usr/sbin/nologin	mailman
 gdm	42	42	/var/lib/gdm		/usr/sbin/nologin	gdm
-xfs	43	43	/etc/X11/fs		/bin/false	XFree86-xfs
+# Retired in 2022 (https://src.fedoraproject.org/rpms/xorg-x11-xfs/c/3e273d8a939cf5f08bd4eea4f594fedd508dabcf)
+# xfs	43	43	/etc/X11/fs		/bin/false	XFree86-xfs
 pppusers	-	44	-		-	linuxconf
 popusers	-	45	-		-	linuxconf
 slipusers	-	46	-		-	linuxconf
 mailnull	47	47	/var/spool/mqueue		/dev/null	sendmail
 apache	48	48	/usr/share/httpd		/bin/false	httpd
-wnn	49	49	/var/lib/wnn		/usr/sbin/nologin	FreeWnn
+# Retired sometime before 2008 (https://src.fedoraproject.org/rpms/FreeWnn/c/8f9ac4e26531c704a26057be48261fb3d1ebea8e)
+# wnn	49	49	/var/lib/wnn		/usr/sbin/nologin	FreeWnn
 smmsp	51	51	/var/spool/mqueue		/dev/null	sendmail
 puppet	52	52	/var/lib/puppet		/usr/sbin/nologin	puppet
 tomcat	53	53	/var/lib/tomcat		/usr/sbin/nologin	tomcat
 lock	-	54	-		-	setup
 ldap	55	55	/var/lib/ldap		/bin/false	openldap-servers
-frontpage	56	56	/var/www		/bin/false	mod_frontpage
+# Last references on the web appear around 2007…
+# frontpage	56	56	/var/www		/bin/false	mod_frontpage
 nut	57	57	/var/lib/ups		/bin/false	nut
-beagleindex	58	58	/var/cache/beagle		/bin/false	beagle
+# Retired in 2011 (https://src.fedoraproject.org/rpms/beagle/c/5721c9577eebdc7a0f6566f3efd955b3f4427a0e)
+# beagleindex	58	58	/var/cache/beagle		/bin/false	beagle
 tss	59	59	-		/usr/sbin/nologin	trousers
-piranha	60	60	/etc/sysconfig/ha		/dev/null	piranha
-prelude-manager	61	61	-		/usr/sbin/nologin	prelude-manager
-snortd	62	62	-		/usr/sbin/nologin	snortd
+# Retired in 2012 (https://src.fedoraproject.org/rpms/piranha/c/15262075b63d48e2ee236ffb87d2db0a4aef1c42)
+# piranha	60	60	/etc/sysconfig/ha		/dev/null	piranha
+# Retired in 2025 (https://src.fedoraproject.org/rpms/prelude-manager/c/68cce28aa0e1788d857791155812e1f20d35036e)
+# prelude-manager	61	61	-		/usr/sbin/nologin	prelude-manager
+# Retired in 2011 (https://src.fedoraproject.org/rpms/snort/c/e2e149974cb3b56b70ed158339a3cb931497dfa2)
+# snortd	62	62	-		/usr/sbin/nologin	snortd
 audio	-	63	-		-	setup
 condor	64	64	/var/lib/condor		/usr/sbin/nologin	condord
 nslcd	65	(55)	/		/usr/sbin/nologin	nslcd
 wine	-	66	-		-	wine
 pegasus	66	65	/var/lib/Pegasus		/usr/sbin/nologin	tog-pegasus
 webalizer	67	67	/var/www/usage		/usr/sbin/nologin	webalizer
-haldaemon	68	68	/		/usr/sbin/nologin	hal
-vcsa	69	69	-		/usr/sbin/nologin	dev,MAKEDEV
+# Retired in 2011 (https://src.fedoraproject.org/rpms/hal/c/e6690cd150b5e1c13e7779de1ce32ded0bc22bc1)
+# haldaemon	68	68	/		/usr/sbin/nologin	hal
+# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008
+# vcsa	69	69	-		/usr/sbin/nologin	dev,MAKEDEV
 avahi	70	70	/var/run/avahi-daemon		/usr/sbin/nologin	avahi
-realtime	-	71	-		-	-
+# Present in https://pagure.io/setup/c/08258e0f748c4f372fcbf1dd7947c132ee0b8a12, probably already unused in 2008
+# realtime	-	71	-		-	-
 tcpdump	72	72	/		/usr/sbin/nologin	tcpdump
 privoxy	73	73	/etc/privoxy		/bin/bash	privoxy
 sshd	74	74	/var/empty/sshd		/usr/sbin/nologin	openssh-server
 radvd	75	75	/		/bin/false	radvd
 cyrus	76	(12)	/var/imap		/bin/bash	cyrus-imapd
 saslauth	-	76	-		-	cyrus-sasl, cyrus-imap
-# Dynamic on new systems, removed Dec2023, can be freed if necessary later
+# Dynamic on new systems, removed Dec2023, can be reused if necessary later
 #arpwatch       77      77      /var/lib/arpwatch               /usr/sbin/nologin       arpwatch
 fax	78	78	/var/spool/fax		/usr/sbin/nologin	mgetty
-nocpulse	79	79	/etc/sysconfig/nocpulse		/bin/bash	nocpulse
+# Retired in 2014 (https://src.fedoraproject.org/rpms/nocpulse-common/c/2ee190601831472ca3ae9857311cfbd31c129c0e)
+# nocpulse	79	79	/etc/sysconfig/nocpulse		/bin/bash	nocpulse
 desktop	80	80	-		/usr/sbin/nologin	desktop-file-utils
 dbus	81	81	/		/usr/sbin/nologin	dbus
-jonas	82	82	/var/lib/jonas		/usr/sbin/nologin	jonas
+# References to JOnAS in FC3 around 2005…
+# jonas	82	82	/var/lib/jonas		/usr/sbin/nologin	jonas
 clamav	83	83	/tmp		/usr/sbin/nologin	clamav
 screen	-	84	-		-	screen
-quaggavt	-	85	-		-	quagga
-sabayon	86	86	-		/usr/sbin/nologin	sabayon
+# Retired in 2021 (https://src.fedoraproject.org/rpms/quagga/c/42d57331ac98fcc4c7103854cb1ce0ddfc4bbbc2)
+# quaggavt	-	85	-		-	quagga
+# Retired in 2014 (https://src.fedoraproject.org/rpms/sabayon/c/e1c4c886227e8123e55fd3fad93dc966d512b9b9)
+# sabayon	86	86	-		/usr/sbin/nologin	sabayon
 polkituser	87	87	/		/usr/sbin/nologin	PolicyKit
 wbpriv	-	88	-		-	samba-common
 postfix	89	89	/var/spool/postfix		/bin/true	postfix
 postdrop	-	90	-		-	postfix
-majordomo	91	91	/usr/lib/majordomo		/bin/bash	majordomo
-quagga	92	92	/		/usr/sbin/nologin	quagga
+# https://en.wikipedia.org/wiki/Majordomo_(software) says final release was 19 January 2000
+# majordomo	91	91	/usr/lib/majordomo		/bin/bash	majordomo
+# Retired in 2021 (https://src.fedoraproject.org/rpms/quagga/c/42d57331ac98fcc4c7103854cb1ce0ddfc4bbbc2)
+# quagga	92	92	/		/usr/sbin/nologin	quagga
 exim	93	93	/var/spool/exim		/usr/sbin/nologin	exim
 distcache	94	94	/		/usr/sbin/nologin	distcache
 radiusd	95	95	/		/bin/false	freeradius
-hsqldb	96	96	/var/lib/hsqldb		/usr/sbin/nologin	hsqldb
+# Retired in 2021 (https://src.fedoraproject.org/rpms/hsqldb/c/54def1d22548601a91ccf6a92c17645a1c5d7cdf)
+# hsqldb	96	96	/var/lib/hsqldb		/usr/sbin/nologin	hsqldb
 dovecot	97	97	/usr/libexec/dovecot		/usr/sbin/nologin	dovecot
 ident	98	98	/		/usr/sbin/nologin	ident
 # Note: 99 used to be the old uid for nobody, now moved to 65534, do not reuse
 users	-	100	-		-	setup
 ssh_keys	-	101	-		-	openssh
+clock	-	103	-		-	systemd
 input	-	104	-		-	systemd
 render	-	105	-		-	systemd
 sgx	-	106	-		-	systemd
 qemu	107	107	/		/usr/sbin/nologin	libvirt
 ovirt	108	108	/		/usr/sbin/nologin	libvirt
-rhevm	109	109	/home/rhevm		/usr/sbin/nologin	vdsm-reg
+# Retired in 2019 (https://src.fedoraproject.org/rpms/vdsm/c/6f1df621f648aa3b65edfcf3389649a6d13df5d4)
+# rhevm	109	109	/home/rhevm		/usr/sbin/nologin	vdsm-reg
 jetty	110	110	/usr/share/jetty		/usr/sbin/nologin	jetty
 saned	111	111	/		/usr/sbin/nologin	sane-backends
 vhostmd	112	112	/usr/share/vhostmd		/usr/sbin/nologin	vhostmd
@@ -126,10 +151,13 @@ polkitd	114	114	/		/usr/sbin/nologin	polkit
 bacula	133	133	/var/spool/bacula		/usr/sbin/nologin	bacula
 cimsrvr	134	134	/		/usr/sbin/nologin	tog-pegasus-libs
 mock	-	135	/		-	mock
-ricci	140	140	/var/lib/ricci		/usr/sbin/nologin	ricci
-luci	141	141	/var/lib/luci		/usr/sbin/nologin	luci
+# Retired in 2012 (https://src.fedoraproject.org/rpms/ricci/c/02a86812383253577ce309d633a400c9c6353ecd,
+#                  https://fedoraproject.org/wiki/Features/Cluster)
+# ricci	140	140	/var/lib/ricci		/usr/sbin/nologin	ricci
+# luci	141	141	/var/lib/luci		/usr/sbin/nologin	luci
 activemq	142	142	/usr/share/activemq		/usr/sbin/nologin	activemq
-cassandra	143	143	/var/lib/cassandra		/usr/sbin/nologin	cassandra
+# Retired in 2019 (https://src.fedoraproject.org/rpms/cassandra/c/8fcb780b616a034aa5d787d04d631ac1f815f694)
+# cassandra	143	143	/var/lib/cassandra		/usr/sbin/nologin	cassandra
 stap-server	155	155	/var/lib/stap-server		/usr/sbin/nologin	systemtap
 stapusr	-	156	/		-	systemtap-runtime
 stapsys	-	157	/		-	systemtap-runtime
@@ -144,7 +172,8 @@ ceilometer	166	166	/var/lib/ceilometer		/usr/sbin/nologin	openstack-ceilometer
 ceph	167	167	/var/lib/ceph		/usr/sbin/nologin	ceph-common
 avahi-autoipd	170	170	/var/lib/avahi-autoipd		/usr/sbin/nologin	avahi
 pulse	171	171	/var/run/pulse		/usr/sbin/nologin	pulseaudio
-rtkit	172	172	/proc		/usr/sbin/nologin	rtkit
+# Dynamic on new systems, removed Mar2025, can be reused if necessary later
+# rtkit	172	172	/proc		/usr/sbin/nologin	rtkit
 abrt	173	173	/etc/abrt		/usr/sbin/nologin	abrt
 retrace	174	174	/usr/share/retrace-server		/usr/sbin/nologin	retrace-server
 ovirtagent	175	175	/		/usr/sbin/nologin	ovirt-guest-agent
@@ -152,9 +181,11 @@ ats	176	176	/		/usr/sbin/nologin	trafficserver
 dhcpd	177	177	/		/usr/sbin/nologin	dhcp
 myproxy	178	178	/var/lib/myproxy		/usr/sbin/nologin	myproxy-server
 sanlock	179	179	/var/run/sanlock		/usr/sbin/nologin	sanlock
-aeolus	180	180	/var/aeolus		/usr/sbin/nologin	aeolus-configure
-wallaby	181	181	/var/lib/wallaby		/usr/sbin/nologin	wallaby
-# Not used anymore, removed Jun2021, can be freed if necessary later
+# Retired in 2012 (https://src.fedoraproject.org/rpms/aeolus-all/c/4b303d259fb530130e413be462e032390595714d)
+# aeolus	180	180	/var/aeolus		/usr/sbin/nologin	aeolus-configure
+# Retired in 2015 (https://src.fedoraproject.org/rpms/wallaby/c/93d5de780d22a378db988a8b72d3d30ebf628930)
+# wallaby	181	181	/var/lib/wallaby		/usr/sbin/nologin	wallaby
+# Not used anymore, removed Jun2021, can be reused if necessary later
 #katello	182	182	/usr/share/katello		/usr/sbin/nologin	katello-common
 elasticsearch	183	183	/usr/share/java/elasticsearch		/usr/sbin/nologin	elasticsearch
 mongodb	184	184	/var/lib/mongodb		/usr/sbin/nologin	mongodb
@@ -167,10 +198,11 @@ haproxy	188	188	/var/lib/haproxy		/usr/sbin/nologin	haproxy
 haclient	-	189	-		-	pacemaker
 hacluster	189	(189)	/		/usr/sbin/nologin	pacemaker
 systemd-journal	-	190	-		-	systemd
-# Dynamic on new systems, removed Dec2014, can be freed if necessary later
+# Dynamic on new systems, removed Dec2014, can be reused if necessary later
 #systemd-journal-gateway	191	191	/		/usr/sbin/nologin	systemd
 systemd-network	192	192	/		/usr/sbin/nologin	systemd
 systemd-resolve	193	193	/		/usr/sbin/nologin	systemd
+xrootd	194	194	/var/spool/xrootd		-	xrootd-server
 #gnats	?	?	?		?	gnats, gnats-db
 #listar	?	?	?		?	listar
 nobody	65534	65534	/		/usr/sbin/nologin	setup

uidgidlint

@@ -1,23 +1,26 @@
-#!/bin/sh
+#!/bin/bash
+set -eu
+set -o pipefail
+
 # We need a file to look at.
 if [ -z "$*" ] ; then
-	echo Usage: `basename $0` uidgid
+	echo "Usage: $0 uidgid"
 	exit 1
 fi
 error=0
 # The format of the file is (currently)
 for infile in "$@" ; do
-	uidlist=`grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu`
-	gidlist=`grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu`
-	for uid in $uidlist ; do
-		if test `grep -v '^#' "$infile" | awk '{print $2}' | grep '^'"$uid"'$' | wc -l` -ne 1 ; then
-			echo Duplicate UID: $uid
+	uidlist=$(grep -v '^#' "$infile" | awk '{print $2}' | grep -v -e - | sort -nu)
+	gidlist=$(grep -v '^#' "$infile" | awk '{print $3}' | grep -v -e - | sort -nu)
+	for uid in $uidlist; do
+		if test "$(grep -v '^#' "$infile" | awk '{print $2}' | grep -c '^'"$uid"'$')" -ne 1 ; then
+			echo "Duplicate UID: $uid"
 			error=1
 		fi
 	done
-	for gid in $gidlist ; do
-		if test `grep -v '^#' "$infile" | awk '{print $3}' | grep '^'"$gid"'$' | wc -l` -ne 1 ; then
-			echo Duplicate GID: $gid
+	for gid in $gidlist; do
+		if test "$(grep -v '^#' "$infile" | awk '{print $3}' | grep -c '^'"$gid"'$')" -ne 1 ; then
+			echo "Duplicate GID: $gid"
 			error=1
 		fi
 	done