When you access a freshly installed Solaris system (directly from the ISO without any automated post-install stuff) [1] and investigate the `passwd` file, you will already see a lot of preexisting users before you have done anything on your own. Those are used by many functions in the operating system, and they must be set up exactly this way so that the operating system can work without problems. When you change a property of such a user, you may break things. And it is not that rare that a problem with a system can finally be root-caused to such a change.
Since SRU72, Solaris has a new SMF service that checks the user-related repositories `/etc/passwd` and `/etc/shadow` for changes. Due to the `pkg` tooling, we know exactly what a user should look like, and the new service leverages this knowledge.
A nice example is the `aiuser`. Someone could get the idea to use it for their artificial intelligence applications and change, for example, the home directory or give it a different user id. But in a Solaris system this user is for the Automated Installer, and with a change you may break one or more subsystems in Solaris. Even when you are not knowingly using the Automated Installer, it may be used in the background of a different feature like Solaris Zones.
Okay, for my example I changed the uid and the home directory of the `aiuser`. The passwd entry should look like this:
root@testbed:~# getent passwd aiuser
aiuser:x:61:61:AI User:/:
After my changes it looks like this:
root@testbed:~# getent passwd aiuser
aiuser:x:1001:61:AI User:/narf:
A first check is executed at boot; however, I will restart the service with `svcadm restart svc:/system/check/user:default` to show what the output looks like after a reboot.
[ 2025 Mar 31 20:09:30 Executing start method ("/lib/svc/method/sysusercheck "). ]
2025-03-31T20:09:35 user='aiuser' uid mismatch: got 1001 expected 61
2025-03-31T20:09:35 user='aiuser' pw_dir mismatch: got /narf expected /
2025-03-31T20:09:35 2 issues with system accounts. Run 'pkg fix' to resolve the issues.
[ 2025 Mar 31 20:09:36 Method "start" exited with status 0. ]
As suggested by the output, I will use `pkg fix` to correct the problems instead of using `vi` to revert the user manually to its intended state.
root@testbed:~# pkg fix
Packages to fix: 1
Create boot environment: No
Create backup boot environment: Yes
Repairing: pkg://solaris/system/install/auto-install/auto-install-common@(...)
PACKAGE STATUS
pkg://solaris/system/install/auto-install/auto-install-common ERROR
user: aiuser
ERROR: home-dir: '/narf' should be '/'
ERROR: uid: '1001' should be '61'
PHASE ITEMS
Updating modified actions 1/1
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
root@testbed:~#
Let’s check if the user `aiuser` is up to our expectations.
root@testbed:~# getent passwd aiuser
aiuser:x:61:61:AI User:/:
But the really cool feature is this: if you had to reboot the server or restart the service to get it to do its job, the service wouldn’t be that helpful. Reboots should be rare, and so should manual intervention. However, the service monitors `/etc/passwd` and `/etc/shadow` with the help of event ports, so the checks are run right after you modify either of the two files.
So, I modified the file again. I substituted the uid `61` with `1002`. When I accessed the log file a few seconds later, I found the following lines at the end, indicating that the service had already detected the change and checked it.
root@testbed:~# cat /var/svc/log/system-check-user:default.log
(...)
2025-03-31T20:26:01 user='aiuser' uid mismatch: got 1002 expected 61
2025-03-31T20:26:01 issue with a system account. Run 'pkg fix' to resolve the issues.
The script used by SMF can be used outside of an SMF service as well. It behaves differently in this case: instead of monitoring, it executes the check once and exits:
root@testbed:~# /lib/svc/method/sysusercheck debug
Getting list of system users from pkg...
23 system users installed on this system
user='aiuser' uid mismatch: got 1003 expected 61
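As an added example (not part of the original post and not Oracle's code), the following Python code parses the mismatch lines in the format shown in the log excerpts above so they can be forwarded to monitoring; in the excerpt the start method exits with status 0 even though two issues were logged, so the findings have to be read from the log. The names `parse_findings`, `latest_per_field` and `Finding` are hypothetical, and the sample log is constructed from the lines shown on this page.

```python
import re
from typing import NamedTuple, Optional

# Line format taken from the log excerpts on this page; the timestamp is
# optional because the one-shot "debug" run prints findings without one.
MISMATCH = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+)?"
    r"user='(?P<user>[^']+)'\s+(?P<field>\S+)\s+mismatch:\s+"
    r"got\s+(?P<got>.*?)\s+expected\s+(?P<expected>.*)$"
)

class Finding(NamedTuple):
    ts: Optional[str]
    user: str
    field: str
    got: str
    expected: str

def parse_findings(log_text):
    """Return every mismatch line as a Finding, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH.match(line.strip())
        if m:  # summary lines and SMF bracket lines do not match
            findings.append(Finding(**m.groupdict()))
    return findings

def latest_per_field(findings):
    """Keep only the most recent finding for each (user, field) pair."""
    latest = {}
    for f in findings:  # later log lines overwrite earlier ones
        latest[(f.user, f.field)] = f
    return latest

# Constructed sample: lines copied from the excerpts shown on this page.
SAMPLE_LOG = """\
[ 2025 Mar 31 20:09:30 Executing start method ("/lib/svc/method/sysusercheck "). ]
2025-03-31T20:09:35 user='aiuser' uid mismatch: got 1001 expected 61
2025-03-31T20:09:35 user='aiuser' pw_dir mismatch: got /narf expected /
2025-03-31T20:09:35 2 issues with system accounts. Run 'pkg fix' to resolve the issues.
[ 2025 Mar 31 20:09:36 Method "start" exited with status 0. ]
2025-03-31T20:26:01 user='aiuser' uid mismatch: got 1002 expected 61
2025-03-31T20:26:01 issue with a system account. Run 'pkg fix' to resolve the issues.
"""

if __name__ == "__main__":
    for (user, field), f in sorted(latest_per_field(parse_findings(SAMPLE_LOG)).items()):
        print(f"{f.ts} {user} {field}: got {f.got!r}, expected {f.expected!r}")
```

The log shows only mismatches, so an entry returned by `latest_per_field` may already have been repaired with `pkg fix`; confirm the current state with `getent passwd` before acting on it.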
[1] Or any other multi-user operating system for that matter.