Log in once with an isSystemUser, and it gets displayed forever on login screen?

I have a user:

  users.mutableUsers = false;

  # other user definitions and:

  users.users.otheruser = {
    isSystemUser = true;
    hashedPassword = "supersecret";
    createHome = false;
    packages = with pkgs; [];
  };

and this user is not shown on the GDM login page initially. If I click “Not listed?” and enter username/password for otheruser I am logged in as that user.

And now forevermore I’ll see otheruser as a login option in GDM.

Logging in as otheruser creates:

$ sudo cat /var/lib/AccountsService/users/otheruser
[User]
Session=
Icon=/var/empty/.face
SystemAccount=false

If I remove that file, otheruser is hidden again. That file does not get removed by sudo nixos-rebuild switch.

Is there some way I can log in with otheruser via “Not listed?”, but avoid otheruser being shown as a permanent displayed login option (until I manually delete /var/lib/AccountsService/users/otheruser)?

(I noticed it first for root, but then discovered that this also applies to other isSystemUsers. And I’m assuming that root is also isSystemUser. Either way, this applies to root also.)

You can permanently hide a specific user by setting SystemAccount=true in that file, and you can declaratively create that file like so:

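{
  # "10-accountsservice-otheruser" is an arbitrary name for the generated tmpfiles.d file;
  # the option is nested as settings.<config-name>.<path>.<type>.
  systemd.tmpfiles.settings."10-accountsservice-otheruser"."/var/lib/AccountsService/users/otheruser".f = {
    type = "f+";
    argument = "[User]\nSession=\nIcon=/var/empty/.face\nSystemAccount=true";
  };
}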

Ultimately this is a feature of gdm, if you want some nice generic UI for this you’ll have to go upstream. Somewhat doubt they’ll be receptive to this, though, I don’t think this is intended for temporary system user logins.

IMO logging into a real session as system users is bad practice anyway, they are designed to never actually be logged in to (hence the lack of home directory or any other interactive things). Just use sudo -s -u otheruser to switch to a shell owned by them if you need to do administrative things, or create a non-system user with proper permissions to do whatever you need to do as that system user.

I don’t think root has isSystemUser set; the reason it doesn’t show up is because its UID < 1000 (because root is defined as the user with UID 0). I’m not even sure there are any explicit settings for root in nixpkgs. It does seem to, with a bit of lib.traceVal you can see that isSystemUser is false.

Yeah, I don’t plan on making a habit out of logging into such users. I logged in as root once because I had messed up my config and couldn’t log in as myself. Which caused “System Administrator” to be a permanent option in GDM, and so I needed to investigate why.

Thank you @TLATER for your reply.
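
An audit for the state described in this thread, as an added example that is not part of the original posts: it lists accounts with a UID below 1000 whose cached AccountsService entry is not marked SystemAccount=true, which are the entries a one-off login leaves behind. The function names, the sample accounts and the UID 993 are constructed for illustration, and the 1000 threshold is taken from the thread as an assumption.

```python
import configparser
import tempfile
from pathlib import Path

USERS_DIR = Path("/var/lib/AccountsService/users")  # path shown in the thread
UID_MIN = 1000  # assumption: regular accounts start at UID 1000, as the thread states

def read_uids(passwd_text):
    """Map user name -> UID from passwd(5)-formatted text."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids

def is_system_account(path):
    """Return the SystemAccount flag of one AccountsService file (False if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, the file uses "SystemAccount"
    cp.read_string(path.read_text())
    return cp.get("User", "SystemAccount", fallback="false").strip().lower() == "true"

def exposed_system_users(users_dir, uids, uid_min=UID_MIN):
    """Names with UID < uid_min whose cached entry is not marked SystemAccount=true."""
    found = []
    for path in sorted(Path(users_dir).iterdir()):
        uid = uids.get(path.name)
        if path.is_file() and uid is not None and uid < uid_min and not is_system_account(path):
            found.append(path.name)
    return found

def demo():
    """Run the check on constructed sample data instead of the live system."""
    passwd = (
        "root:x:0:0::/root:/bin/sh\n"
        "otheruser:x:993:993::/var/empty:/bin/sh\n"
        "alice:x:1000:100::/home/alice:/bin/sh\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "otheruser").write_text("[User]\nSession=\nIcon=/var/empty/.face\nSystemAccount=false\n")
        (d / "root").write_text("[User]\nSession=\nSystemAccount=true\n")
        (d / "alice").write_text("[User]\nSession=\nSystemAccount=false\n")
        return exposed_system_users(d, read_uids(passwd))

if __name__ == "__main__":
    print(demo())
```

On a live system, call `exposed_system_users(USERS_DIR, read_uids(Path("/etc/passwd").read_text()))` as root, since the thread reads that directory with sudo.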