Groupadd & usermod don't always work in CoreOS

Is there some issue in CoreOS with certain groups? For instance, the group “input” does not exist in /etc/group, but when I do “sudo groupadd input” I get an error saying it already exists. Then when I do “sudo usermod -aG input core”, this doesn’t fail, but it doesn’t modify /etc/group either. I found this occurring with some special groups like “input” and “video”, but not non-special groups like “foobar”. Is there some rule in CoreOS that states that users can only be added to special groups by specifying the membership in the Butane config file?

I am using fedora-coreos-36.20220723.3.1-virtualbox.x86_64.ova

There are additional groups in /usr/lib/group and users in /usr/lib/passwd. These are normally read via the altfiles NSS module in /etc/nsswitch.conf, but the shadow-utils programs don’t use NSS for these lookups.

There’s been some work on replacing nss-altfiles with systemd-sysusers, which would avoid this behavior, but that change isn’t imminent.

I guess this means there is no way to run a rootless GUI desktop environment (Xorg or Wayland) on CoreOS, as the necessary groups are not available to non-root users. Is that correct?

The workaround for this for now is to manually add the appropriate line in /etc/group. See e.g. Drop requirement on nss-altfiles, use systemd sysusers · Issue #49 · coreos/rpm-ostree · GitHub.