Why are some user/group ids changed?

Recently I got an error message from ddclient.service:

/bin/touch: cannot touch '/var/cache/ddclient/ddclient.cache': Permission denied

And I found the problem was caused by wrong user:group of the file /var/cache/ddclient/ddclient.cache (which should be ddclient:ddclient instead of clevis):

-rw-------. 1 clevis 960 system_u:object_r:ddclient_var_t:s0 614 Dec 30 14:08 /var/cache/ddclient/ddclient.cache

I also found user:group of the file /etc/ddclient.conf is wrong:

-rw-------. 1 clevis 960 system_u:object_r:ddclient_etc_t:s0 10410 Oct  5 08:53 /etc/ddclient.conf

It seems that the user:group id of ddclient:ddclient has changed.

While the problem can be solved by running chown on the files. I still don’t know why suddenly user:group id changed. Anyone has any clues?

gid=960 is in the range of dynamically assigned ids and maybe the scripts in the rpm will shed some light on why they changed. Is your system an “atomic” version or purely RPMs?

I am using silverblue fc41. By checking the journalctl log, I found the error occurred after I updated the system, so it looks like the scripts in the rpm did this.

By inspecting the contents of /etc/passwd, /etc/group and /usr/lib/passwd, /usr/lib/group, I found that clevis user/group is defned in /etc/passwd and /etc/group while ddclient user/group is defned in the /usr/lib/passwd and /usr/lib/group.

$ grep clevis /etc/passwd
clevis:x:961:961:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/usr/sbin/nologin
$ grep clevis /etc/group 
clevis:x:961:
$ grep ddclient /usr/lib/passwd
dclient:x:963:962:Dynamic DNS Client:/var/cache/ddclient:/sbin/nologin
$ grep ddclient /usr/lib/group 
ddclient:x:962:

:thinking: I think system users/groups in silverblue should all go to /usr/lib/passwd and /usr/lib/group. Maybe it is an upstream bug that handled user/group ids incorretly?

Searching around a bit shows problems that have been looked at but you have a case that is currently not working. More recent attempts in bootc exist. Not sure what is silverblue using today. The transition to a new way can’t be easy.

After reading the github issue, I have some clues why this happened but still not very sure.

I occasionally run sudo rpm-ostree apply-live --allow-replacement after rpm-ostree upgrade to avoid rebooting my system every time.

I think maybe rpm-ostree does not handle user/groupd id allocation correctly when executing apply-live, which caused clevis scripts in the rpm modified /etc/passwd and /etc/group instead of /usr/lib/passwd and /usr/lib/group. Therefore clevis appeared in /etc/passwd and /etc/group instead of /usr/lib/passwd and /usr/lib/group.

So I manually removed clevis from /etc/passwd and /etc/group and uninstalled some layered packages to enable rpm-ostree to update my system. After rebooting, clevis user/group now is defined in /usr/lib/passwd and /usr/lib/group. However, I am not sure this is the real cause because I can not reproduce this bug by running apply-live.