* [gentoo-dev] [PATCH 1/9] user.eclass: Do not create user-group automatically
2019-05-30 12:50 [gentoo-dev] [PATCH 0/9] User/group package draft implementation Michał Górny
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Closes: https://bugs.gentoo.org/512220
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/user.eclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eclass/user.eclass b/eclass/user.eclass
index f6a10a6bee28..a6c6ad82b7a0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -246,7 +246,7 @@ enewuser() {
;;
*)
- useradd -r "${opts[@]}" "${euser}" || die
+ useradd -N -r "${opts[@]}" "${euser}" || die
;;
esac
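Review bot: the commit message gives no rationale for `-N`, and the flag changes the outcome for every existing caller that passes no groups: per useradd(8), without a user-private group the account's primary group becomes the one given by `-g` or, failing that, the `GROUP` setting in /etc/login.defs (typically `users`, GID 100) instead of a fresh group named after the user. Please state in the message that this is intended because the group is meant to come from a separate group package, and add a sentence to enewuser's @DESCRIPTION so ebuilds that relied on the implicit same-named group know to call enewgroup first.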
--
2.22.0.rc1
* [gentoo-dev] [PATCH 2/9] user.eclass: Prevent automated home creation in useradd
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Pass '-M' to prevent useradd from automatically creating the home
directory (depending on system configuration). We create the home
directory ourselves anyway, and we have better control over how it's
created this way.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/user.eclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eclass/user.eclass b/eclass/user.eclass
index a6c6ad82b7a0..6be76666d9f3 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -246,7 +246,7 @@ enewuser() {
;;
*)
- useradd -N -r "${opts[@]}" "${euser}" || die
+ useradd -M -N -r "${opts[@]}" "${euser}" || die
;;
esac
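Review bot: `-M` is fine, but "depending on system configuration" in the commit message overstates the change for the common case: shadow's useradd(8) documents that `-r`, already present on this line, skips home-directory creation regardless of CREATE_HOME in /etc/login.defs, so the new flag only matters for other useradd implementations that reach this `*)` branch. Saying that `-M` makes the intent explicit and portable would be more accurate; the directory itself is still created by enewuser's own `mkdir -p`/`chown` later in the function.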
--
2.22.0.rc1
* [gentoo-dev] [PATCH 3/9] user.eclass: Support disabling home directory creation
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/user.eclass | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/eclass/user.eclass b/eclass/user.eclass
index 6be76666d9f3..7eda668974f0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -96,12 +96,15 @@ egetent() {
}
# @FUNCTION: enewuser
-# @USAGE: <user> [uid] [shell] [homedir] [groups]
+# @USAGE: <user> [-M] [uid] [shell] [homedir] [groups]
# @DESCRIPTION:
# Same as enewgroup, you are not required to understand how to properly add
# a user to the system. The only required parameter is the username.
# Default uid is (pass -1 for this) next available, default shell is
# /bin/false, default homedir is /dev/null, and there are no default groups.
+#
+# If -M is passed, enewuser does not create the home directory if it does not
+# exist.
enewuser() {
if [[ ${EUID} != 0 ]] ; then
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
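Review bot: the new @USAGE line `<user> [-M] [uid] [shell] [homedir] [groups]` contradicts the option parser added in the next hunk, which consumes `-M` before `$1` is taken as the username; with the order documented here, `-M` would land in the uid slot. Write it as `[-M] <user> [uid] [shell] [homedir] [groups]`.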
@@ -109,6 +112,15 @@ enewuser() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
+ local create_home=1
+ while [[ $1 == -* ]]; do
+ case $1 in
+ -M) create_home=;;
+ *) die "${FUNCNAME}: invalid option ${1}";;
+ esac
+ shift
+ done
+
# get the username
local euser=$1; shift
if [[ -z ${euser} ]] ; then
@@ -250,7 +262,7 @@ enewuser() {
;;
esac
- if [[ ! -e ${ROOT}/${ehome} ]] ; then
+ if [[ -n ${create_home} && ! -e ${ROOT}/${ehome} ]] ; then
einfo " - Creating ${ehome} in ${ROOT}"
mkdir -p "${ROOT}/${ehome}"
chown "${euser}" "${ROOT}/${ehome}"
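Review bot: with `-M`, a missing `${ROOT}/${ehome}` is now skipped silently, so the account can end up with a home path that does not exist and, because the `chown "${euser}"` in this block is skipped as well, the caller becomes responsible for ownership. An `einfo` saying that home creation was skipped would make that visible in the build log, and the `-M` documentation should say that the caller must create and own the directory itself.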
--
2.22.0.rc1
* [gentoo-dev] [PATCH 4/9] user.eclass: Support forcing specified UID/GID
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/user.eclass | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/eclass/user.eclass b/eclass/user.eclass
index 7eda668974f0..1ffeaae29569 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -96,13 +96,15 @@ egetent() {
}
# @FUNCTION: enewuser
-# @USAGE: <user> [-M] [uid] [shell] [homedir] [groups]
+# @USAGE: <user> [-F] [-M] [uid] [shell] [homedir] [groups]
# @DESCRIPTION:
# Same as enewgroup, you are not required to understand how to properly add
# a user to the system. The only required parameter is the username.
# Default uid is (pass -1 for this) next available, default shell is
# /bin/false, default homedir is /dev/null, and there are no default groups.
#
+# If -F is passed, enewuser will always enforce specified UID and fail if it
+# can not be assigned.
# If -M is passed, enewuser does not create the home directory if it does not
# exist.
enewuser() {
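Review bot: the @USAGE line `<user> [-F] [-M] [uid] ...` puts the options after the username although the parser takes them before it; it should read `[-F] [-M] <user> [uid] [shell] [homedir] [groups]`. The `-F` description should also say that an explicit, positive uid is required, since the later hunks make `-F` with an omitted or `-1` uid a hard `die`. Nit: "can not" should be "cannot".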
@@ -112,9 +114,10 @@ enewuser() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
- local create_home=1
+ local create_home=1 force_uid=
while [[ $1 == -* ]]; do
case $1 in
+ -F) force_uid=1;;
-M) create_home=;;
*) die "${FUNCNAME}: invalid option ${1}";;
esac
@@ -142,6 +145,7 @@ enewuser() {
if [[ -n ${euid} && ${euid} != -1 ]] ; then
if [[ ${euid} -gt 0 ]] ; then
if [[ -n $(egetent passwd ${euid}) ]] ; then
+ [[ -n ${force_uid} ]] && die "${FUNCNAME}: UID ${euid} already taken"
euid="next"
fi
else
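Review bot: `-F` here only guarantees that `${euid}` is not held by another entry; it does not catch an account named `${euser}` that already exists with a different UID, which is the case the SYS_USER_ENFORCE_ID documentation in patch 6 promises to fail on. If enewuser returns early for an existing user before reaching this block, the enforced path should first compare the UID field of `egetent passwd "${euser}"` with `${euid}` and die on mismatch; otherwise the "enforced" UID is silently not enforced on systems where the user pre-exists.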
@@ -149,6 +153,7 @@ enewuser() {
die "${euid} is not a valid UID"
fi
else
+ [[ -n ${force_uid} ]] && die "${FUNCNAME}: -F with uid==-1 makes no sense"
euid="next"
fi
if [[ ${euid} == "next" ]] ; then
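Review bot: this else branch belongs to `if [[ -n ${euid} && ${euid} != -1 ]]`, so it is also reached when no uid argument was given at all; the message "-F with uid==-1 makes no sense" is then misleading for a call like `enewuser -F foo`. Word it as "-F requires an explicit uid".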
@@ -277,6 +282,9 @@ enewuser() {
# group to the system. Just give it a group name to add and enewgroup will
# do the rest. You may specify the gid for the group or allow the group to
# allocate the next available one.
+#
+# If -F is passed, enewgroup will always enforce specified GID and fail if it
+# can not be assigned.
enewgroup() {
if [[ ${EUID} != 0 ]] ; then
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
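Review bot: only the prose description of enewgroup is updated; if enewgroup carries an @USAGE line like enewuser's, it needs `[-F] <group> [gid]` as well, with the option before the group name to match the parser added below. Same "cannot" nit as above.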
@@ -284,6 +292,15 @@ enewgroup() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
+ local force_gid=
+ while [[ $1 == -* ]]; do
+ case $1 in
+ -F) force_gid=1;;
+ *) die "${FUNCNAME}: invalid option ${1}";;
+ esac
+ shift
+ done
+
# get the group
local egroup=$1; shift
if [[ -z ${egroup} ]] ; then
@@ -302,6 +319,7 @@ enewgroup() {
if [[ ! -z ${egid} ]] ; then
if [[ ${egid} -gt 0 ]] ; then
if [[ -n $(egetent group ${egid}) ]] ; then
+ [[ -n ${force_gid} ]] && die "${FUNCNAME}: GID ${egid} already taken"
egid="next available; requested gid taken"
fi
else
@@ -309,6 +327,7 @@ enewgroup() {
die "${egid} is not a valid GID"
fi
else
+ [[ -n ${force_gid} ]] && die "${FUNCNAME}: -F with gid==-1 makes no sense"
egid="next available"
fi
einfo " - Groupid: ${egid}"
--
2.22.0.rc1
* [gentoo-dev] [PATCH 5/9] user.eclass: Die if no free UID/GID is found
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/user.eclass | 2 ++
1 file changed, 2 insertions(+)
diff --git a/eclass/user.eclass b/eclass/user.eclass
index 1ffeaae29569..b16c4c6d69b7 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -160,6 +160,7 @@ enewuser() {
for ((euid = 101; euid <= 999; euid++)); do
[[ -z $(egetent passwd ${euid}) ]] && break
done
+ [[ ${euid} -le 999 ]] || die "${FUNCNAME}: no free UID found"
fi
opts+=( -u ${euid} )
einfo " - Userid: ${euid}"
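Review bot: the bound check is correct (the `for` loop leaves euid at 1000 when every slot is used), but the 101-999 window is hard-coded while the `useradd -r` call already targets the system range from /etc/login.defs (SYS_UID_MIN/SYS_UID_MAX, whose shadow defaults are 101 and UID_MIN-1). Because `opts+=( -u ${euid} )` is always passed, a site that narrowed that range is ignored; either read the bounds from login.defs or, as Jaco suggests downthread, let `useradd -r` allocate when no uid was requested. The scan is also check-then-act, so the `|| die` on the useradd call stays the authoritative failure if the slot gets taken in between.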
@@ -344,6 +345,7 @@ enewgroup() {
for ((egid = 101; egid <= 999; egid++)) ; do
[[ -z $(egetent group ${egid}) ]] && break
done
+ [[ ${egid} -le 999 ]] || die "${FUNCNAME}: no free GID found"
fi
}
--
2.22.0.rc1
* Re: [gentoo-dev] [PATCH 5/9] user.eclass: Die if no free UID/GID is found
From: Jaco Kroon @ 2019-05-31 8:02 UTC
To: gentoo-dev
Hi,
Why not utilize -r or --system as per useradd(8) in order to add system
users?
The limits for the allocated user ids come from /etc/login.defs.
Kind Regards,
Jaco
On 2019/05/30 14:50, Michał Górny wrote:
> Signed-off-by: Michał Górny <mgorny@gentoo.org>
> ---
> eclass/user.eclass | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/eclass/user.eclass b/eclass/user.eclass
> index 1ffeaae29569..b16c4c6d69b7 100644
> --- a/eclass/user.eclass
> +++ b/eclass/user.eclass
> @@ -160,6 +160,7 @@ enewuser() {
> for ((euid = 101; euid <= 999; euid++)); do
> [[ -z $(egetent passwd ${euid}) ]] && break
> done
> + [[ ${euid} -le 999 ]] || die "${FUNCNAME}: no free UID found"
> fi
> opts+=( -u ${euid} )
> einfo " - Userid: ${euid}"
> @@ -344,6 +345,7 @@ enewgroup() {
> for ((egid = 101; egid <= 999; egid++)) ; do
> [[ -z $(egetent group ${egid}) ]] && break
> done
> + [[ ${egid} -le 999 ]] || die "${FUNCNAME}: no free GID found"
> fi
> }
>
* [gentoo-dev] [PATCH 6/9] {group,user}.eclass: WIP eclasses to maintain users/groups
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
---
eclass/sys-group.eclass | 105 ++++++++++++++++++++
eclass/sys-user.eclass | 206 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 311 insertions(+)
create mode 100644 eclass/sys-group.eclass
create mode 100644 eclass/sys-user.eclass
diff --git a/eclass/sys-group.eclass b/eclass/sys-group.eclass
new file mode 100644
index 000000000000..3960db16b5d6
--- /dev/null
+++ b/eclass/sys-group.eclass
@@ -0,0 +1,105 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: sys-group.eclass
+# @MAINTAINER:
+# Michał Górny <mgorny@gentoo.org>
+# @AUTHOR:
+# Michael Orlitzky <mjo@gentoo.org>
+# Michał Górny <mgorny@gentoo.org>
+# @BLURB: Eclass used to create and maintain a single group entry
+# @DESCRIPTION:
+# This eclass represents and creates a single group entry. The name
+# of the group is derived from ${PN}, while (preferred) GID needs to
+# be specified via SYS_GROUP_ID. Packages (and users) needing the group
+# in question should depend on the package providing it.
+#
+# Example:
+# If your package needs group 'foo', you create 'group/foo' package
+# and add an ebuild with the following contents:
+#
+# @CODE
+# EAPI=7
+# inherit sys-group
+# SYS_GROUP_ID=200
+# @CODE
+#
+# Then you add appropriate dependency to your package. The dependency
+# type(s) should be:
+# - DEPEND (+ RDEPEND) if the group is already needed at build time,
+# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
+# in pkg_preinst),
+# - PDEPEND if it is only needed at runtime.
+
+
+if [[ -z ${_SYS_GROUP_ECLASS} ]]; then
+_SYS_GROUP_ECLASS=1
+
+case ${EAPI:-0} in
+ 7) ;;
+ *) die "EAPI=${EAPI} not supported";;
+esac
+
+inherit user
+
+
+# << Eclass variables >>
+
+# @ECLASS-VARIABLE: SYS_GROUP_ID
+# @REQUIRED
+# @DESCRIPTION:
+# Preferred GID for the new group. This variable is obligatory, and its
+# value must be unique across all group packages.
+
+# @ECLASS-VARIABLE: SYS_GROUP_ENFORCE_ID
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will require the group to have
+# specified GID. If the group already exists with another GID, or
+# the GID is taken by another group, the install will fail.
+: ${SYS_GROUP_ENFORCE_ID:=}
+
+
+# << Boilerplate ebuild variables >>
+: ${DESCRIPTION:="System group: ${PN}"}
+: ${HOMEPAGE:=https://www.gentoo.org/}
+: ${SLOT:=0}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
+S=${WORKDIR}
+
+
+# << Phase functions >>
+EXPORT_FUNCTIONS pkg_pretend pkg_preinst
+
+# @FUNCTION: sys-group_pkg_pretend
+# @DESCRIPTION:
+# Performs sanity checks for correct eclass usage, and early-checks
+# whether requested GID can be enforced.
+sys-group_pkg_pretend() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ # verify SYS_GROUP_ID
+ [[ -n ${SYS_GROUP_ID} ]] || die "Ebuild error: SYS_GROUP_ID must be set!"
+ [[ ${SYS_GROUP_ID} -ge 0 ]] || die "Ebuild errors: SYS_GROUP_ID=${SYS_GROUP_ID} invalid!"
+
+ # check for SYS_GROUP_ID collisions early
+ if [[ -n ${SYS_GROUP_ENFORCE_ID} ]]; then
+ local grp=$(egetent group "${SYS_GROUP_ID}")
+ if [[ -n ${grp} ]]; then
+ eerror "The required GID is already taken by another group."
+ eerror " GID: ${SYS_GROUP_ID} (needed for ${PN})"
+ eerror " current group: ${grp}"
+ die "GID ${SYS_GROUP_ID} taken already"
+ fi
+ fi
+}
+
+# @FUNCTION: sys-group_pkg_preinst
+# @DESCRIPTION:
+# Creates the group if it does not exist yet.
+sys-group_pkg_preinst() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ enewgroup -F "${PN}" "${SYS_GROUP_ID}"
+}
+
+fi
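Review bot: SYS_GROUP_ENFORCE_ID does not actually control enforcement: sys-group_pkg_pretend checks for a collision only when the variable is set, but sys-group_pkg_preinst always calls `enewgroup -F "${PN}" "${SYS_GROUP_ID}"`, so the GID is enforced unconditionally and a package without the variable fails late in preinst instead of in pretend. Either pass `-F` only when `${SYS_GROUP_ENFORCE_ID}` is non-empty, or drop the variable and always check in pretend. Two smaller points: the variable's description promises failure when the group already exists with another GID, yet neither `egetent group "${SYS_GROUP_ID}"` here nor `-F` compares an existing `${PN}` group's GID with SYS_GROUP_ID; and `[[ ${SYS_GROUP_ID} -ge 0 ]]` accepts 0 and produces a bash arithmetic error on a non-numeric value, so `[[ ${SYS_GROUP_ID} =~ ^[0-9]+$ ]]` would give a clearer ebuild error (that message also says "Ebuild errors:" where the line above says "Ebuild error:").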
diff --git a/eclass/sys-user.eclass b/eclass/sys-user.eclass
new file mode 100644
index 000000000000..de59af99a843
--- /dev/null
+++ b/eclass/sys-user.eclass
@@ -0,0 +1,206 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: sys-user.eclass
+# @MAINTAINER:
+# Michał Górny <mgorny@gentoo.org>
+# @AUTHOR:
+# Michael Orlitzky <mjo@gentoo.org>
+# Michał Górny <mgorny@gentoo.org>
+# @BLURB: Eclass used to create and maintain a single user entry
+# @DESCRIPTION:
+# This eclass represents and creates a single user entry. The name
+# of the user is derived from ${PN}, while (preferred) UID needs to
+# be specified via SYS_USER_ID. Additional variables are provided
+# to override the default home directory, shell and add group
+# membership. Packages needing the user in question should depend
+# on the package providing it.
+#
+# Example:
+# If your package needs user 'foo' belonging to same-named group, you
+# create 'user/foo' package and add an ebuild with the following
+# contents:
+#
+# @CODE
+# EAPI=7
+# inherit sys-user
+# SYS_USER_ID=200
+# SYS_USER_GROUPS=( foo )
+# sys-user_add_deps
+# @CODE
+#
+# Then you add appropriate dependency to your package. The dependency
+# type(s) should be:
+# - DEPEND (+ RDEPEND) if the user is already needed at build time,
+# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
+# in pkg_preinst),
+# - PDEPEND if it is only needed at runtime.
+
+if [[ -z ${_SYS_USER_ECLASS} ]]; then
+_SYS_USER_ECLASS=1
+
+case ${EAPI:-0} in
+ 7) ;;
+ *) die "EAPI=${EAPI} not supported";;
+esac
+
+inherit user
+
+
+# << Eclass variables >>
+
+# @ECLASS-VARIABLE: SYS_USER_ID
+# @REQUIRED
+# @DESCRIPTION:
+# Preferred UID for the new user. This variable is obligatory, and its
+# value must be unique across all user packages.
+
+# @ECLASS-VARIABLE: SYS_USER_ENFORCE_ID
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will require the user to have
+# specified UID. If the user already exists with another UID, or
+# the UID is taken by another user, the install will fail.
+: ${SYS_USER_ENFORCE_ID:=}
+
+# @ECLASS-VARIABLE: SYS_USER_SHELL
+# @DESCRIPTION:
+# The shell to use for the new user. If not specified, a 'nologin'
+# variant for the system is used. This affects only new user accounts.
+: ${SYS_USER_SHELL:=-1}
+
+# @ECLASS-VARIABLE: SYS_USER_HOME
+# @DESCRIPTION:
+# The home directory for the new user. If not specified, /dev/null
+# is used. This affects only new user accounts. The directory will
+# be created with appropriate permissions if it does not exist.
+: ${SYS_USER_HOME:=/dev/null}
+
+# @ECLASS-VARIABLE: SYS_USER_GROUPS
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# List of groups the user should belong to. This must be a bash
+# array. If not specified, the user is not added to any groups.
+# This affects only new user accounts.
+#
+# If SYS_USER_GROUPS is specified, the ebuild needs to call
+# sys-user_add_deps in global scope to add appropriate dependencies.
+
+
+# << Boilerplate ebuild variables >>
+: ${DESCRIPTION:="System user: ${PN}"}
+: ${HOMEPAGE:=https://www.gentoo.org/}
+: ${SLOT:=0}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
+S=${WORKDIR}
+
+
+# << API functions >>
+
+# @FUNCTION: sys-user_add_deps
+# @DESCRIPTION:
+# Generate appropriate RDEPEND from SYS_USER_GROUPS. This must be
+# called if SYS_USER_GROUPS are set.
+sys-user_add_deps() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ # SYS_USER_GROUPS sanity check
+ if ! declare -p SYS_USER_GROUPS &>/dev/null; then
+ return
+ elif [[ $(declare -p SYS_USER_GROUPS) != "declare -a"* ]]; then
+ die 'SYS_USER_GROUPS must be an array.'
+ fi
+
+ local g
+ for g in "${SYS_USER_GROUPS[@]}"; do
+ RDEPEND+=" group/${g}"
+ done
+
+ _SYS_USER_ADD_DEPS_CALLED=1
+}
+
+
+# << Phase functions >>
+EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_prerm
+
+# @FUNCTION: sys-user_pkg_pretend
+# @DESCRIPTION:
+# Performs sanity checks for correct eclass usage, and early-checks
+# whether requested UID can be enforced.
+sys-user_pkg_pretend() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ # verify that sys-user_add_deps() has been called
+ # (it verifies SYS_USER_GROUPS itself)
+ if [[ -z ${_SYS_USER_ADD_DEPS_CALLED} ]]; then
+ if declare -p SYS_USER_GROUPS &>/dev/null; then
+ die "Ebuild error: sys-user_add_deps must have been called in global scope!"
+ fi
+ fi
+
+ # verify SYS_USER_ID
+ [[ -n ${SYS_USER_ID} ]] || die "Ebuild error: SYS_USER_ID must be set!"
+ [[ ${SYS_USER_ID} -ge 0 ]] || die "Ebuild errors: SYS_USER_ID=${SYS_USER_ID} invalid!"
+
+ # check for SYS_USER_ID collisions early
+ if [[ -n ${SYS_USER_ENFORCE_ID} ]]; then
+ local pwd=$(egetent passwd "${SYS_USER_ID}")
+ if [[ -n ${pwd} ]]; then
+ eerror "The required UID is already taken by another user."
+ eerror " UID: ${SYS_USER_ID} (needed for ${PN})"
+ eerror " current user: ${pwd}"
+ die "UID ${SYS_USER_ID} taken already"
+ fi
+ fi
+}
+
+# @FUNCTION: sys-user_src_install
+# @DESCRIPTION:
+# Installs a keep-file into the user's home directory to ensure it is
+# owned by the package.
+sys-user_src_install() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ if [[ ${SYS_USER_HOME} != /dev/null ]]; then
+ # note: we can't set permissions here since the user isn't
+ # created yet
+ keepdir "${SYS_USER_HOME}"
+ fi
+}
+
+# @FUNCTION: sys-user_pkg_preinst
+# @DESCRIPTION:
+# Creates the user if it does not exist yet. Sets permissions
+# of the home directory in install image.
+sys-user_pkg_preinst() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ local groups=${SYS_USER_GROUPS[*]}
+ enewuser -F -M "${PN}" "${SYS_USER_ID}" "${SYS_USER_SHELL}" \
+ "${SYS_USER_HOME}" "${groups// /,}"
+
+ if [[ ${SYS_USER_HOME} != /dev/null ]]; then
+ # set ownership of homedir to user:primary-group
+ fowners "${SYS_USER_ID}" "${SYS_USER_HOME}"
+ if [[ -n ${SYS_USER_GROUPS[0]} ]]; then
+ fowners ":${SYS_USER_GROUPS[0]}" "${SYS_USER_HOME}"
+ fi
+ # TODO: should we fperms it too? To 0700 or is 0755 better
+ # for service users?
+ fi
+}
+
+# @FUNCTION: sys-user_pkg_prerm
+# @DESCRIPTION:
+# Ensures that the user account is locked out when it is removed.
+sys-user_pkg_prerm() {
+ debug-print-function ${FUNCNAME} "${@}"
+
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ :
+ # TODO: what should we do here, exactly? we shouldn't touch
+ # shell, and it should be nologin anyway. we could reset
+ # the password but it should not be set anyway.
+ fi
+}
+
+fi
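Review bot: the same SYS_USER_ENFORCE_ID inconsistency as in sys-group.eclass applies here: pretend checks only when the variable is set, while `enewuser -F -M ...` in sys-user_pkg_preinst enforces unconditionally. Three points specific to this file. `keepdir "${SYS_USER_HOME}"` in src_install leaves a `.keep_*` file inside the home directory; for an account whose home is served to clients (user/ftp in this series sets /home/ftp) that file is visible to every client, so document it or find another way to keep the directory owned by the package. sys-user_pkg_prerm is a no-op on full removal; at minimum `elog` that the account is intentionally left in place, and since the shell is nologin by default, locking the password with `usermod -L` would be the conservative choice that does not touch the shell. Finally, the two `fowners` calls act on the install image only, so a home directory that already exists on the live system keeps its current ownership, which is consistent with `-M` but should be stated in the SYS_USER_HOME description.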
--
2.22.0.rc1
* [gentoo-dev] [PATCH 7/9] group/ftp: Add 'ftp' group (GID 21)
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
group/ftp/ftp-0.ebuild | 8 ++++++++
group/ftp/metadata.xml | 5 +++++
profiles/categories | 1 +
3 files changed, 14 insertions(+)
create mode 100644 group/ftp/ftp-0.ebuild
create mode 100644 group/ftp/metadata.xml
diff --git a/group/ftp/ftp-0.ebuild b/group/ftp/ftp-0.ebuild
new file mode 100644
index 000000000000..e9fc60499b9a
--- /dev/null
+++ b/group/ftp/ftp-0.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit sys-group
+
+SYS_GROUP_ID=21
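Review bot: with SYS_GROUP_ENFORCE_ID unset here, the early collision check in sys-group_pkg_pretend never runs for this package, yet preinst still calls `enewgroup -F`, so a system where GID 21 belongs to another group fails only at preinst. Until the eclass is made consistent, set `SYS_GROUP_ENFORCE_ID=1` in this ebuild so the failure surfaces in pretend with the descriptive `eerror` output.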
diff --git a/group/ftp/metadata.xml b/group/ftp/metadata.xml
new file mode 100644
index 000000000000..7a38bb900964
--- /dev/null
+++ b/group/ftp/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/profiles/categories b/profiles/categories
index 4ff0d5562001..acbade9601ea 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -76,6 +76,7 @@ gnome-extra
gnustep-apps
gnustep-base
gnustep-libs
+group
gui-apps
gui-libs
gui-wm
--
2.22.0.rc1
* [gentoo-dev] [PATCH 8/9] user/ftp: Add 'ftp' user (UID 21)
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
profiles/categories | 1 +
user/ftp/ftp-0.ebuild | 19 +++++++++++++++++++
user/ftp/metadata.xml | 5 +++++
3 files changed, 25 insertions(+)
create mode 100644 user/ftp/ftp-0.ebuild
create mode 100644 user/ftp/metadata.xml
diff --git a/profiles/categories b/profiles/categories
index acbade9601ea..db35420df398 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -148,6 +148,7 @@ sys-kernel
sys-libs
sys-power
sys-process
+user
virtual
www-apache
www-apps
diff --git a/user/ftp/ftp-0.ebuild b/user/ftp/ftp-0.ebuild
new file mode 100644
index 000000000000..f02b52e12deb
--- /dev/null
+++ b/user/ftp/ftp-0.ebuild
@@ -0,0 +1,19 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit sys-user
+
+SYS_USER_ID=21
+SYS_USER_HOME=/home/ftp
+SYS_USER_GROUPS=( ftp )
+
+sys-user_add_deps
+
+pkg_preinst() {
+ sys-user_pkg_preinst
+
+ # override home directory ownership
+ fowners root:ftp "${SYS_USER_HOME}"
+}
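Review bot: the `fowners root:ftp` override works because sys-user_pkg_preinst runs first and fowners acts on the image, but sys-user_src_install has already placed a keep file (`.keep_user_ftp-0` with this CATEGORY, PN and SLOT) inside /home/ftp, which an anonymous FTP daemon serving that directory will list to every client. The override also lets the eclass chown the directory to ftp:ftp and then reverses it; an eclass variable for the home directory's owner would avoid every such ebuild redefining pkg_preinst.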
diff --git a/user/ftp/metadata.xml b/user/ftp/metadata.xml
new file mode 100644
index 000000000000..7a38bb900964
--- /dev/null
+++ b/user/ftp/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <!-- maintainer-needed -->
+</pkgmetadata>
--
2.22.0.rc1
* [gentoo-dev] [PATCH 9/9] net-ftp/ftpbase: Utilize {group,user}/ftp
From: Michał Górny @ 2019-05-30 12:50 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
net-ftp/ftpbase/ftpbase-0.01-r3.ebuild | 39 ++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
diff --git a/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
new file mode 100644
index 000000000000..8944ba3a6778
--- /dev/null
+++ b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit eutils pam user
+
+DESCRIPTION="FTP layout package"
+HOMEPAGE="https://www.gentoo.org/"
+SRC_URI=""
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="pam"
+
+DEPEND="pam? ( virtual/pam )
+ !<net-ftp/proftpd-1.2.10-r6
+ !<net-ftp/pure-ftpd-1.0.20-r2
+ !<net-ftp/vsftpd-2.0.3-r1"
+PDEPEND="
+ group/ftp
+ user/ftp"
+
+S=${WORKDIR}
+
+src_install() {
+ # The ftpusers file is a list of people who are NOT allowed
+ # to use the ftp service.
+ insinto /etc
+ doins "${FILESDIR}/ftpusers" || die
+
+ cp "${FILESDIR}/ftp-pamd-include" "${T}" || die
+ if use elibc_FreeBSD; then
+ sed -i -e "/pam_listfile.so/s/^.*$/account required pam_ftpusers.so no_warn disallow/" \
+ "${T}"/ftp-pamd-include || die
+ fi
+ newpamd "${T}"/ftp-pamd-include ftp
+}
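Review bot: `|| die` after `doins` is redundant in EAPI 7, where doins dies on failure by itself, and `inherit user` looks unused now that the ftp user and group come from the `PDEPEND` on group/ftp and user/ftp; if nothing else in the ebuild calls enewuser/enewgroup, drop it so the migration is complete. PDEPEND also means the account is only guaranteed after ftpbase itself is merged, which is fine for the ftpusers file and pam include installed here but relies on the ftpd packages depending on ftpbase at runtime.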
--
2.22.0.rc1
* Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
From: James Le Cuirot @ 2019-05-30 20:17 UTC
To: gentoo-dev
On Thu, 30 May 2019 14:50:30 +0200
Michał Górny <mgorny@gentoo.org> wrote:
> Please review the following patches, implementing the user/group package
> concept. The patches incorporate some of the feedback to the proposed
> GLEP, and I'd like to get them reviewed before I submit the next GLEP
> update. They are based on earlier work by mjo.
I like the idea and the changes look good. I gather this doesn't
address the ROOT problem. That's fine, it wasn't one of the stated
goals, I just want to keep it in mind. I still stand by what I said in
https://bugs.gentoo.org/541406#c2.
The various tools such as useradd do have a -R option to specify a
root directory but this performs an actual chroot, making it useless
for non-native environments. Even if this somehow worked or if it
were run through QEMU, it would still not be sufficient because
Portage needs to know about these users and groups from the
perspective of the build system.
I believe what is needed is some way to intelligently sync the
accounts between / and ROOT. If a user or group already exists in /
then use the same ID in ROOT. If it doesn't already exist then create
it in / first, ensuring that the new ID doesn't clash with one
already in ROOT. If there is an unresolvable ID clash then error out.
If we're looking to keep all UIDs/GIDs fixed going forwards then
clashes obviously become less of an issue. Since writing the above,
I've become aware that you can bind mount individual files such
as /etc/passwd and there are also new tricks like user namespacing. We
could probably come up with something workable but this hasn't reached
the top of my pile.
--
James Le Cuirot (chewi)
Gentoo Linux Developer
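The account-sync policy James sketches above, combined with Jaco's point upthread that the system-ID bounds live in /etc/login.defs, as an added example (not code from the patch set, from Gentoo, or from either poster): a Python resolver that parses passwd(5) files for / and ROOT plus a login.defs excerpt, reuses the host's UID when the account exists there, allocates a UID that is free in both trees otherwise, and errors out on a clash. It goes one step beyond James's three cases by also handling an account that exists only in ROOT. The function names, the sample passwd contents and the login.defs excerpt are all constructed for this example.

```python
"""Resolve the UID a system account should get when / and ROOT may disagree.
Added example for this thread, not code from the patch set or from Gentoo.
Policy (James, above): reuse the ID from / if the account exists there, else
pick one free in both trees, and error out on a clash; bounds come from
login.defs (Jaco, upthread).  All file contents below are constructed data."""


def parse_passwd(text):
    """Map name -> uid from passwd(5)-format text; blank and '#' lines skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def parse_login_defs(text):
    """Map KEY -> value for login.defs 'KEY value' lines, ignoring comments."""
    defs = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def system_uid_range(defs):
    """SYS_UID_MIN..SYS_UID_MAX with shadow's fallbacks (SYS_UID_MAX = UID_MIN - 1)."""
    uid_min = int(defs.get("UID_MIN", 1000))        # shadow's documented default
    lo = int(defs.get("SYS_UID_MIN", 101))          # shadow's documented default
    hi = int(defs.get("SYS_UID_MAX", uid_min - 1))
    return lo, hi


def _holder(users, uid):
    return next((n for n, u in users.items() if u == uid), None)


def resolve_uid(name, host_users, root_users, uid_range):
    """Return (uid, action), action being 'already-synced', 'reuse-host',
    'reuse-root' or 'allocate'; raise RuntimeError on an unresolvable clash.
    The caller then creates the account in / first and in ROOT with that UID."""
    host_uid = host_users.get(name)
    root_uid = root_users.get(name)
    if host_uid is not None and root_uid is not None:
        if host_uid != root_uid:
            raise RuntimeError(f"{name}: uid {host_uid} in / but {root_uid} in ROOT")
        return host_uid, "already-synced"
    if host_uid is not None:                       # exists in / only
        other = _holder(root_users, host_uid)
        if other is not None:
            raise RuntimeError(f"{name}: uid {host_uid} is held in ROOT by {other}")
        return host_uid, "reuse-host"
    if root_uid is not None:                       # exists in ROOT only (extension)
        other = _holder(host_users, root_uid)
        if other is not None:
            raise RuntimeError(f"{name}: uid {root_uid} is held in / by {other}")
        return root_uid, "reuse-root"
    taken = set(host_users.values()) | set(root_users.values())
    for uid in range(uid_range[0], uid_range[1] + 1):   # upward scan, like enewuser
        if uid not in taken:
            return uid, "allocate"
    raise RuntimeError(f"{name}: no free system uid in {uid_range} across / and ROOT")


# Constructed sample data: a build host and a ROOT that is being populated.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:21:21::/home/ftp:/sbin/nologin
messagebus:x:101:101::/:/sbin/nologin
"""
ROOT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:101:101::/var/empty:/sbin/nologin
"""
LOGIN_DEFS = """\
# constructed excerpt of /etc/login.defs
UID_MIN         1000
SYS_UID_MIN     101
SYS_UID_MAX     999
"""


def plan(names):
    """Resolve each name; a clash is reported as ('clash', reason) instead of raising."""
    host, root = parse_passwd(HOST_PASSWD), parse_passwd(ROOT_PASSWD)
    bounds = system_uid_range(parse_login_defs(LOGIN_DEFS))
    out = {}
    for name in names:
        try:
            out[name] = resolve_uid(name, host, root, bounds)
        except RuntimeError as err:
            out[name] = ("clash", str(err))
    return out


if __name__ == "__main__":
    for name, result in plan(["root", "ftp", "sshd", "messagebus", "postfix"]).items():
        print(f"{name:12} {result}")
```

Running it shows the four outcomes on the sample data: `root` is already consistent, `ftp` reuses UID 21 from the host, `postfix` gets 102 (101 is taken in both trees), and both `sshd` and `messagebus` are reported as clashes because UID 101 names a different account on each side, which is exactly the case James says must error out rather than be guessed.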
* Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
From: William Hubbs @ 2019-05-31 14:02 UTC
To: gentoo-dev; +Cc: mgorny
I have one small nit-pick.
Can we use sys-users and sys-groups for the category names for the user
and group packages?
I guess the only argument I can give is users and groups are system
level things like other categories that start with sys-, so it feels
like a good fit to me.
William
* Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
From: Michał Górny @ 2019-05-31 14:08 UTC
To: gentoo-dev
On Fri, 2019-05-31 at 09:02 -0500, William Hubbs wrote:
> I have one small nit-pick.
>
> Can we use sys-users and sys-groups for the category names for the user
> and group packages?
>
> I guess the only argument I can give is users and groups are system
> level things like other categories that start with sys-, so it feels
> like a good fit to me.
>
No. They would mix with regular packages which would be confusing.
--
Best regards,
Michał Górny
* Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
From: William Hubbs @ 2019-05-31 16:37 UTC
To: gentoo-dev; +Cc: mgorny
On Fri, May 31, 2019 at 04:08:28PM +0200, Michał Górny wrote:
> On Fri, 2019-05-31 at 09:02 -0500, William Hubbs wrote:
> > I have one small nit-pick.
> >
> > Can we use sys-users and sys-groups for the category names for the user
> > and group packages?
> >
> > I guess the only argument I can give is users and groups are system
> > level things like other categories that start with sys-, so it feels
> > like a good fit to me.
> >
>
> No. They would mix with regular packages which would be confusing.
How are you defining a regular package? A regular package to me is a
package that installs something on the system. A virtual does not
install anything directly.
A user or group package does install a user or group, so it does install
something.
William
>
> --
> Best regards,
> Michał Górny
>
* Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
From: Michał Górny @ 2019-05-31 16:52 UTC
To: gentoo-dev
On Fri, 2019-05-31 at 11:37 -0500, William Hubbs wrote:
> On Fri, May 31, 2019 at 04:08:28PM +0200, Michał Górny wrote:
> > On Fri, 2019-05-31 at 09:02 -0500, William Hubbs wrote:
> > > I have one small nit-pick.
> > >
> > > Can we use sys-users and sys-groups for the category names for the user
> > > and group packages?
> > >
> > > I guess the only argument I can give is users and groups are system
> > > level things like other categories that start with sys-, so it feels
> > > like a good fit to me.
> > >
> >
> > No. They would mix with regular packages which would be confusing.
>
> How are you defining a regular package? A regular package to me is a
> package that installs something on the system. A virtual does not
> install anything directly.
> A user or group package does install a user or group, so it does install
> something.
>
They have a very special purpose that is nothing like a regular package.
--
Best regards,
Michał Górny