From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id E0F46138334 for ; Wed, 5 Jun 2019 09:15:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9927CE09AD; Wed, 5 Jun 2019 09:13:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AE941E099F for ; Wed, 5 Jun 2019 09:13:13 +0000 (UTC) Received: from localhost.localdomain (d202-252.icpnet.pl [109.173.202.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id 0FD5C345761; Wed, 5 Jun 2019 09:13:10 +0000 (UTC) From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Subject: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups Date: Wed, 5 Jun 2019 11:12:54 +0200 Message-Id: <20190605091257.12127-7-mgorny@gentoo.org> X-Mailer: git-send-email 2.22.0.rc3 In-Reply-To: <20190605091257.12127-1-mgorny@gentoo.org> References: <20190605091257.12127-1-mgorny@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: eefb853b-844d-4ffd-a5b2-033de409690b X-Archives-Hash: 4132024211b3fe5ee336c191b2a24817 --- eclass/acct-group.eclass | 105 +++++++++++++++++++ eclass/acct-user.eclass | 217 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 322 insertions(+) create mode 100644 eclass/acct-group.eclass create mode 100644 eclass/acct-user.eclass diff --git a/eclass/acct-group.eclass b/eclass/acct-group.eclass new file mode 100644 index 000000000000..8b3b2202aa35 --- /dev/null +++ b/eclass/acct-group.eclass @@ -0,0 +1,105 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: acct-group.eclass +# @MAINTAINER: +# Michał Górny +# @AUTHOR: +# Michael Orlitzky +# Michał Górny +# @BLURB: Eclass used to create and maintain a single group entry +# @DESCRIPTION: +# This eclass represents and creates a single group entry. The name +# of the group is derived from ${PN}, while (preferred) GID needs to +# be specified via ACCT_GROUP_ID. Packages (and users) needing the group +# in question should depend on the package providing it. +# +# Example: +# If your package needs group 'foo', you create 'acct-group/foo' package +# and add an ebuild with the following contents: +# +# @CODE +# EAPI=7 +# inherit acct-group +# ACCT_GROUP_ID=200 +# @CODE +# +# Then you add appropriate dependency to your package. The dependency +# type(s) should be: +# - DEPEND (+ RDEPEND) if the group is already needed at build time, +# - RDEPEND if it is needed at install time (e.g. you 'fowners' files +# in pkg_preinst), +# - PDEPEND if it is only needed at runtime. + + +if [[ -z ${_ACCT_GROUP_ECLASS} ]]; then +_ACCT_GROUP_ECLASS=1 + +case ${EAPI:-0} in + 7) ;; + *) die "EAPI=${EAPI} not supported";; +esac + +inherit user + + +# << Eclass variables >> + +# @ECLASS-VARIABLE: ACCT_GROUP_ID +# @REQUIRED +# @DESCRIPTION: +# Preferred GID for the new group. This variable is obligatory, and its +# value must be unique across all group packages. + +# @ECLASS-VARIABLE: ACCT_GROUP_ENFORCE_ID +# @DESCRIPTION: +# If set to a non-null value, the eclass will require the group to have +# specified GID. If the group already exists with another GID, or +# the GID is taken by another group, the install will fail. +: ${ACCT_GROUP_ENFORCE_ID:=} + + +# << Boilerplate ebuild variables >> +: ${DESCRIPTION:="Service group: ${PN}"} +: ${HOMEPAGE:=https://www.gentoo.org/} +: ${SLOT:=0} +: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris} +S=${WORKDIR} + + +# << Phase functions >> +EXPORT_FUNCTIONS pkg_pretend pkg_preinst + +# @FUNCTION: acct-group_pkg_pretend +# @DESCRIPTION: +# Performs sanity checks for correct eclass usage, and early-checks +# whether requested GID can be enforced. +acct-group_pkg_pretend() { + debug-print-function ${FUNCNAME} "${@}" + + # verify ACCT_GROUP_ID + [[ -n ${ACCT_GROUP_ID} ]] || die "Ebuild error: ACCT_GROUP_ID must be set!" + [[ ${ACCT_GROUP_ID} -ge 0 ]] || die "Ebuild errors: ACCT_GROUP_ID=${ACCT_GROUP_ID} invalid!" + + # check for ACCT_GROUP_ID collisions early + if [[ -n ${ACCT_GROUP_ENFORCE_ID} ]]; then + local grp=$(egetent group "${ACCT_GROUP_ID}") + if [[ -n ${grp} ]]; then + eerror "The required GID is already taken by another group." + eerror " GID: ${ACCT_GROUP_ID} (needed for ${PN})" + eerror " current group: ${grp}" + die "GID ${ACCT_GROUP_ID} taken already" + fi + fi +} + +# @FUNCTION: acct-group_pkg_preinst +# @DESCRIPTION: +# Creates the group if it does not exist yet. +acct-group_pkg_preinst() { + debug-print-function ${FUNCNAME} "${@}" + + enewgroup -F "${PN}" "${ACCT_GROUP_ID}" +} + +fi diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass new file mode 100644 index 000000000000..12bc3652f333 --- /dev/null +++ b/eclass/acct-user.eclass @@ -0,0 +1,217 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: acct-user.eclass +# @MAINTAINER: +# Michał Górny +# @AUTHOR: +# Michael Orlitzky +# Michał Górny +# @BLURB: Eclass used to create and maintain a single user entry +# @DESCRIPTION: +# This eclass represents and creates a single user entry. The name +# of the user is derived from ${PN}, while (preferred) UID needs to +# be specified via ACCT_USER_ID. Additional variables are provided +# to override the default home directory, shell and add group +# membership. Packages needing the user in question should depend +# on the package providing it. +# +# Example: +# If your package needs user 'foo' belonging to same-named group, you +# create 'acct-user/foo' package and add an ebuild with the following +# contents: +# +# @CODE +# EAPI=7 +# inherit acct-user +# ACCT_USER_ID=200 +# ACCT_USER_GROUPS=( foo ) +# acct-user_add_deps +# @CODE +# +# Then you add appropriate dependency to your package. The dependency +# type(s) should be: +# - DEPEND (+ RDEPEND) if the user is already needed at build time, +# - RDEPEND if it is needed at install time (e.g. you 'fowners' files +# in pkg_preinst), +# - PDEPEND if it is only needed at runtime. + +if [[ -z ${_ACCT_USER_ECLASS} ]]; then +_ACCT_USER_ECLASS=1 + +case ${EAPI:-0} in + 7) ;; + *) die "EAPI=${EAPI} not supported";; +esac + +inherit user + + +# << Eclass variables >> + +# @ECLASS-VARIABLE: ACCT_USER_ID +# @REQUIRED +# @DESCRIPTION: +# Preferred UID for the new user. This variable is obligatory, and its +# value must be unique across all user packages. + +# @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID +# @DESCRIPTION: +# If set to a non-null value, the eclass will require the user to have +# specified UID. If the user already exists with another UID, or +# the UID is taken by another user, the install will fail. +: ${ACCT_USER_ENFORCE_ID:=} + +# @ECLASS-VARIABLE: ACCT_USER_SHELL +# @DESCRIPTION: +# The shell to use for the new user. If not specified, a 'nologin' +# variant for the system is used. This affects only new user accounts. +: ${ACCT_USER_SHELL:=-1} + +# @ECLASS-VARIABLE: ACCT_USER_HOME +# @DESCRIPTION: +# The home directory for the new user. If not specified, /dev/null +# is used. This affects only new user accounts. The directory will +# be created with appropriate permissions if it does not exist. +: ${ACCT_USER_HOME:=/dev/null} + +# @ECLASS-VARIABLE: ACCT_USER_HOME_OWNER +# @DEFAULT_UNSET +# @DESCRIPTION: +# The ownership to use for the home directory, in chown ([user][:group]) +# syntax. Defaults to the newly created user, and its primary group +# (if any; :root otherwise). + +# @ECLASS-VARIABLE: ACCT_USER_HOME_PERMS +# @DESCRIPTION: +# The permissions to use for the home directory, in chmod (octal +# or verbose) form. +: ${ACCT_USER_HOME_PERMS:=0755} + +# @ECLASS-VARIABLE: ACCT_USER_GROUPS +# @DEFAULT_UNSET +# @DESCRIPTION: +# List of groups the user should belong to. This must be a bash +# array. If not specified, the user is not added to any groups. +# This affects only new user accounts. +# +# If ACCT_USER_GROUPS is specified, the ebuild needs to call +# acct-user_add_deps in global scope to add appropriate dependencies. + + +# << Boilerplate ebuild variables >> +: ${DESCRIPTION:="Service user: ${PN}"} +: ${HOMEPAGE:=https://www.gentoo.org/} +: ${SLOT:=0} +: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris} +S=${WORKDIR} + + +# << API functions >> + +# @FUNCTION: acct-user_add_deps +# @DESCRIPTION: +# Generate appropriate RDEPEND from ACCT_USER_GROUPS. This must be +# called if ACCT_USER_GROUPS are set. +acct-user_add_deps() { + debug-print-function ${FUNCNAME} "${@}" + + # ACCT_USER_GROUPS sanity check + if ! declare -p ACCT_USER_GROUPS &>/dev/null; then + return + elif [[ $(declare -p ACCT_USER_GROUPS) != "declare -a"* ]]; then + die 'ACCT_USER_GROUPS must be an array.' + fi + + RDEPEND+=${ACCT_USER_GROUPS[*]/#/ acct-group/} + _ACCT_USER_ADD_DEPS_CALLED=1 +} + + +# << Phase functions >> +EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_prerm + +# @FUNCTION: acct-user_pkg_pretend +# @DESCRIPTION: +# Performs sanity checks for correct eclass usage, and early-checks +# whether requested UID can be enforced. +acct-user_pkg_pretend() { + debug-print-function ${FUNCNAME} "${@}" + + # verify that acct-user_add_deps() has been called + # (it verifies ACCT_USER_GROUPS itself) + if [[ -z ${_ACCT_USER_ADD_DEPS_CALLED} ]]; then + if declare -p ACCT_USER_GROUPS &>/dev/null; then + die "Ebuild error: acct-user_add_deps must have been called in global scope!" + fi + fi + + # verify ACCT_USER_ID + [[ -n ${ACCT_USER_ID} ]] || die "Ebuild error: ACCT_USER_ID must be set!" + [[ ${ACCT_USER_ID} -ge 0 ]] || die "Ebuild errors: ACCT_USER_ID=${ACCT_USER_ID} invalid!" + + # check for ACCT_USER_ID collisions early + if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then + local pwd=$(egetent passwd "${ACCT_USER_ID}") + if [[ -n ${pwd} ]]; then + eerror "The required UID is already taken by another user." + eerror " UID: ${ACCT_USER_ID} (needed for ${PN})" + eerror " current user: ${pwd}" + die "UID ${ACCT_USER_ID} taken already" + fi + fi +} + +# @FUNCTION: acct-user_src_install +# @DESCRIPTION: +# Installs a keep-file into the user's home directory to ensure it is +# owned by the package. +acct-user_src_install() { + debug-print-function ${FUNCNAME} "${@}" + + if [[ ${ACCT_USER_HOME} != /dev/null ]]; then + # note: we can't set permissions here since the user isn't + # created yet + keepdir "${ACCT_USER_HOME}" + fi +} + +# @FUNCTION: acct-user_pkg_preinst +# @DESCRIPTION: +# Creates the user if it does not exist yet. Sets permissions +# of the home directory in install image. +acct-user_pkg_preinst() { + debug-print-function ${FUNCNAME} "${@}" + + local groups=${ACCT_USER_GROUPS[*]} + enewuser -F -M "${PN}" "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" \ + "${ACCT_USER_HOME}" "${groups// /,}" + + if [[ ${ACCT_USER_HOME} != /dev/null ]]; then + # default ownership to user:group + if [[ -z ${ACCT_USER_HOME_OWNER} ]]; then + ACCT_USER_HOME_OWNER=${PN} + if [[ -n ${ACCT_USER_GROUPS[0]} ]]; then + ACCT_USER_HOME_OWNER+=:${ACCT_USER_GROUPS[0]} + fi + fi + fowners "${ACCT_USER_HOME_OWNER}" "${ACCT_USER_HOME}" + fperms "${ACCT_USER_HOME_PERMS}" "${ACCT_USER_HOME}" + fi +} + +# @FUNCTION: acct-user_pkg_prerm +# @DESCRIPTION: +# Ensures that the user account is locked out when it is removed. +acct-user_pkg_prerm() { + debug-print-function ${FUNCNAME} "${@}" + + if [[ -z ${REPLACED_BY_VERSION} ]]; then + : + # TODO: what should we do here, exactly? we shouldn't touch + # shell, and it should be nologin anyway. we could reset + # the password but it should not be set anyway. + fi +} + +fi -- 2.22.0.rc3