[gentoo-dev] [PATCH v3 00/19] User/group packages

[gentoo-dev] [PATCH v3 00/19] User/group packages

[Michał Górny]

Hello,

Here's another major iteration of user/group package implementation
proposal.  There were some major design changes, so probably best
to review from scratch.

Notable changes in user.eclass:

- Darwin support has been removed.  It is unused and has been broken
  for a long time.

- Support for *BSD remains as it is working and we can test those
  platforms easily (it's needed for Gentoo/FBSD).

- esetshell counterpart to egetshell has been added.

- egetusername and egetgroupname utility functions for UID/GID→name
  conversion have been added.

- egetcomment and esetcomment functions for passwd comment field
  have been added.

- egetgroups and esetgroups functions for getting and altering group
  membership have been added.


Notable changes common to both acct-* eclasses:

- ACCT_*_NAME internal variables has been added for readability
  and possible future extension (to avoid using PN to mean user/group
  name).

- Detecting UID/GID mismatch or conflict for ACCT_*_ENFORCE_ID has been
  fixed to work correctly.  It no longer fails if the user/group
  exists already with the correct UID/GID, and now fails if it exists
  with another UID/GID.


Notable changes in acct-user.eclass:

- ACCT_USER_GROUPS is now obligatory.  After all, there is no
  well-defined concept of user without a primary group.

- Account locking (on removal) and unlocking (on reinstall) is now
  supported.  On Linux and FreeBSD it uses both password locking (which
  should lock the account if sysadmin set any password for it)
  and expiration (which locks access completely).  Also shell is forced
  to nologin for locked accounts.

- Account home directory, shell and group memberships are now updated
  on install.  This is needed for unlocking but will also help clean up
  bad previous designs (see: 'git' user).

- The comment for newly created accounts is now set from DESCRIPTION,
  making it possible to properly describe account purposes.  On removal,
  the removal date is appended to the comment.


Please review.  I'll send a GLEP update too shortly.

--
Best regards,
Michał Górny


Michał Górny (19):
  user.eclass: Remove dead/broken Darwin support
  user.eclass: NetBSD has 'getent'
  user.eclass: Do not create user-group automatically
  user.eclass: Prevent automated home creation in useradd
  user.eclass: Support disabling home directory creation
  user.eclass: Support forcing specified UID/GID
  user.eclass: Die if no free UID/GID is found
  user.eclass: Factor out finding nologin into separate function
  user.eclass: Introduce esetshell
  user.eclass: Introduce eget{user,group}name
  user.eclass: Also permit using functions in pkg_*rm phases
  user.eclass: Support getting & setting comment field
  user.eclass: Introduce e{get,set}groups
  acct-group.eclass: A new eclass to maintain group accounts
  acct-user.eclass: A new eclass to maintain user accounts
  acct-user.eclass: Supporting locking & unlocking accounts
  acct-group/ftp: Add 'ftp' group (GID 21)
  acct-user/ftp: Add 'ftp' user (UID 21)
  net-ftp/ftpbase: Utilize {group,user}/ftp

 acct-group/ftp/ftp-0.ebuild            |   8 +
 acct-group/ftp/metadata.xml            |   5 +
 acct-user/ftp/ftp-0.ebuild             |  13 +
 acct-user/ftp/metadata.xml             |   5 +
 eclass/acct-group.eclass               | 124 ++++++++
 eclass/acct-user.eclass                | 376 ++++++++++++++++++++++++
 eclass/user.eclass                     | 387 ++++++++++++++++++++-----
 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild |  39 +++
 profiles/categories                    |   2 +
 9 files changed, 890 insertions(+), 69 deletions(-)
 create mode 100644 acct-group/ftp/ftp-0.ebuild
 create mode 100644 acct-group/ftp/metadata.xml
 create mode 100644 acct-user/ftp/ftp-0.ebuild
 create mode 100644 acct-user/ftp/metadata.xml
 create mode 100644 eclass/acct-group.eclass
 create mode 100644 eclass/acct-user.eclass
 create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild

-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 01/19] user.eclass: Remove dead/broken Darwin support

[Michał Górny]

Closes: https://bugs.gentoo.org/687568
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 54 +++-------------------------------------------
 1 file changed, 3 insertions(+), 51 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index f6a10a6bee28..ef5d3bc5e6e0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: user.eclass
@@ -44,32 +44,6 @@ egetent() {
 	esac
 
 	case ${CHOST} in
-	*-darwin[678])
-		case ${key} in
-		*[!0-9]*) # Non numeric
-			nidump ${db} . | awk -F: "(\$1 ~ /^${key}\$/) {print;exit;}"
-			;;
-		*)	# Numeric
-			nidump ${db} . | awk -F: "(\$3 == ${key}) {print;exit;}"
-			;;
-		esac
-		;;
-	*-darwin*)
-		local mykey
-		case ${db} in
-		passwd) db="Users"  mykey="UniqueID" ;;
-		group)  db="Groups" mykey="PrimaryGroupID" ;;
-		esac
-
-		case ${key} in
-		*[!0-9]*) # Non numeric
-			dscl . -read /${db}/${key} 2>/dev/null |grep RecordName
-			;;
-		*)	# Numeric
-			dscl . -search /${db} ${mykey} ${key} 2>/dev/null
-			;;
-		esac
-		;;
 	*-freebsd*|*-dragonfly*)
 		case ${db} in
 		passwd) db="user" ;;
@@ -219,18 +193,6 @@ enewuser() {
 
 	# add the user
 	case ${CHOST} in
-	*-darwin*)
-		### Make the user
-		dscl . create "/users/${euser}" uid ${euid}
-		dscl . create "/users/${euser}" shell "${eshell}"
-		dscl . create "/users/${euser}" home "${ehome}"
-		dscl . create "/users/${euser}" realname "added by portage for ${PN}"
-		### Add the user to the groups specified
-		for g in "${egroups_arr[@]}" ; do
-			dscl . merge "/groups/${g}" users "${euser}"
-		done
-		;;
-
 	*-freebsd*|*-dragonfly*)
 		pw useradd "${euser}" "${opts[@]}" || die
 		;;
@@ -318,12 +280,6 @@ enewgroup() {
 
 	# add the group
 	case ${CHOST} in
-	*-darwin*)
-		_enewgroup_next_gid
-		dscl . create "/groups/${egroup}" gid ${egid}
-		dscl . create "/groups/${egroup}" passwd '*'
-		;;
-
 	*-freebsd*|*-dragonfly*)
 		_enewgroup_next_gid
 		pw groupadd "${egroup}" -g ${egid} || die
@@ -358,7 +314,7 @@ egethome() {
 	[[ $# -eq 1 ]] || die "usage: egethome <user>"
 
 	case ${CHOST} in
-	*-darwin*|*-freebsd*|*-dragonfly*)
+	*-freebsd*|*-dragonfly*)
 		pos=9
 		;;
 	*)	# Linux, NetBSD, OpenBSD, etc...
@@ -379,7 +335,7 @@ egetshell() {
 	[[ $# -eq 1 ]] || die "usage: egetshell <user>"
 
 	case ${CHOST} in
-	*-darwin*|*-freebsd*|*-dragonfly*)
+	*-freebsd*|*-dragonfly*)
 		pos=10
 		;;
 	*)	# Linux, NetBSD, OpenBSD, etc...
@@ -444,10 +400,6 @@ esethome() {
 
 	# update the home directory
 	case ${CHOST} in
-	*-darwin*)
-		dscl . change "/users/${euser}" home "${ehome}"
-		;;
-
 	*-freebsd*|*-dragonfly*)
 		pw usermod "${euser}" -d "${ehome}" && return 0
 		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update home"
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 02/19] user.eclass: NetBSD has 'getent'

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index ef5d3bc5e6e0..18940f1505f1 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -4,6 +4,7 @@
 # @ECLASS: user.eclass
 # @MAINTAINER:
 # base-system@gentoo.org (Linux)
+# Michał Górny <mgorny@gentoo.org> (NetBSD)
 # @BLURB: user management in ebuilds
 # @DESCRIPTION:
 # The user eclass contains a suite of functions that allow ebuilds
@@ -58,7 +59,7 @@ egetent() {
 
 		pw show ${db} ${opts} "${key}" -q
 		;;
-	*-netbsd*|*-openbsd*)
+	*-openbsd*)
 		grep "${key}:\*:" /etc/${db}
 		;;
 	*)
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 03/19] user.eclass: Do not create user-group automatically

[Michał Górny]

Closes: https://bugs.gentoo.org/512220
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 18940f1505f1..8935c338e1bb 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -209,7 +209,7 @@ enewuser() {
 		;;
 
 	*)
-		useradd -r "${opts[@]}" "${euser}" || die
+		useradd -N -r "${opts[@]}" "${euser}" || die
 		;;
 	esac
 
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 04/19] user.eclass: Prevent automated home creation in useradd

[Michał Górny]

Pass '-M' to prevent useradd from automatically creating the home
directory (depending on system configuration).  We create the home
directory ourselves anyway, and we have better control over how it's
created this way.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 8935c338e1bb..a24920af13f1 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -209,7 +209,7 @@ enewuser() {
 		;;
 
 	*)
-		useradd -N -r "${opts[@]}" "${euser}" || die
+		useradd -M -N -r "${opts[@]}" "${euser}" || die
 		;;
 	esac
 
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 05/19] user.eclass: Support disabling home directory creation

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index a24920af13f1..0577df81ae78 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -71,12 +71,15 @@ egetent() {
 }
 
 # @FUNCTION: enewuser
-# @USAGE: <user> [uid] [shell] [homedir] [groups]
+# @USAGE: <user> [-M] [uid] [shell] [homedir] [groups]
 # @DESCRIPTION:
 # Same as enewgroup, you are not required to understand how to properly add
 # a user to the system.  The only required parameter is the username.
 # Default uid is (pass -1 for this) next available, default shell is
 # /bin/false, default homedir is /dev/null, and there are no default groups.
+#
+# If -M is passed, enewuser does not create the home directory if it does not
+# exist.
 enewuser() {
 	if [[ ${EUID} != 0 ]] ; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
@@ -84,6 +87,15 @@ enewuser() {
 	fi
 	_assert_pkg_ebuild_phase ${FUNCNAME}
 
+	local create_home=1
+	while [[ $1 == -* ]]; do
+		case $1 in
+			-M) create_home=;;
+			*) die "${FUNCNAME}: invalid option ${1}";;
+		esac
+		shift
+	done
+
 	# get the username
 	local euser=$1; shift
 	if [[ -z ${euser} ]] ; then
@@ -213,7 +225,7 @@ enewuser() {
 		;;
 	esac
 
-	if [[ ! -e ${ROOT}/${ehome} ]] ; then
+	if [[ -n ${create_home} && ! -e ${ROOT}/${ehome} ]] ; then
 		einfo " - Creating ${ehome} in ${ROOT}"
 		mkdir -p "${ROOT}/${ehome}"
 		chown "${euser}" "${ROOT}/${ehome}"
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 06/19] user.eclass: Support forcing specified UID/GID

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 0577df81ae78..92a07bb6b41b 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -71,13 +71,15 @@ egetent() {
 }
 
 # @FUNCTION: enewuser
-# @USAGE: <user> [-M] [uid] [shell] [homedir] [groups]
+# @USAGE: <user> [-F] [-M] [uid] [shell] [homedir] [groups]
 # @DESCRIPTION:
 # Same as enewgroup, you are not required to understand how to properly add
 # a user to the system.  The only required parameter is the username.
 # Default uid is (pass -1 for this) next available, default shell is
 # /bin/false, default homedir is /dev/null, and there are no default groups.
 #
+# If -F is passed, enewuser will always enforce specified UID and fail if it
+# can not be assigned.
 # If -M is passed, enewuser does not create the home directory if it does not
 # exist.
 enewuser() {
@@ -87,9 +89,10 @@ enewuser() {
 	fi
 	_assert_pkg_ebuild_phase ${FUNCNAME}
 
-	local create_home=1
+	local create_home=1 force_uid=
 	while [[ $1 == -* ]]; do
 		case $1 in
+			-F) force_uid=1;;
 			-M) create_home=;;
 			*) die "${FUNCNAME}: invalid option ${1}";;
 		esac
@@ -117,6 +120,7 @@ enewuser() {
 	if [[ -n ${euid} && ${euid} != -1 ]] ; then
 		if [[ ${euid} -gt 0 ]] ; then
 			if [[ -n $(egetent passwd ${euid}) ]] ; then
+				[[ -n ${force_uid} ]] && die "${FUNCNAME}: UID ${euid} already taken"
 				euid="next"
 			fi
 		else
@@ -124,6 +128,7 @@ enewuser() {
 			die "${euid} is not a valid UID"
 		fi
 	else
+		[[ -n ${force_uid} ]] && die "${FUNCNAME}: -F with uid==-1 makes no sense"
 		euid="next"
 	fi
 	if [[ ${euid} == "next" ]] ; then
@@ -240,6 +245,9 @@ enewuser() {
 # group to the system.  Just give it a group name to add and enewgroup will
 # do the rest.  You may specify the gid for the group or allow the group to
 # allocate the next available one.
+#
+# If -F is passed, enewgroup will always enforce specified GID and fail if it
+# can not be assigned.
 enewgroup() {
 	if [[ ${EUID} != 0 ]] ; then
 		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
@@ -247,6 +255,15 @@ enewgroup() {
 	fi
 	_assert_pkg_ebuild_phase ${FUNCNAME}
 
+	local force_gid=
+	while [[ $1 == -* ]]; do
+		case $1 in
+			-F) force_gid=1;;
+			*) die "${FUNCNAME}: invalid option ${1}";;
+		esac
+		shift
+	done
+
 	# get the group
 	local egroup=$1; shift
 	if [[ -z ${egroup} ]] ; then
@@ -265,6 +282,7 @@ enewgroup() {
 	if [[ ! -z ${egid} ]] ; then
 		if [[ ${egid} -gt 0 ]] ; then
 			if [[ -n $(egetent group ${egid}) ]] ; then
+				[[ -n ${force_gid} ]] && die "${FUNCNAME}: GID ${egid} already taken"
 				egid="next available; requested gid taken"
 			fi
 		else
@@ -272,6 +290,7 @@ enewgroup() {
 			die "${egid} is not a valid GID"
 		fi
 	else
+		[[ -n ${force_gid} ]] && die "${FUNCNAME}: -F with gid==-1 makes no sense"
 		egid="next available"
 	fi
 	einfo " - Groupid: ${egid}"
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 07/19] user.eclass: Die if no free UID/GID is found

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 92a07bb6b41b..8afbc101fac3 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -135,6 +135,7 @@ enewuser() {
 		for ((euid = 101; euid <= 999; euid++)); do
 			[[ -z $(egetent passwd ${euid}) ]] && break
 		done
+		[[ ${euid} -le 999 ]] || die "${FUNCNAME}: no free UID found"
 	fi
 	opts+=( -u ${euid} )
 	einfo " - Userid: ${euid}"
@@ -307,6 +308,7 @@ enewgroup() {
 			for ((egid = 101; egid <= 999; egid++)) ; do
 				[[ -z $(egetent group ${egid}) ]] && break
 			done
+			[[ ${egid} -le 999 ]] || die "${FUNCNAME}: no free GID found"
 		fi
 	}
 
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 08/19] user.eclass: Factor out finding nologin into separate function

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 8afbc101fac3..54d7a3fdbe28 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -70,6 +70,31 @@ egetent() {
 	esac
 }
 
+# @FUNCTION: user_get_nologin
+# @INTERNAL
+# @DESCRIPTION:
+# Find an appropriate 'nologin' shell for the platform, and output
+# its path.
+user_get_nologin() {
+	local eshell
+
+	for eshell in /sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false /dev/null ; do
+		[[ -x ${ROOT}${eshell} ]] && break
+	done
+
+	if [[ ${eshell} == "/dev/null" ]] ; then
+		ewarn "Unable to identify the shell to use, proceeding with userland default."
+		case ${USERLAND} in
+			GNU)    eshell="/bin/false" ;;
+			BSD)    eshell="/sbin/nologin" ;;
+			Darwin) eshell="/usr/sbin/nologin" ;;
+			*) die "Unable to identify the default shell for userland ${USERLAND}"
+		esac
+	fi
+
+	echo "${eshell}"
+}
+
 # @FUNCTION: enewuser
 # @USAGE: <user> [-F] [-M] [uid] [shell] [homedir] [groups]
 # @DESCRIPTION:
@@ -152,19 +177,7 @@ enewuser() {
 			die "Pass '-1' as the shell parameter"
 		fi
 	else
-		for eshell in /sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false /dev/null ; do
-			[[ -x ${ROOT}${eshell} ]] && break
-		done
-
-		if [[ ${eshell} == "/dev/null" ]] ; then
-			eerror "Unable to identify the shell to use, proceeding with userland default."
-			case ${USERLAND} in
-				GNU)    eshell="/bin/false" ;;
-				BSD)    eshell="/sbin/nologin" ;;
-				Darwin) eshell="/usr/sbin/nologin" ;;
-				*) die "Unable to identify the default shell for userland ${USERLAND}"
-			esac
-		fi
+		eshell=$(user_get_nologin)
 	fi
 	einfo " - Shell: ${eshell}"
 	opts+=( -s "${eshell}" )
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 09/19] user.eclass: Introduce esetshell

[Michał Górny]

---
 eclass/user.eclass | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 54d7a3fdbe28..3bd381b0c089 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -465,4 +465,65 @@ esethome() {
 	esac
 }
 
+# @FUNCTION: esetshell
+# @USAGE: <user> <shell>
+# @DESCRIPTION:
+# Update the shell in a platform-agnostic way.
+# Required parameters is the username and the new shell.
+# Specify -1 if you want to set shell to platform-specific nologin.
+esetshell() {
+	_assert_pkg_ebuild_phase ${FUNCNAME}
+
+	# get the username
+	local euser=$1; shift
+	if [[ -z ${euser} ]] ; then
+		eerror "No username specified !"
+		die "Cannot call esetshell without a username"
+	fi
+
+	# lets see if the username already exists
+	if [[ -z $(egetent passwd "${euser}") ]] ; then
+		ewarn "User does not exist, cannot set shell -- skipping."
+		return 1
+	fi
+
+	# handle shell
+	local eshell=$1; shift
+	if [[ -z ${eshell} ]] ; then
+		eerror "No shell specified !"
+		die "Cannot call esetshell without a shell or '-1'"
+	fi
+
+	if [[ ${eshell} == "-1" ]] ; then
+		eshell=$(user_get_nologin)
+	fi
+
+	# exit with no message if shell is up to date
+	if [[ $(egetshell "${euser}") == ${eshell} ]]; then
+		return 0
+	fi
+
+	einfo "Updating shell for user '${euser}' ..."
+	einfo " - Shell: ${eshell}"
+
+	# update the shell
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pw usermod "${euser}" -s "${eshell}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update shell"
+		eerror "There was an error when attempting to update the shell for ${euser}"
+		eerror "Please update it manually on your system:"
+		eerror "\t pw usermod \"${euser}\" -s \"${eshell}\""
+		;;
+
+	*)
+		usermod -s "${eshell}" "${euser}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update shell"
+		eerror "There was an error when attempting to update the shell for ${euser}"
+		eerror "Please update it manually on your system (as root):"
+		eerror "\t usermod -s \"${eshell}\" \"${euser}\""
+		;;
+	esac
+}
+
 fi
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 10/19] user.eclass: Introduce eget{user,group}name

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 3bd381b0c089..e4e2732b11e0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -351,6 +351,30 @@ enewgroup() {
 	esac
 }
 
+# @FUNCTION: egetusername
+# @USAGE: <uid>
+# @DESCRIPTION:
+# Gets the username for given UID.
+egetusername() {
+	local pos
+
+	[[ $# -eq 1 ]] || die "usage: egetusername <uid>"
+
+	egetent passwd "$1" | cut -d: -f1
+}
+
+# @FUNCTION: egetgroupname
+# @USAGE: <gid>
+# @DESCRIPTION:
+# Gets the group name for given GID.
+egetgroupname() {
+	local pos
+
+	[[ $# -eq 1 ]] || die "usage: egetgroupname <gid>"
+
+	egetent group "$1" | cut -d: -f1
+}
+
 # @FUNCTION: egethome
 # @USAGE: <user>
 # @DESCRIPTION:
-- 
2.22.0.rc3

Re: [gentoo-dev] [PATCH v3 10/19] user.eclass: Introduce eget{user,group}name

[Michael Orlitzky]

On 6/9/19 7:28 AM, Michał Górny wrote:
>  
> +# @FUNCTION: egetusername
> +# @USAGE: <uid>
> +# @DESCRIPTION:
> +# Gets the username for given UID.
> +egetusername() {
> +	local pos
> +
> +	[[ $# -eq 1 ]] || die "usage: egetusername <uid>"
> +
> +	egetent passwd "$1" | cut -d: -f1
> +}

Unused local variable?


> +egetgroupname() {
> +	local pos
> +
> +	[[ $# -eq 1 ]] || die "usage: egetgroupname <gid>"
> +
> +	egetent group "$1" | cut -d: -f1
> +}

Same.

[gentoo-dev] [PATCH v3 11/19] user.eclass: Also permit using functions in pkg_*rm phases

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index e4e2732b11e0..ceb805675cf6 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -18,7 +18,7 @@ _USER_ECLASS=1
 # @USAGE: <calling func name>
 _assert_pkg_ebuild_phase() {
 	case ${EBUILD_PHASE} in
-	setup|preinst|postinst) ;;
+	setup|preinst|postinst|prerm|postrm) ;;
 	*)
 		eerror "'$1()' called from '${EBUILD_PHASE}' phase which is not OK:"
 		eerror "You may only call from pkg_{setup,preinst,postinst} functions."
-- 
2.22.0.rc3

Re: [gentoo-dev] [PATCH v3 11/19] user.eclass: Also permit using functions in pkg_*rm phases

[Michael Orlitzky]

On 6/9/19 7:28 AM, Michał Górny wrote:
>  _assert_pkg_ebuild_phase() {
>  	case ${EBUILD_PHASE} in
> -	setup|preinst|postinst) ;;
> +	setup|preinst|postinst|prerm|postrm) ;;
>  	*)
>  		eerror "'$1()' called from '${EBUILD_PHASE}' phase which is not OK:"
>  		eerror "You may only call from pkg_{setup,preinst,postinst} functions."
> 

The error message needs an update, too.

[gentoo-dev] [PATCH v3 12/19] user.eclass: Support getting & setting comment field

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/user.eclass | 77 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index ceb805675cf6..f4f6c75f3b71 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -417,6 +417,27 @@ egetshell() {
 	egetent passwd "$1" | cut -d: -f${pos}
 }
 
+# @FUNCTION: egetcomment
+# @USAGE: <user>
+# @DESCRIPTION:
+# Gets the comment field for the specified user.
+egetcomment() {
+	local pos
+
+	[[ $# -eq 1 ]] || die "usage: egetshell <user>"
+
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pos=8
+		;;
+	*)	# Linux, NetBSD, OpenBSD, etc...
+		pos=5
+		;;
+	esac
+
+	egetent passwd "$1" | cut -d: -f${pos}
+}
+
 # @FUNCTION: esethome
 # @USAGE: <user> <homedir>
 # @DESCRIPTION:
@@ -550,4 +571,60 @@ esetshell() {
 	esac
 }
 
+# @FUNCTION: esetcomment
+# @USAGE: <user> <comment>
+# @DESCRIPTION:
+# Update the comment field in a platform-agnostic way.
+# Required parameters is the username and the new comment.
+esetcomment() {
+	_assert_pkg_ebuild_phase ${FUNCNAME}
+
+	# get the username
+	local euser=$1; shift
+	if [[ -z ${euser} ]] ; then
+		eerror "No username specified !"
+		die "Cannot call esetcomment without a username"
+	fi
+
+	# lets see if the username already exists
+	if [[ -z $(egetent passwd "${euser}") ]] ; then
+		ewarn "User does not exist, cannot set comment -- skipping."
+		return 1
+	fi
+
+	# handle comment
+	local ecomment=$1; shift
+	if [[ -z ${ecomment} ]] ; then
+		eerror "No comment specified !"
+		die "Cannot call esetcomment without a comment"
+	fi
+
+	# exit with no message if comment is up to date
+	if [[ $(egetcomment "${euser}") == ${ecomment} ]]; then
+		return 0
+	fi
+
+	einfo "Updating comment for user '${euser}' ..."
+	einfo " - Comment: ${ecomment}"
+
+	# update the comment
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pw usermod "${euser}" -c "${ecomment}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update comment"
+		eerror "There was an error when attempting to update the comment for ${euser}"
+		eerror "Please update it manually on your system:"
+		eerror "\t pw usermod \"${euser}\" -c \"${ecomment}\""
+		;;
+
+	*)
+		usermod -c "${ecomment}" "${euser}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update comment"
+		eerror "There was an error when attempting to update the comment for ${euser}"
+		eerror "Please update it manually on your system (as root):"
+		eerror "\t usermod -c \"${ecomment}\" \"${euser}\""
+		;;
+	esac
+}
+
 fi
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 13/19] user.eclass: Introduce e{get,set}groups

[Michał Górny]

---
 eclass/user.eclass | 88 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index f4f6c75f3b71..23c3b953842f 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -438,6 +438,24 @@ egetcomment() {
 	egetent passwd "$1" | cut -d: -f${pos}
 }
 
+# @FUNCTION: egetgroups
+# @USAGE: <user>
+# @DESCRIPTION:
+# Gets all the groups user belongs to.  The primary group is returned
+# first, then all supplementary groups.  Groups are ','-separated.
+egetgroups() {
+	[[ $# -eq 1 ]] || die "usage: egetgroups <user>"
+
+	local egroups_arr
+	read -r -a egroups_arr < <(id -G -n "$1")
+
+	local defgroup=${egroups_arr[0]}
+	# sort supplementary groups to make comparison possible
+	readarray -t exgroups_arr < <(printf '%s\n' "${egroups_arr[@]:1}" | sort)
+	local exgroups=${exgroups_arr[*]}
+	echo "${defgroup}${exgroups:+,${exgroups// /,}}"
+}
+
 # @FUNCTION: esethome
 # @USAGE: <user> <homedir>
 # @DESCRIPTION:
@@ -627,4 +645,74 @@ esetcomment() {
 	esac
 }
 
+# @FUNCTION: esetgroups
+# @USAGE: <user> <groups>
+# @DESCRIPTION:
+# Update the group field in a platform-agnostic way.
+# Required parameters is the username and the new list of groups,
+# primary group first.
+esetgroups() {
+	_assert_pkg_ebuild_phase ${FUNCNAME}
+
+	[[ ${#} -eq 2 ]] || die "Usage: ${FUNCNAME} <user> <groups>"
+
+	# get the username
+	local euser=$1; shift
+
+	# lets see if the username already exists
+	if [[ -z $(egetent passwd "${euser}") ]] ; then
+		ewarn "User does not exist, cannot set group -- skipping."
+		return 1
+	fi
+
+	# handle group
+	local egroups=$1; shift
+
+	local g egroups_arr=()
+	IFS="," read -r -a egroups_arr <<<"${egroups}"
+	[[ ${#egroups_arr[@]} -gt 0 ]] || die "${FUNCNAME}: no groups specified"
+
+	for g in "${egroups_arr[@]}" ; do
+		if [[ -z $(egetent group "${g}") ]] ; then
+			eerror "You must add group ${g} to the system first"
+			die "${g} is not a valid GID"
+		fi
+	done
+
+	local defgroup=${egroups_arr[0]} exgroups_arr=()
+	# sort supplementary groups to make comparison possible
+	readarray -t exgroups_arr < <(printf '%s\n' "${egroups_arr[@]:1}" | sort)
+	local exgroups=${exgroups_arr[*]}
+	exgroups=${exgroups// /,}
+	egroups=${defgroup}${exgroups:+,${exgroups}}
+
+	# exit with no message if group membership is up to date
+	if [[ $(egetgroups "${euser}") == ${egroups} ]]; then
+		return 0
+	fi
+
+	local opts=( -g "${defgroup}" -G "${exgroups}" )
+	einfo "Updating groups for user '${euser}' ..."
+	einfo " - Groups: ${egroups}"
+
+	# update the group
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pw usermod "${euser}" "${opts[@]}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update groups"
+		eerror "There was an error when attempting to update the groups for ${euser}"
+		eerror "Please update it manually on your system:"
+		eerror "\t pw usermod \"${euser}\" ${opts[*]}"
+		;;
+
+	*)
+		usermod "${opts[@]}" "${euser}" && return 0
+		[[ $? == 8 ]] && eerror "${euser} is in use, cannot update groups"
+		eerror "There was an error when attempting to update the groups for ${euser}"
+		eerror "Please update it manually on your system (as root):"
+		eerror "\t usermod ${opts[*]} \"${euser}\""
+		;;
+	esac
+}
+
 fi
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 14/19] acct-group.eclass: A new eclass to maintain group accounts

[Michał Górny]

A GLEP 81-compliant eclass to create group packages.
---
 eclass/acct-group.eclass | 124 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 eclass/acct-group.eclass

diff --git a/eclass/acct-group.eclass b/eclass/acct-group.eclass
new file mode 100644
index 000000000000..4b28615387c0
--- /dev/null
+++ b/eclass/acct-group.eclass
@@ -0,0 +1,124 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: acct-group.eclass
+# @MAINTAINER:
+# Michał Górny <mgorny@gentoo.org>
+# @AUTHOR:
+# Michael Orlitzky <mjo@gentoo.org>
+# Michał Górny <mgorny@gentoo.org>
+# @BLURB: Eclass used to create and maintain a single group entry
+# @DESCRIPTION:
+# This eclass represents and creates a single group entry.  The name
+# of the group is derived from ${PN}, while (preferred) GID needs to
+# be specified via ACCT_GROUP_ID.  Packages (and users) needing the group
+# in question should depend on the package providing it.
+#
+# Example:
+# If your package needs group 'foo', you create 'acct-group/foo' package
+# and add an ebuild with the following contents:
+#
+# @CODE
+# EAPI=7
+# inherit acct-group
+# ACCT_GROUP_ID=200
+# @CODE
+#
+# Then you add appropriate dependency to your package.  The dependency
+# type(s) should be:
+# - DEPEND (+ RDEPEND) if the group is already needed at build time,
+# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
+#   in pkg_preinst) or run time.
+
+if [[ -z ${_ACCT_GROUP_ECLASS} ]]; then
+_ACCT_GROUP_ECLASS=1
+
+case ${EAPI:-0} in
+	7) ;;
+	*) die "EAPI=${EAPI} not supported";;
+esac
+
+inherit user
+
+[[ ${CATEGORY} == acct-group ]] ||
+	die "Ebuild error: this eclass can be used only in acct-group category!"
+
+
+# << Eclass variables >>
+
+# @ECLASS-VARIABLE: ACCT_GROUP_NAME
+# @INTERNAL
+# @DESCRIPTION:
+# The name of the group.  This is forced to ${PN} and the policy
+# prohibits it from being changed.
+ACCT_GROUP_NAME=${PN}
+readonly ACCT_GROUP_NAME
+
+# @ECLASS-VARIABLE: ACCT_GROUP_ID
+# @REQUIRED
+# @DESCRIPTION:
+# Preferred GID for the new group.  This variable is obligatory, and its
+# value must be unique across all group packages.
+
+# @ECLASS-VARIABLE: ACCT_GROUP_ENFORCE_ID
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will require the group to have
+# specified GID.  If the group already exists with another GID, or
+# the GID is taken by another group, the install will fail.
+: ${ACCT_GROUP_ENFORCE_ID:=}
+
+
+# << Boilerplate ebuild variables >>
+: ${DESCRIPTION:="Service group: ${ACCT_GROUP_NAME}"}
+: ${HOMEPAGE:=https://www.gentoo.org/}
+: ${SLOT:=0}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
+S=${WORKDIR}
+
+
+# << Phase functions >>
+EXPORT_FUNCTIONS pkg_pretend pkg_preinst
+
+# @FUNCTION: acct-group_pkg_pretend
+# @DESCRIPTION:
+# Performs sanity checks for correct eclass usage, and early-checks
+# whether requested GID can be enforced.
+acct-group_pkg_pretend() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	# verify ACCT_GROUP_ID
+	[[ -n ${ACCT_GROUP_ID} ]] || die "Ebuild error: ACCT_GROUP_ID must be set!"
+	[[ ${ACCT_GROUP_ID} -ge 0 ]] || die "Ebuild errors: ACCT_GROUP_ID=${ACCT_GROUP_ID} invalid!"
+
+	# check for ACCT_GROUP_ID collisions early
+	if [[ -n ${ACCT_GROUP_ENFORCE_ID} ]]; then
+		local group_by_id=$(egetgroupname "${ACCT_GROUP_ID}")
+		local group_by_name=$(egetent group "${ACCT_GROUP_NAME}")
+		if [[ -n ${group_by_id} ]]; then
+			if [[ ${group_by_id} != ${ACCT_GROUP_NAME} ]]; then
+				eerror "The required GID is already taken by another group."
+				eerror "  GID: ${ACCT_GROUP_ID}"
+				eerror "  needed for: ${ACCT_GROUP_NAME}"
+				eerror "  current group: ${group_by_id}"
+				die "GID ${ACCT_GROUP_ID} taken already"
+			fi
+		elif [[ -n ${group_by_name} ]]; then
+			eerror "The requested group exists already with wrong GID."
+			eerror "  groupname: ${ACCT_GROUP_NAME}"
+			eerror "  requested UID: ${ACCT_GROUP_ID}"
+			eerror "  current entry: ${group_by_name}"
+			die "Group ${ACCT_GROUP_NAME} exists with wrong GID"
+		fi
+	fi
+}
+
+# @FUNCTION: acct-group_pkg_preinst
+# @DESCRIPTION:
+# Creates the group if it does not exist yet.
+acct-group_pkg_preinst() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	enewgroup -F "${ACCT_GROUP_NAME}" "${ACCT_GROUP_ID}"
+}
+
+fi
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 15/19] acct-user.eclass: A new eclass to maintain user accounts

[Michał Górny]

A GLEP 81-compliant eclass to create user account packages.
---
 eclass/acct-user.eclass | 249 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 249 insertions(+)
 create mode 100644 eclass/acct-user.eclass

diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
new file mode 100644
index 000000000000..b856a350083d
--- /dev/null
+++ b/eclass/acct-user.eclass
@@ -0,0 +1,249 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: acct-user.eclass
+# @MAINTAINER:
+# Michał Górny <mgorny@gentoo.org>
+# @AUTHOR:
+# Michael Orlitzky <mjo@gentoo.org>
+# Michał Górny <mgorny@gentoo.org>
+# @BLURB: Eclass used to create and maintain a single user entry
+# @DESCRIPTION:
+# This eclass represents and creates a single user entry.  The name
+# of the user is derived from ${PN}, while (preferred) UID needs to
+# be specified via ACCT_USER_ID.  Additional variables are provided
+# to override the default home directory, shell and add group
+# membership.  Packages needing the user in question should depend
+# on the package providing it.
+#
+# The ebuild needs to call acct-user_add_deps after specifying
+# ACCT_USER_GROUPS.
+#
+# Example:
+# If your package needs user 'foo' belonging to same-named group, you
+# create 'acct-user/foo' package and add an ebuild with the following
+# contents:
+#
+# @CODE
+# EAPI=7
+# inherit acct-user
+# ACCT_USER_ID=200
+# ACCT_USER_GROUPS=( foo )
+# acct-user_add_deps
+# @CODE
+#
+# Then you add appropriate dependency to your package.  The dependency
+# type(s) should be:
+# - DEPEND (+ RDEPEND) if the user is already needed at build time,
+# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
+#   in pkg_preinst) or run time.
+
+if [[ -z ${_ACCT_USER_ECLASS} ]]; then
+_ACCT_USER_ECLASS=1
+
+case ${EAPI:-0} in
+	7) ;;
+	*) die "EAPI=${EAPI} not supported";;
+esac
+
+inherit user
+
+[[ ${CATEGORY} == acct-user ]] ||
+	die "Ebuild error: this eclass can be used only in acct-user category!"
+
+
+# << Eclass variables >>
+
+# @ECLASS-VARIABLE: ACCT_USER_NAME
+# @INTERNAL
+# @DESCRIPTION:
+# The name of the user.  This is forced to ${PN} and the policy prohibits
+# it from being changed.
+ACCT_USER_NAME=${PN}
+readonly ACCT_USER_NAME
+
+# @ECLASS-VARIABLE: ACCT_USER_ID
+# @REQUIRED
+# @DESCRIPTION:
+# Preferred UID for the new user.  This variable is obligatory, and its
+# value must be unique across all user packages.
+
+# @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will require the user to have
+# specified UID.  If the user already exists with another UID, or
+# the UID is taken by another user, the install will fail.
+: ${ACCT_USER_ENFORCE_ID:=}
+
+# @ECLASS-VARIABLE: ACCT_USER_SHELL
+# @DESCRIPTION:
+# The shell to use for the user.  If not specified, a 'nologin' variant
+# for the system is used.
+: ${ACCT_USER_SHELL:=-1}
+
+# @ECLASS-VARIABLE: ACCT_USER_HOME
+# @DESCRIPTION:
+# The home directory for the user.  If not specified, /dev/null is used.
+# The directory will be created with appropriate permissions if it does
+# not exist.  When updating, existing home directory will not be moved.
+: ${ACCT_USER_HOME:=/dev/null}
+
+# @ECLASS-VARIABLE: ACCT_USER_HOME_OWNER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# The ownership to use for the home directory, in chown ([user][:group])
+# syntax.  Defaults to the newly created user, and its primary group.
+
+# @ECLASS-VARIABLE: ACCT_USER_HOME_PERMS
+# @DESCRIPTION:
+# The permissions to use for the home directory, in chmod (octal
+# or verbose) form.
+: ${ACCT_USER_HOME_PERMS:=0755}
+
+# @ECLASS-VARIABLE: ACCT_USER_GROUPS
+# @REQUIRED
+# @DESCRIPTION:
+# List of groups the user should belong to.  This must be a bash
+# array. 
+
+
+# << Boilerplate ebuild variables >>
+: ${DESCRIPTION:="Service user: ${ACCT_USER_NAME}"}
+: ${HOMEPAGE:=https://www.gentoo.org/}
+: ${SLOT:=0}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
+S=${WORKDIR}
+
+
+# << API functions >>
+
+# @FUNCTION: acct-user_add_deps
+# @DESCRIPTION:
+# Generate appropriate RDEPEND from ACCT_USER_GROUPS.  This must be
+# called if ACCT_USER_GROUPS are set.
+acct-user_add_deps() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	# ACCT_USER_GROUPS sanity check
+	if ! declare -p ACCT_USER_GROUPS &>/dev/null; then
+		die 'ACCT_USER_GROUPS must be specified.'
+	elif [[ $(declare -p ACCT_USER_GROUPS) != "declare -a"* ]]; then
+		die 'ACCT_USER_GROUPS must be an array.'
+	fi
+
+	RDEPEND+=${ACCT_USER_GROUPS[*]/#/ acct-group/}
+	_ACCT_USER_ADD_DEPS_CALLED=1
+}
+
+
+# << Phase functions >>
+EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_postinst \
+	pkg_prerm
+
+# @FUNCTION: acct-user_pkg_pretend
+# @DESCRIPTION:
+# Performs sanity checks for correct eclass usage, and early-checks
+# whether requested UID can be enforced.
+acct-user_pkg_pretend() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	# verify that acct-user_add_deps() has been called
+	# (it verifies ACCT_USER_GROUPS itself)
+	if [[ -z ${_ACCT_USER_ADD_DEPS_CALLED} ]]; then
+		die "Ebuild error: acct-user_add_deps must have been called in global scope!"
+	fi
+
+	# verify ACCT_USER_ID
+	[[ -n ${ACCT_USER_ID} ]] || die "Ebuild error: ACCT_USER_ID must be set!"
+	[[ ${ACCT_USER_ID} -ge 0 ]] || die "Ebuild errors: ACCT_USER_ID=${ACCT_USER_ID} invalid!"
+
+	# check for ACCT_USER_ID collisions early
+	if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then
+		local user_by_id=$(egetusername "${ACCT_USER_ID}")
+		local user_by_name=$(egetent passwd "${ACCT_USER_NAME}")
+		if [[ -n ${user_by_id} ]]; then
+			if [[ ${user_by_id} != ${ACCT_USER_NAME} ]]; then
+				eerror "The required UID is already taken by another user."
+				eerror "  UID: ${ACCT_USER_ID}"
+				eerror "  needed for: ${ACCT_USER_NAME}"
+				eerror "  current user: ${user_by_id}"
+				die "UID ${ACCT_USER_ID} taken already"
+			fi
+		elif [[ -n ${user_by_name} ]]; then
+			eerror "The requested user exists already with wrong UID."
+			eerror "  username: ${ACCT_USER_NAME}"
+			eerror "  requested UID: ${ACCT_USER_ID}"
+			eerror "  current entry: ${user_by_name}"
+			die "Username ${ACCT_USER_NAME} exists with wrong UID"
+		fi
+	fi
+}
+
+# @FUNCTION: acct-user_src_install
+# @DESCRIPTION:
+# Installs a keep-file into the user's home directory to ensure it is
+# owned by the package.
+acct-user_src_install() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
+		# note: we can't set permissions here since the user isn't
+		# created yet
+		keepdir "${ACCT_USER_HOME}"
+	fi
+}
+
+# @FUNCTION: acct-user_pkg_preinst
+# @DESCRIPTION:
+# Creates the user if it does not exist yet.  Sets permissions
+# of the home directory in install image.
+acct-user_pkg_preinst() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	local groups=${ACCT_USER_GROUPS[*]}
+	enewuser -F -M "${ACCT_USER_NAME}" "${ACCT_USER_ID}" \
+		"${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" "${groups// /,}"
+
+	if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
+		# default ownership to user:group
+		if [[ -z ${ACCT_USER_HOME_OWNER} ]]; then
+			ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}
+			if [[ -n ${ACCT_USER_GROUPS[0]} ]]; then
+				ACCT_USER_HOME_OWNER+=":${ACCT_USER_GROUPS[0]}"
+			fi
+		fi
+		fowners "${ACCT_USER_HOME_OWNER}" "${ACCT_USER_HOME}"
+		fperms "${ACCT_USER_HOME_PERMS}" "${ACCT_USER_HOME}"
+	fi
+}
+
+# @FUNCTION: acct-user_pkg_postinst
+# @DESCRIPTION:
+# Updates user properties if necessary.  This needs to be done after
+# new home directory is installed.
+acct-user_pkg_postinst() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	# NB: eset* functions check current value
+	esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
+	esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
+	local groups=${ACCT_USER_GROUPS[*]}
+	esetgroups "${ACCT_USER_NAME}" "${groups// /,}"
+	# comment field can not contain colons
+	esetcomment "${ACCT_USER_NAME}" "${DESCRIPTION//[:,=]/;}"
+}
+
+# @FUNCTION: acct-user_pkg_prerm
+# @DESCRIPTION:
+# Ensures that the user account is locked out when it is removed.
+acct-user_pkg_prerm() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	if [[ -z ${REPLACED_BY_VERSION} ]]; then
+		esetshell "${ACCT_USER_NAME}" -1
+		esetcomment "${ACCT_USER_NAME}" \
+			"$(egetcomment "${ACCT_USER_NAME}"); user account removed @ $(date +%Y-%m-%d)"
+	fi
+}
+
+fi
-- 
2.22.0.rc3

Re: [gentoo-dev] [PATCH v3 15/19] acct-user.eclass: A new eclass to maintain user accounts

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 463 bytes --]

On Sun, 2019-06-09 at 13:28 +0200, Michał Górny wrote:
> +                       ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}
> +                       if [[ -n ${ACCT_USER_GROUPS[0]} ]]; then
> +                               ACCT_USER_HOME_OWNER+=":${ACCT_USER_GROUPS[0]}"
> +                       fi

I've just noticed that this can be simplified to:

ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}:${ACCT_USER_GROUPS[0]}

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

[gentoo-dev] [PATCH v3 16/19] acct-user.eclass: Supporting locking & unlocking accounts

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/acct-user.eclass | 127 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)

diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
index b856a350083d..23b99e6dc9c3 100644
--- a/eclass/acct-user.eclass
+++ b/eclass/acct-user.eclass
@@ -136,6 +136,131 @@ acct-user_add_deps() {
 }
 
 
+# << Helper functions >>
+
+# @FUNCTION: eislocked
+# @INTERNAL
+# @USAGE: <user>
+# @DESCRIPTION:
+# Check whether the specified user account is currently locked.
+# Returns 0 if it is locked, 1 if it is not, 2 if the platform
+# does not support determining it.
+eislocked() {
+	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
+
+	if [[ ${EUID} != 0 ]] ; then
+		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
+		return 0
+	fi
+
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*|*-netbsd*)
+		[[ $(egetent "$1" | cut -d: -f2) == '*LOCKED*'* ]]
+		;;
+
+	*-openbsd*)
+		return 2
+		;;
+
+	*)
+		# NB: 'no password' and 'locked' are indistinguishable
+		# but we also expire the account which is more clear
+		[[ $(getent shadow ftp | cut -d: -f2) == '!'* ]] &&
+			[[ $(getent shadow ftp | cut -d: -f8) == 1 ]]
+		;;
+	esac
+}
+
+# @FUNCTION: elockuser
+# @INTERNAL
+# @USAGE: <user>
+# @DESCRIPTION:
+# Lock the specified user account, using the available platform-specific
+# functions.  This should prevent any login to the account.
+#
+# Established lock can be reverted using eunlockuser.
+#
+# This function returns 0 if locking succeeded, 2 if it is not supported
+# by the platform code or dies if it fails.
+elockuser() {
+	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
+
+	if [[ ${EUID} != 0 ]] ; then
+		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
+		return 0
+	fi
+
+	eislocked "$1"
+	[[ $? -eq 0 ]] && return 0
+
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pw lock "$1" || die "Locking account $1 failed"
+		pw user mod "$1" -e 1 || die "Expiring account $1 failed"
+		;;
+
+	*-netbsd*)
+		usermod -C yes "$1" || die "Locking account $1 failed"
+		;;
+
+	*-openbsd*)
+		return 2
+		;;
+
+	*)
+		usermod -e 1 -L "$1" || die "Locking account $1 failed"
+		;;
+	esac
+
+	elog "User account $1 locked"
+	return 0
+}
+
+# @FUNCTION: eunlockuser
+# @INTERNAL
+# @USAGE: <user>
+# @DESCRIPTION:
+# Unlock the specified user account, using the available platform-
+# specific functions.
+#
+# This function returns 0 if unlocking succeeded, 1 if it is not
+# supported by the platform code or dies if it fails.
+eunlockuser() {
+	[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
+
+	if [[ ${EUID} != 0 ]] ; then
+		einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
+		return 0
+	fi
+
+	eislocked "$1"
+	[[ $? -eq 1 ]] && return 0
+
+	case ${CHOST} in
+	*-freebsd*|*-dragonfly*)
+		pw user mod "$1" -e 0 || die "Unexpiring account $1 failed"
+		pw unlock "$1" || die "Unlocking account $1 failed"
+		;;
+
+	*-netbsd*)
+		usermod -C no "$1" || die "Unlocking account $1 failed"
+		;;
+
+	*-openbsd*)
+		return 1
+		;;
+
+	*)
+		# silence warning if account does not have a password
+		usermod -e "" -U "$1" 2>/dev/null || die "Unlocking account $1 failed"
+		;;
+	esac
+
+	ewarn "User account $1 unlocked after reinstating."
+	return 0
+}
+
+
 # << Phase functions >>
 EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_postinst \
 	pkg_prerm
@@ -231,6 +356,7 @@ acct-user_pkg_postinst() {
 	esetgroups "${ACCT_USER_NAME}" "${groups// /,}"
 	# comment field can not contain colons
 	esetcomment "${ACCT_USER_NAME}" "${DESCRIPTION//[:,=]/;}"
+	eunlockuser "${ACCT_USER_NAME}"
 }
 
 # @FUNCTION: acct-user_pkg_prerm
@@ -243,6 +369,7 @@ acct-user_pkg_prerm() {
 		esetshell "${ACCT_USER_NAME}" -1
 		esetcomment "${ACCT_USER_NAME}" \
 			"$(egetcomment "${ACCT_USER_NAME}"); user account removed @ $(date +%Y-%m-%d)"
+		elockuser "${ACCT_USER_NAME}"
 	fi
 }
 
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 17/19] acct-group/ftp: Add 'ftp' group (GID 21)

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 acct-group/ftp/ftp-0.ebuild | 8 ++++++++
 acct-group/ftp/metadata.xml | 5 +++++
 profiles/categories         | 1 +
 3 files changed, 14 insertions(+)
 create mode 100644 acct-group/ftp/ftp-0.ebuild
 create mode 100644 acct-group/ftp/metadata.xml

diff --git a/acct-group/ftp/ftp-0.ebuild b/acct-group/ftp/ftp-0.ebuild
new file mode 100644
index 000000000000..d0912739a2fe
--- /dev/null
+++ b/acct-group/ftp/ftp-0.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=21
diff --git a/acct-group/ftp/metadata.xml b/acct-group/ftp/metadata.xml
new file mode 100644
index 000000000000..7a38bb900964
--- /dev/null
+++ b/acct-group/ftp/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/profiles/categories b/profiles/categories
index 4ff0d5562001..ebfc72f70759 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -1,3 +1,4 @@
+acct-group
 app-accessibility
 app-admin
 app-antivirus
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 18/19] acct-user/ftp: Add 'ftp' user (UID 21)

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 acct-user/ftp/ftp-0.ebuild | 13 +++++++++++++
 acct-user/ftp/metadata.xml |  5 +++++
 profiles/categories        |  1 +
 3 files changed, 19 insertions(+)
 create mode 100644 acct-user/ftp/ftp-0.ebuild
 create mode 100644 acct-user/ftp/metadata.xml

diff --git a/acct-user/ftp/ftp-0.ebuild b/acct-user/ftp/ftp-0.ebuild
new file mode 100644
index 000000000000..86a3ef04f278
--- /dev/null
+++ b/acct-user/ftp/ftp-0.ebuild
@@ -0,0 +1,13 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+ACCT_USER_ID=21
+ACCT_USER_HOME=/home/ftp
+ACCT_USER_HOME_OWNER=root:ftp
+ACCT_USER_GROUPS=( ftp )
+
+acct-user_add_deps
diff --git a/acct-user/ftp/metadata.xml b/acct-user/ftp/metadata.xml
new file mode 100644
index 000000000000..7a38bb900964
--- /dev/null
+++ b/acct-user/ftp/metadata.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
diff --git a/profiles/categories b/profiles/categories
index ebfc72f70759..0f45f8cd1732 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -1,4 +1,5 @@
 acct-group
+acct-user
 app-accessibility
 app-admin
 app-antivirus
-- 
2.22.0.rc3

[gentoo-dev] [PATCH v3 19/19] net-ftp/ftpbase: Utilize {group,user}/ftp

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild | 39 ++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild

diff --git a/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
new file mode 100644
index 000000000000..c333840faa18
--- /dev/null
+++ b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit eutils pam user
+
+DESCRIPTION="FTP layout package"
+HOMEPAGE="https://www.gentoo.org/"
+SRC_URI=""
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="pam"
+
+DEPEND="pam? ( virtual/pam )
+	!<net-ftp/proftpd-1.2.10-r6
+	!<net-ftp/pure-ftpd-1.0.20-r2
+	!<net-ftp/vsftpd-2.0.3-r1"
+RDEPEND="
+	acct-group/ftp
+	acct-user/ftp"
+
+S=${WORKDIR}
+
+src_install() {
+	# The ftpusers file is a list of people who are NOT allowed
+	# to use the ftp service.
+	insinto /etc
+	doins "${FILESDIR}/ftpusers" || die
+
+	cp "${FILESDIR}/ftp-pamd-include" "${T}" || die
+	if use elibc_FreeBSD; then
+		sed -i -e "/pam_listfile.so/s/^.*$/account  required  pam_ftpusers.so no_warn disallow/" \
+			"${T}"/ftp-pamd-include || die
+	fi
+	newpamd "${T}"/ftp-pamd-include ftp
+}
-- 
2.22.0.rc3