public inbox for gentoo-dev@lists.gentoo.org
From: Michael Orlitzky <mjo@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 2/2] install-qa-check.d: allow acct-user home directories under /home.
Date: Sun, 19 Jan 2020 22:43:50 -0500
Message-ID: <20200120034350.27108-3-mjo@gentoo.org>
In-Reply-To: <20200120034350.27108-1-mjo@gentoo.org>

In rare cases, a system user will need a real home directory to store
per-user configuration data and/or be accessed interactively by a
human being. In those cases, /home/${username} is an appropriate place
for the user's home directory. Using /home is allowed and encouraged
by the FHS, and there are no real technical obstacles to it aside from
an install-time QA warning about the path.

Before GLEP81, the efficacy of this check was unarguable. With
enewuser, you could still set a user's home directory to a location
under /home, but the lack of a "keepdir" meant that it would fly under
the radar during the QA check. As a result, the QA check would only
flag truly problematic files. With GLEP81, however, an implementation
detail leads this check to flag the user's home directory.

This commit makes an exception for the home directory /home/${PN}
itself, and the /home/${PN}/.keep* file it contains. This lets us
migrate existing user.eclass ebuilds to GLEP81 without triggering a
new QA warning on a dummy file.

This will be useful in at least two real situations:

  * The "amavis" user exists to launch the amavisd daemon, but much of
    the configuration for that user is created in $HOME by a human who
    is logged in as "amavis" interactively. This is user data by any
    definition, and should be stored in /home/amavis rather than
    dumping it in the daemon's working directory.

  * The "spamd" user gets its SpamAssassin configuration the same way
    local users do in a traditional UNIX mail setup: by reading it out
    of $HOME. This is user data, even though it happens to affect the
    daemon. With user.eclass, /home/spamd is already used as the home
    directory. When migrating to GLEP81, we should not break existing
    systems and force a migration just to avoid an old warning.

There are other potential uses as well. If I want to share (real
human) user accounts across multiple Gentoo installs per the design of
GLEP81, then I can do that with acct-user packages in an overlay. The
user packages ensure that the same UIDs and GIDs get used on every
system, but if I do this with my "mjo" account, I'm going to want
/home/mjo to be my home directory. There's nothing wrong with that,
so we shouldn't warn about it.
---
 metadata/install-qa-check.d/08gentoo-paths | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/metadata/install-qa-check.d/08gentoo-paths b/metadata/install-qa-check.d/08gentoo-paths
index 5161aef9922..ab9bd64d0e0 100644
--- a/metadata/install-qa-check.d/08gentoo-paths
+++ b/metadata/install-qa-check.d/08gentoo-paths
@@ -19,6 +19,10 @@ gentoo_path_check() {
 		boot dev etc opt srv usr var
 	)
 
+	# We make an exception and allow acct-user packages to install to
+	# /home in rare circumstances.
+	[[ "${CATEGORY}" == "acct-user" ]] && allowed_paths_toplevel+=( home )
+
 	# directories in /usr which can be installed to by ebuilds
 	# /usr/games is not included as it is banned nowadays
 	local allowed_paths_usr=(
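Review bot: The comment above the new allowed_paths_toplevel+=( home ) line does not say that this only silences the top-level check and that the real restriction (only /home/${PN} and its .keep* file) is enforced by a separate block further down in gentoo_path_check(). As written, a reader of this spot alone would conclude that acct-user packages may install anything under /home, and anyone who later moves or removes the second block would leave /home fully open for the whole category. Please extend the comment to point at the later check, or keep the two pieces adjacent so the allow-list entry and its narrowing cannot drift apart.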
@@ -61,6 +65,29 @@ gentoo_path_check() {
 		fi
 	done
 
+	# Normally ebuilds should not install anything under /home. If this
+	# is a GLEP81 user package, however, we make an exception for the
+	# user's home directory itself and the ".keep" file within it. This
+	# allows GLEP81 user packages to have home directories under /home,
+	# which can be useful if the account is meant to be used by a human
+	# to store configuration data or run maintenance tasks.
+	if [[ "${CATEGORY}" == "acct-user" ]]; then
+		local f found=()
+		while read -r -d '' f; do
+			found+=( "${f}" )
+		done < <(find -L "${ED%/}/home" \
+					  -mindepth 1 \
+					  -maxdepth 2 \
+					  ! -path "${ED%/}/home/${PN}" \
+					  ! -path "${ED%/}/home/${PN}/.keep*" \
+					  -print0)
+
+		if [[ ${found[@]} ]]; then
+			# mimic the output for non-acct-user packages.
+			bad_paths+=( "/home" )
+		fi
+	fi
+
 	${shopt_save}
 
 	# report
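Review bot: There is no check that "${ED%/}/home" exists before find is run on it, and the enclosing if only tests CATEGORY, so every acct-user package that installs nothing under /home will make find complain on stderr about a missing starting point. Guard the block with a test such as [[ -d ${ED%/}/home ]] in the same condition. Two smaller points in the same hunk: the exclusion ! -path "${ED%/}/home/${PN}/.keep*" is a glob in which * also matches "/", and combined with -maxdepth 2 it exempts a directory whose name starts with .keep along with everything inside it, so restricting that exception to regular files would match the stated intent of allowing only the keepdir file. And [[ ${found[@]} ]] is used purely as a non-empty test; (( ${#found[@]} )) says that directly, or find could stop at the first hit with -print -quit since the list itself is never reported.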
-- 
2.24.1


