* [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification
@ 2021-01-08 22:45 Thomas Deutschmann
From: Thomas Deutschmann @ 2021-01-08 22:45 UTC
To: gentoo-dev
In some setups where users are changed or managed not only via ebuilds,
for example through configuration management systems, it could be
problematic if acct-user.eclass restores user/group settings
to the values set in the ebuild.
Setting ACCT_USER_NO_MODIFY to a non-zero value will allow the system
administrator to disable modification of any existing user.
Note: Lock/unlock when an acct-* package is installed/removed
will still happen.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
---
v3:
- Fixed eclass documentation
- Honor 80 chars limit
- Prefixed internal variable ACCT_USER_ALREADY_EXISTS
eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
index 47890e48409a..dcda661d39ea 100644
--- a/eclass/acct-user.eclass
+++ b/eclass/acct-user.eclass
@@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
# Overlays should set this to -1 to dynamically allocate UID. Using -1
# in ::gentoo is prohibited by policy.
+# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
+# @INTERNAL
+# @DESCRIPTION:
+# Status variable which indicates if user already exists.
+
# @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
# @DESCRIPTION:
# If set to a non-null value, the eclass will require the user to have
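Review bot: the @DESCRIPTION for _ACCT_USER_ALREADY_EXISTS should say when and how the variable is populated; from the variable block alone a reader cannot tell that it is set in acct-user_pkg_preinst (before enewuser runs) and consumed in acct-user_pkg_postinst. Suggest replacing "# Status variable which indicates if user already exists." with something like "# Set by acct-user_pkg_preinst to a non-empty value if the user already existed before the merge; read by acct-user_pkg_postinst to decide whether to skip modifying the account."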
@@ -79,6 +84,13 @@ readonly ACCT_USER_NAME
# the UID is taken by another user, the install will fail.
: ${ACCT_USER_ENFORCE_ID:=}
+# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will not make any changes
+# to an already existing user.
+: ${ACCT_USER_NO_MODIFY:=}
+
# @ECLASS-VARIABLE: ACCT_USER_SHELL
# @DESCRIPTION:
# The shell to use for the user. If not specified, a 'nologin' variant
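Review bot: "# the eclass will not make any changes to an already existing user" overstates the opt-out: according to the commit message and the pkg_postinst hunk, the user is still created if missing and is still unlocked/locked on install/removal, and only the post-install adjustments (esethome, esetshell, ...) are skipped, so the description should state that exception. It should also say who is meant to set the variable, since this is an administrator policy knob (make.conf or the environment) rather than something an ebuild sets. Suggest: "# If set to a non-null value by the system administrator, the eclass will not adjust the home directory, shell or other settings of a user that already existed before the merge. Locking and unlocking on install/removal still happen." Minor: @DEFAULT_UNSET together with ": ${ACCT_USER_NO_MODIFY:=}" is slightly contradictory, since the assignment leaves the variable set to the empty string; match whatever convention ACCT_USER_ENFORCE_ID uses a few lines above.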
@@ -344,6 +356,13 @@ acct-user_src_install() {
acct-user_pkg_preinst() {
debug-print-function ${FUNCNAME} "${@}"
+ # check if user already exists
+ _ACCT_USER_ALREADY_EXISTS=
+ if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
+ _ACCT_USER_ALREADY_EXISTS=yes
+ fi
+ readonly _ACCT_USER_ALREADY_EXISTS
+
local groups=${ACCT_USER_GROUPS[*]}
enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
"${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
@@ -379,6 +398,14 @@ acct-user_pkg_postinst() {
return 0
fi
+ if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; then
+ eunlockuser "${ACCT_USER_NAME}"
+
+ ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user"
+ ewarn "due to set ACCT_USER_NO_MODIFY."
+ return 0
+ fi
+
# NB: eset* functions check current value
esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
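Review bot: the early return skips every remaining step of acct-user_pkg_postinst, not just the esethome/esetshell calls that follow, so the ewarn should tell the administrator what was deliberately left untouched so it can be verified by hand; "due to set ACCT_USER_NO_MODIFY" also reads awkwardly. Suggest: ewarn "User ${ACCT_USER_NAME} already exists and ACCT_USER_NO_MODIFY is set;" / ewarn "leaving its current home directory, shell and other settings unchanged." Calling eunlockuser before the return is correct, since the commit message promises that lock/unlock still happens; a one-line comment saying so would save the next reader a question. Nit, also raised in the thread: "]] ; then" here vs "]]; then" in the pkg_preinst hunk.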
--
2.30.0
* Re: [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification
From: Michał Górny @ 2021-01-10 19:35 UTC
To: gentoo-dev
On Fri, 2021-01-08 at 23:45 +0100, Thomas Deutschmann wrote:
> In some setups where users are changed or managed not only via ebuilds,
> for example through configuration management systems, it could be
> problematic if acct-user.eclass restores user/group settings
> to the values set in the ebuild.
>
> Setting ACCT_USER_NO_MODIFY to a non-zero value will allow the system
> administrator to disable modification of any existing user.
>
> Note: Lock/unlock when an acct-* package is installed/removed
> will still happen.
>
> Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
> ---
>
> v3:
> - Fixed eclass documentation
> - Honor 80 chars limit
> - Prefixed internal variable ACCT_USER_ALREADY_EXISTS
>
> eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
> index 47890e48409a..dcda661d39ea 100644
> --- a/eclass/acct-user.eclass
> +++ b/eclass/acct-user.eclass
> @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
> # Overlays should set this to -1 to dynamically allocate UID. Using -1
> # in ::gentoo is prohibited by policy.
>
> +# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
> +# @INTERNAL
> +# @DESCRIPTION:
> +# Status variable which indicates if user already exists.
> +
> # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
> # @DESCRIPTION:
> # If set to a non-null value, the eclass will require the user to have
> @@ -79,6 +84,13 @@ readonly ACCT_USER_NAME
> # the UID is taken by another user, the install will fail.
> : ${ACCT_USER_ENFORCE_ID:=}
>
> +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# If set to a non-null value, the eclass will not make any changes
> +# to an already existing user.
> +: ${ACCT_USER_NO_MODIFY:=}
> +
> # @ECLASS-VARIABLE: ACCT_USER_SHELL
> # @DESCRIPTION:
> # The shell to use for the user. If not specified, a 'nologin' variant
> @@ -344,6 +356,13 @@ acct-user_src_install() {
> acct-user_pkg_preinst() {
> debug-print-function ${FUNCNAME} "${@}"
>
> + # check if user already exists
> + _ACCT_USER_ALREADY_EXISTS=
> + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
> + _ACCT_USER_ALREADY_EXISTS=yes
=1 is used elsewhere in the eclass.
> + fi
> + readonly _ACCT_USER_ALREADY_EXISTS
> +
> local groups=${ACCT_USER_GROUPS[*]}
> enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
> "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
> @@ -379,6 +398,14 @@ acct-user_pkg_postinst() {
> return 0
> fi
>
> + if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; then
Nit: inconsistent style of ']];'.
> + eunlockuser "${ACCT_USER_NAME}"
> +
> + ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user"
> + ewarn "due to set ACCT_USER_NO_MODIFY."
> + return 0
> + fi
> +
> # NB: eset* functions check current value
> esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
> esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
--
Best regards,
Michał Górny