From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Deutschmann
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification
Date: Fri, 8 Jan 2021 23:45:53 +0100
Message-Id: <20210108224553.12282-1-whissi@gentoo.org>
X-Mailer: git-send-email 2.30.0
List-Id: Gentoo Linux mail
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In some setups where users are changed/managed not only via ebuilds, for example through configuration management systems, it could be problematic if acct-user.eclass restores user/group settings to the values set in the ebuild.

Setting ACCT_USER_NO_MODIFY to a non-zero value will allow the system administrator to disable modification of any existing user.

Note: Lock/unlock when an acct-* package is installed/removed will still happen.
Signed-off-by: Thomas Deutschmann
---
v3:
- Fixed eclass documentation
- Honor 80 chars limit
- Prefixed internal variable ACCT_USER_ALREADY_EXISTS

 eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass index 47890e48409a..dcda661d39ea 100644 --- a/eclass/acct-user.eclass +++ b/eclass/acct-user.eclass @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME # Overlays should set this to -1 to dynamically allocate UID. Using -1 # in ::gentoo is prohibited by policy. +# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS +# @INTERNAL +# @DESCRIPTION: +# Status variable which indicates if user already exists. + # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID # @DESCRIPTION: # If set to a non-null value, the eclass will require the user to have @@ -79,6 +84,13 @@ readonly ACCT_USER_NAME # the UID is taken by another user, the install will fail. : ${ACCT_USER_ENFORCE_ID:=} +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, the eclass will not make any changes +# to an already existing user. +: ${ACCT_USER_NO_MODIFY:=} + # @ECLASS-VARIABLE: ACCT_USER_SHELL # @DESCRIPTION: # The shell to use for the user. If not specified, a 'nologin' variant @@ -344,6 +356,13 @@ acct-user_src_install() { acct-user_pkg_preinst() { debug-print-function ${FUNCNAME} "${@}" + # check if user already exists + _ACCT_USER_ALREADY_EXISTS= + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then + _ACCT_USER_ALREADY_EXISTS=yes + fi + readonly _ACCT_USER_ALREADY_EXISTS + local groups=${ACCT_USER_GROUPS[*]} enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \ "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \ 
@@ -379,6 +398,14 @@ acct-user_pkg_postinst() { return 0 fi + if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; then + eunlockuser "${ACCT_USER_NAME}" + + ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user" + ewarn "due to set ACCT_USER_NO_MODIFY." + return 0 + fi + # NB: eset* functions check current value esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}" esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}" -- 2.30.0
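Review bot: the new `_ACCT_USER_ALREADY_EXISTS` doc block in the first hunk (@@ -72,6 +72,11 @@) does not say when the variable becomes valid; it is only assigned in acct-user_pkg_preinst and is empty in global scope and in every earlier phase, so the @DESCRIPTION should state that, e.g. `# Set in acct-user_pkg_preinst before enewuser runs: "yes" if the user` / `# existed already, empty otherwise.` Without that, a later eclass change reading it from pkg_setup or src_install would silently see an empty value and treat every user as new.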
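Review bot: the `ACCT_USER_NO_MODIFY` description in the second hunk (@@ -79,6 +84,13 @@) and the commit message disagree on the trigger: the description says "non-null value" and the postinst check uses `[[ -n ${ACCT_USER_NO_MODIFY} ... ]]`, so any non-empty string enables the opt-out, including `0`, while the commit message says "non-zero value". Say "non-empty" in both places. The description should also say where the variable is meant to be set (by the system administrator in make.conf or the environment, as the commit message explains, not in ebuilds), since it changes what every acct-user package is allowed to do to an existing account.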
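Review bot: in the third hunk (@@ -344,6 +356,13 @@, acct-user_pkg_preinst) the `egetent passwd` test correctly runs before `enewuser`, but the result is only consumed in acct-user_pkg_postinst, so the flag depends on the package manager carrying the saved ebuild environment across the preinst/postinst boundary; please confirm in testing that a `readonly` variable survives that round trip, and if it does not, drop `readonly` and keep the plain assignment. A one-line comment on the assignment saying that pkg_postinst reads it would make the cross-phase dependency visible to the next person editing either function.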
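Review bot: the early return in the fourth hunk (@@ -379,6 +398,14 @@, acct-user_pkg_postinst) skips every `eset*` call, so with ACCT_USER_NO_MODIFY set an existing account keeps whatever home, shell and other attributes it already has, including a login shell where the ebuild expects the 'nologin' variant; the ewarn should name what is being left alone so an administrator reading the log knows what was not enforced, e.g. `ewarn "User ${ACCT_USER_NAME} already exists; not modifying its home, shell"` / `ewarn "or other settings because ACCT_USER_NO_MODIFY is set."` Style: lowercase "not touching" after the semicolon in the current message, and no space before `;` in `]] ; then` (the check added in pkg_preinst uses `]]; then`).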