From: Michael Orlitzky <mjo@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] acct-user.eclass: don't modify existing user by default
Date: Sun, 3 Jan 2021 22:18:48 -0500
Message-ID: <60fac781-e080-999c-e83e-c657d5b89d18@gentoo.org>
In-Reply-To: <20210104013558.20072-1-whissi@gentoo.org>

On 1/3/21 8:35 PM, Thomas Deutschmann wrote:
> Modifying an existing user is a bad default and makes Gentoo
> special because it is common for system administrators to make
> modifications to users (i.e. putting a user into another service's
> group to allow that user to access the service in question) and it
> would be unexpected to see these changes reverted during normal
> world upgrade (which could break services).

It would be nice if this was well-supported by the official way of
modifying system users/groups; that is, by using an overlay with
modified user/group ebuilds.

Right now it's awkward to do because of the way the eclasses are
structured. For example, some of our servers allow the "postfix" user to
write to OpenDKIM's socket, but only on our *outgoing* mail servers (not
on the incoming MX, where no signing takes place.) This is accomplished
by creating an acct-group/dkimsocket ebuild (ok so far), and then by
overriding the acct-user/postfix ebuild:

  EAPI=7

  inherit acct-user

  DESCRIPTION="user for postfix daemon"
  IUSE="dkimsocket"
  ACCT_USER_ID=207
  ACCT_USER_GROUPS=( postfix mail )

  acct-user_add_deps

  # This needs to be done outside of acct-user_add_deps because we can't
  # test use flags in global scope, and therefore we can't add groups
  # to ACCT_USER_GROUPS before calling acct-user_add_deps.
  RDEPEND+=" dkimsocket? ( acct-group/dkimsocket )"

  pkg_setup() {
      # https://wiki.gentoo.org/wiki/OpenDKIM
      #
      # Even though we added the group to RDEPEND manually, we still
      # need to add it to the array.
      if use dkimsocket; then
          ACCT_USER_GROUPS+=( dkimsocket )
      fi
  }

That's the common case of adding a system user to a group, and it's
pretty ugly, so it's no wonder that people want to use "usermod" and
then ignore subsequent changes by the PM.

And there's probably a backwards-compatible way we could support
USE-conditional supplementary groups.