From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification
Date: Sun, 10 Jan 2021 20:35:16 +0100
In-Reply-To: <20210108224553.12282-1-whissi@gentoo.org>
References: <20210108224553.12282-1-whissi@gentoo.org>
Organization: Gentoo
List-Id: Gentoo Linux mail <gentoo-dev@lists.gentoo.org>

On Fri, 2021-01-08 at 23:45 +0100, Thomas Deutschmann wrote:
> In some setups where users are changed/managed not only via ebuilds,
> for example through configuration management systems, it could be
> problematic if acct-user.eclass will restore user/group settings
> to values set in the ebuild.
>
> Setting ACCT_USER_NO_MODIFY to a non-zero value will allow the system
> administrator to disable modification of any existing user.
>
> Note: Lock/unlock when acct-* package will be installed/removed
>       will still happen.
>
> Signed-off-by: Thomas Deutschmann
> ---
>
>  v3:
>    - Fixed eclass documentation
>    - Honor 80 chars limit
>    - Prefixed internal variable ACCT_USER_ALREADY_EXISTS
>
>  eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
>
> diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
> index 47890e48409a..dcda661d39ea 100644
> --- a/eclass/acct-user.eclass
> +++ b/eclass/acct-user.eclass
> @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME >  # Overlays should set this to -1 to dynamically allocate UID. Using -1 >  # in ::gentoo is prohibited by policy. >   > > > > > > > > +# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS > +# @INTERNAL > +# @DESCRIPTION: > +# Status variable which indicates if user already exists. > + >  # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID >  # @DESCRIPTION: >  # If set to a non-null value, the eclass will require the user to have > @@ -79,6 +84,13 @@ readonly ACCT_USER_NAME >  # the UID is taken by another user, the install will fail. >  : ${ACCT_USER_ENFORCE_ID:=} >   > > > > > > > > +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY > +# @DEFAULT_UNSET > +# @DESCRIPTION: > +# If set to a non-null value, the eclass will not make any changes > +# to an already existing user. > +: ${ACCT_USER_NO_MODIFY:=} > + >  # @ECLASS-VARIABLE: ACCT_USER_SHELL >  # @DESCRIPTION: >  # The shell to use for the user. If not specified, a 'nologin' variant > @@ -344,6 +356,13 @@ acct-user_src_install() { >  acct-user_pkg_preinst() { >   debug-print-function ${FUNCNAME} "${@}" >   > > > > > > > > + # check if user already exists > + _ACCT_USER_ALREADY_EXISTS= > + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then > + _ACCT_USER_ALREADY_EXISTS=yes =1 is used elsewhere in the eclass. > + fi > + readonly _ACCT_USER_ALREADY_EXISTS > + >   local groups=${ACCT_USER_GROUPS[*]} >   enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \ >   "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \ 
> @@ -379,6 +398,14 @@ acct-user_pkg_postinst() { >   return 0 >   fi >   > > > > > > > > + if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; then Nit: inconsistent style of ']];'. > + eunlockuser "${ACCT_USER_NAME}" > + > + ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user" > + ewarn "due to set ACCT_USER_NO_MODIFY." > + return 0 > + fi > + >   # NB: eset* functions check current value >   esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}" >   esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}" -- Best regards, Michał Górny
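Review bot: the `_ACCT_USER_ALREADY_EXISTS` doc block added in the first hunk (@@ -72,6 +72,11) does not say when the variable is set or what values it takes, and it is placed between the ACCT_USER_ID comment ("Overlays should set this to -1 ...") and ACCT_USER_ENFORCE_ID rather than near the code that uses it. Since the third hunk assigns it in acct-user_pkg_preinst and the fourth hunk reads it with `[[ -n ${_ACCT_USER_ALREADY_EXISTS} ]]` in acct-user_pkg_postinst, the description should state that contract, e.g. "Set in pkg_preinst to a non-empty value if the user existed before this package was merged; read in pkg_postinst." That also makes it explicit that the value has to survive between the two phases.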
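Review bot: the ACCT_USER_NO_MODIFY documentation in the second hunk (@@ -79,6 +84,13) says "non-null value" while the commit message says "non-zero value", and the consumer in pkg_postinst is `[[ -n ${ACCT_USER_NO_MODIFY} ... ]]`, so ACCT_USER_NO_MODIFY=0 would enable the opt-out rather than disable it. Document it as "non-empty" (or test for one specific value) and say who is meant to set it: per the commit message this is an administrator knob for hosts where accounts are managed by configuration management, not something an ebuild should set. Also, `@DEFAULT_UNSET` together with `: ${ACCT_USER_NO_MODIFY:=}` is inconsistent with the adjacent ACCT_USER_ENFORCE_ID block, which has the same `: ${ACCT_USER_ENFORCE_ID:=}` line but no `@DEFAULT_UNSET`; use one convention for both.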
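Review bot: in the pkg_preinst hunk (@@ -344,6 +356,13), `_ACCT_USER_ALREADY_EXISTS=yes` uses a different flag value from the `=1` convention the reply says is used elsewhere in the eclass; the only consumer tests `-n`, so either works, but keep one convention. The comment `# check if user already exists` should also say why the check has to sit before the `enewuser` call that follows it: once enewuser has run the user always exists, so the pre-merge state can only be captured here. Something like `# record whether the user existed before enewuser creates it; pkg_postinst uses this to honour ACCT_USER_NO_MODIFY` makes the ordering constraint obvious to the next person editing this function.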
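Review bot: in the pkg_postinst hunk (@@ -379,6 +398,14), `]] ; then` has a space before the semicolon while the new `if` in the pkg_preinst hunk writes `]]; then` (the nit in the reply); make them consistent. The ewarn text also reads awkwardly: "Not touching" is capitalised mid-sentence and "due to set ACCT_USER_NO_MODIFY" is unclear; `ewarn "User ${ACCT_USER_NAME} already exists; not modifying it because ACCT_USER_NO_MODIFY is set."` says the same thing plainly. The early `return 0` correctly comes after `eunlockuser "${ACCT_USER_NAME}"`, which matches the commit message's note that lock/unlock still happens, but a one-line comment above the eunlockuser call stating that the unlock is intentional even in NO_MODIFY mode would stop a future reader from "fixing" it.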