On 1/3/21 8:35 PM, Thomas Deutschmann wrote:
> Modifying an existing user is a bad default and makes Gentoo
> special because it is common for system administrators to make
> modifications to user (i.e. putting a user into another service's
> group to allow that user to access the service in question) and it
> would be unexpected to see these changes reverted during normal
> world upgrade (which could break services).

It would be nice if this was well-supported by the official way of
modifying system users/groups; that is, by using an overlay with
modified user/group ebuilds.

Right now it's awkward to do because of the way the eclasses are
structured. For example, some of our servers allow the "postfix" user to
write to OpenDKIM's socket, but only on our *outgoing* mail servers (not
on the incoming MX, where no signing takes place.) This is accomplished
by creating an acct-group/dkimsocket ebuild (ok so far), and then by
overriding the acct-user/postfix ebuild:

  EAPI=7

  inherit acct-user

  DESCRIPTION="user for postfix daemon"
  IUSE="dkimsocket"
  ACCT_USER_ID=207
  ACCT_USER_GROUPS=( postfix mail )
  acct-user_add_deps

  # This needs to be done outside of acct-user_add_deps because we can't
  # test use flags in global scope, and therefore we can't add groups
  # to ACCT_USER_GROUPS before calling acct-user_add_deps.
  RDEPEND+=" dkimsocket? ( acct-group/dkimsocket )"

  pkg_setup() {
    # https://wiki.gentoo.org/wiki/OpenDKIM
    #
    # Even though we added the group to RDEPEND manually, we still
    # need to add it to the array.
    if use dkimsocket; then
      ACCT_USER_GROUPS+=( dkimsocket )
    fi
  }

That's the common case of adding a system user to a group, and it's
pretty ugly, so it's no wonder that people want to use "usermod" and
then ignore subsequent changes by the PM.

And there's probably a backwards-compatible way we could support
USE-conditional supplementary groups.
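
An added example, not part of the original message and not code from the Gentoo eclasses: a small POSIX shell check that lists which group memberships differ between the groups an ebuild declares in ACCT_USER_GROUPS and the groups the account has, i.e. the memberships a re-merge that resets the account would change. The function names and the sample group lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the groups an acct-user ebuild declares with the
# groups the account actually has. All names and sample data are constructed.

# group_drift DECLARED ACTUAL
#   DECLARED: space-separated ACCT_USER_GROUPS after USE flags are applied
#   ACTUAL:   space-separated groups, in the format printed by `id -Gn USER`
# Prints "extra GROUP" for a membership the ebuild does not declare (added by
# hand, e.g. with usermod) and "missing GROUP" for one it declares but the
# account lacks. Runs in a subshell so its variables stay local.
group_drift() (
    set -f                      # no glob expansion while word-splitting
    declared=" $1 "
    actual=" $2 "
    for g in $2; do
        case "$declared" in
            *" $g "*) ;;
            *) echo "extra $g" ;;
        esac
    done
    for g in $1; do
        case "$actual" in
            *" $g "*) ;;
            *) echo "missing $g" ;;
        esac
    done
)

# check_user USER DECLARED: same comparison against the local account database.
check_user() {
    actual_groups=$(id -Gn -- "$1") || return 2
    group_drift "$2" "$actual_groups"
}

# Constructed sample: incoming MX, built without USE=dkimsocket, where someone
# ran `usermod -a -G dkimsocket postfix` by hand.
echo "incoming MX:  $(group_drift 'postfix mail' 'postfix mail dkimsocket')"
# Constructed sample: outgoing server built with USE=dkimsocket, not yet merged.
echo "outgoing MTA: $(group_drift 'postfix mail dkimsocket' 'postfix mail')"
```

On a real host, `check_user postfix 'postfix mail'` runs the same comparison against `id -Gn postfix`. An "extra dkimsocket" line on the incoming MX means postfix can write to a socket that the ebuild for that host never granted.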