| 1 |
On 1/3/21 8:35 PM, Thomas Deutschmann wrote: |
| 2 |
> Modifying an existing user is a bad default and makes Gentoo |
| 3 |
> special because it is common for system administrators to make |
| 4 |
> modifications to user (i.e. putting an user into another service's |
| 5 |
> group to allow that user to access service in question) and it |
| 6 |
> would be unexpected to see these changes reverted during normal |
| 7 |
> world upgrade (which could break services). |
| 8 |
|
| 9 |
It would be nice if this was well-supported by the official way of |
| 10 |
modifying system users/groups; that is, by using an overlay with |
| 11 |
modified user/group ebuilds. |
| 12 |
|
| 13 |
Right now it's awkward to do because of the way the eclasses are |
| 14 |
structured. For example, some of our servers allow the "postfix" user to |
| 15 |
write to OpenDKIM's socket, but only on our *outgoing* mail servers (not |
| 16 |
on the incoming MX, where no signing takes place.) This is accomplished |
| 17 |
by creating an acct-group/dkimsocket ebuild (ok so far), and then by |
| 18 |
overriding the acct-user/postfix ebuild: |
| 19 |
|
| 20 |
EAPI=7 |
| 21 |
|
| 22 |
inherit acct-user |
| 23 |
|
| 24 |
DESCRIPTION="user for postfix daemon" |
| 25 |
IUSE="dkimsocket" |
| 26 |
ACCT_USER_ID=207 |
| 27 |
ACCT_USER_GROUPS=( postfix mail ) |
| 28 |
acct-user_add_deps |
| 29 |
|
| 30 |
# This needs to be done outside of acct-user_add_deps because we can't |
| 31 |
# test use flags in global scope, and therefore we can't add groups |
| 32 |
# to ACCT_USER_GROUPS before calling acct-user_add_deps. |
| 33 |
RDEPEND+=" dkimsocket? ( acct-group/dkimsocket )" |
| 34 |
|
| 35 |
pkg_setup() { |
| 36 |
# https://wiki.gentoo.org/wiki/OpenDKIM |
| 37 |
# |
| 38 |
# Even though we added the group to RDEPEND manually, we still |
| 39 |
# need to add it to the array. |
| 40 |
if use dkimsocket; then |
| 41 |
ACCT_USER_GROUPS+=( dkimsocket ) |
| 42 |
fi |
| 43 |
} |
| 44 |
|
| 45 |
That's the common case of adding a system user to a group, and it's |
| 46 |
pretty ugly, so it's no wonder that people want to use "usermod" and |
| 47 |
then ignore subsequent changes by the PM. |
| 48 |
|
| 49 |
And there's probably a backwards-compatible way we could support |
| 50 |
USE-conditional supplementary groups. |
Archives