Gentoo Archives: gentoo-dev

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] [PATCH] acct-user.eclass: don't modify existing user by default
Date: Mon, 04 Jan 2021 01:36:30
Message-Id: 20210104013558.20072-1-whissi@gentoo.org
1 Modifying an existing user is a bad default and makes Gentoo
2 special because it is common for system administrators to make
3 modifications to user (i.e. putting an user into another service's
4 group to allow that user to access service in question) and it
5 would be unexpected to see these changes reverted during normal
6 world upgrade (which could break services).
7
8 This commit will make Gentoo behave like any other Linux distribution
9 by respecting any user modifications by default. However, we will retain
10 the functionality to reset system user and groups and users interested
11 in this feature can opt-in by setting
12 ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED to a non-zero value in
13 their make.conf.
14
15 Signed-off-by: Thomas Deutschmann <whissi@g.o>
16 ---
17 eclass/acct-user.eclass | 40 ++++++++++++++++++++++++++++++++++++++--
18 1 file changed, 38 insertions(+), 2 deletions(-)
19
20 diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
21 index 22b0038fbff7..d60b1e53b4bb 100644
22 --- a/eclass/acct-user.eclass
23 +++ b/eclass/acct-user.eclass
24 @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
25 # Overlays should set this to -1 to dynamically allocate UID. Using -1
26 # in ::gentoo is prohibited by policy.
27
28 +# @ECLASS-VARIABLE: ACCT_USER_ALREADY_EXISTS
29 +# @INTERNAL
30 +# @DESCRIPTION:
31 +# Status variable which indicates if user already exists.
32 +
33 # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
34 # @DESCRIPTION:
35 # If set to a non-null value, the eclass will require the user to have
36 @@ -79,6 +84,13 @@ readonly ACCT_USER_NAME
37 # the UID is taken by another user, the install will fail.
38 : ${ACCT_USER_ENFORCE_ID:=}
39
40 +# @ECLASS-VARIABLE: ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED
41 +# @DESCRIPTION:
42 +# If set to a non-null value, the eclass is allowed to make changes
43 +# to an already existing user which will include overriding any
44 +# changes made by system administrator.
45 +: ${ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED:=}
46 +
47 # @ECLASS-VARIABLE: ACCT_USER_SHELL
48 # @DESCRIPTION:
49 # The shell to use for the user. If not specified, a 'nologin' variant
50 @@ -266,8 +278,8 @@ eunlockuser() {
51
52
53 # << Phase functions >>
54 -EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_postinst \
55 - pkg_prerm
56 +EXPORT_FUNCTIONS pkg_pretend pkg_setup src_install pkg_preinst \
57 + pkg_postinst pkg_prerm
58
59 # @FUNCTION: acct-user_pkg_pretend
60 # @DESCRIPTION:
61 @@ -309,6 +321,20 @@ acct-user_pkg_pretend() {
62 fi
63 }
64
65 +# @FUNCTION: acct-user_pkg_setup
66 +# @DESCRIPTION:
67 +# Initialize internal environment variable(s).
68 +acct-user_pkg_setup() {
69 + debug-print-function ${FUNCNAME} "${@}"
70 +
71 + # check if user already exists
72 + ACCT_USER_ALREADY_EXISTS=
73 + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
74 + ACCT_USER_ALREADY_EXISTS=yes
75 + fi
76 + readonly ACCT_USER_ALREADY_EXISTS
77 +}
78 +
79 # @FUNCTION: acct-user_src_install
80 # @DESCRIPTION:
81 # Installs a keep-file into the user's home directory to ensure it is
82 @@ -379,6 +405,16 @@ acct-user_pkg_postinst() {
83 return 0
84 fi
85
86 + if [[ -z ${ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED} && -n ${ACCT_USER_ALREADY_EXISTS} ]] ; then
87 + eunlockuser "${ACCT_USER_NAME}"
88 +
89 + einfo "User ${ACCT_USER_NAME} already exists; Not touching existing user."
90 + einfo "NOTE: If you want to allow package manager to reset user settings"
91 + einfo " like home, shell, groups... set ACCT_USER_ALLOW_EXISTING_USER_TO_BE_MODIFIED"
92 + einfo " to a non-null value in your make.conf."
93 + return 0
94 + fi
95 +
96 # NB: eset* functions check current value
97 esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
98 esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
99 --
100 2.30.0

Replies