Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification
Date: Sun, 10 Jan 2021 19:35:24
Message-Id: c015e2f47713d4945d111cd111dbd3633c3d8f4d.camel@gentoo.org
In Reply to: [gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification by Thomas Deutschmann
1 On Fri, 2021-01-08 at 23:45 +0100, Thomas Deutschmann wrote:
2 > In some setups where users are changed/managed not only via ebuilds,
3 > for example through configuration management systems, it could be
4 > problematic if acct-user.eclass will restore user/group settings
5 > to values set in ebuild.
6 >
7 > Setting ACCT_USER_NO_MODIFY to a non-zero value will allow system
8 > administrator to disable modification of any existing user.
9 >
10 > Note: Lock/unlock when acct-* package will be installed/removed
11 >       will still happen.
12 >
13 > Signed-off-by: Thomas Deutschmann <whissi@g.o>
14 > ---
15 >
16 >  v3:
17 >    - Fixed eclass documentation
18 >    - Honor 80 chars limit
19 >    - Prefixed internal variable ACCT_USER_ALREADY_EXISTS
20 >
21 >  eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
22 >  1 file changed, 27 insertions(+)
23 >
24 > diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
25 > index 47890e48409a..dcda661d39ea 100644
26 > --- a/eclass/acct-user.eclass
27 > +++ b/eclass/acct-user.eclass
28 > @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
29 >  # Overlays should set this to -1 to dynamically allocate UID. Using -1
30 >  # in ::gentoo is prohibited by policy.
31 >  
32 >
33 >
34 >
35 >
36 >
37 >
38 >
39 > +# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
40 > +# @INTERNAL
41 > +# @DESCRIPTION:
42 > +# Status variable which indicates if user already exists.
43 > +
44 >  # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
45 >  # @DESCRIPTION:
46 >  # If set to a non-null value, the eclass will require the user to have
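
Review bot: In the added @DESCRIPTION for _ACCT_USER_ALREADY_EXISTS, the text does not say which values the variable takes or which phase sets and reads it. Since it is only ever tested for being non-empty, a line such as "Set to a non-null value in pkg_preinst if the user existed before this install; read in pkg_postinst" would document the contract.
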
47 > @@ -79,6 +84,13 @@ readonly ACCT_USER_NAME
48 >  # the UID is taken by another user, the install will fail.
49 >  : ${ACCT_USER_ENFORCE_ID:=}
50 >  
51 >
52 >
53 >
54 >
55 >
56 >
57 >
58 > +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
59 > +# @DEFAULT_UNSET
60 > +# @DESCRIPTION:
61 > +# If set to a non-null value, the eclass will not make any changes
62 > +# to an already existing user.
63 > +: ${ACCT_USER_NO_MODIFY:=}
64 > +
65 >  # @ECLASS-VARIABLE: ACCT_USER_SHELL
66 >  # @DESCRIPTION:
67 >  # The shell to use for the user. If not specified, a 'nologin' variant
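
Review bot: The description of ACCT_USER_NO_MODIFY says "non-null value" while the commit message says "non-zero value". The two differ for ACCT_USER_NO_MODIFY=0, which is non-null and so enables the opt-out under the -n test used in pkg_postinst; please align the commit message with the documented semantics. The description also leaves out what the commit message notes, that lock/unlock still happens, so "will not make any changes" overstates the effect.
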
68 > @@ -344,6 +356,13 @@ acct-user_src_install() {
69 >  acct-user_pkg_preinst() {
70 >   debug-print-function ${FUNCNAME} "${@}"
71 >  
72 >
73 >
74 >
75 >
76 >
77 >
78 >
79 > + # check if user already exists
80 > + _ACCT_USER_ALREADY_EXISTS=
81 > + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
82 > + _ACCT_USER_ALREADY_EXISTS=yes
83
84 =1 is used elsewhere in the eclass.
85
86 > + fi
87 > + readonly _ACCT_USER_ALREADY_EXISTS
88 > +
89 >   local groups=${ACCT_USER_GROUPS[*]}
90 >   enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
91 >   "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
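
Review bot: In acct-user_pkg_preinst the added block opens with the plain assignment "_ACCT_USER_ALREADY_EXISTS=" and closes with "readonly _ACCT_USER_ALREADY_EXISTS". If this function runs again in a shell where the variable is already readonly, that first assignment fails. Consider dropping the readonly, or assigning only when the variable is not yet set. A short comment that the check must run before enewuser and that the result is consumed in pkg_postinst would also help the next reader.
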
92 > @@ -379,6 +398,14 @@ acct-user_pkg_postinst() {
93 >   return 0
94 >   fi
95 >  
96 >
97 >
98 >
99 >
100 >
101 >
102 >
103 > + if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; then
104
105 Nit: inconsistent style of ']];'.
106
107 > + eunlockuser "${ACCT_USER_NAME}"
108 > +
109 > + ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user"
110 > + ewarn "due to set ACCT_USER_NO_MODIFY."
111 > + return 0
112 > + fi
113 > +
114 >   # NB: eset* functions check current value
115 >   esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
116 >   esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
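
Review bot: In the ACCT_USER_NO_MODIFY branch of acct-user_pkg_postinst, the ewarn says "Not touching existing user" directly after eunlockuser has been called on that same user, so the lock state of the account can still change, including for an account an administrator locked on purpose. Reword the warning to say that the account was unlocked and that the remaining settings were left alone, ideally naming what the early return skips (the esethome and esetshell calls that follow).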
117
118 --
119 Best regards,
120 Michał Górny