On Fri, 2021-01-08 at 21:19 +0100, Thomas Deutschmann wrote: > In some setups where users are changed/managed not only via ebuilds, > for example through configuration management systems, it could be > problematic if acct-user.eclass will restore user/group settings > to values set in ebuild. > > Setting ACCT_USER_NO_MODIFY to a non-zero value will allow system > administrator to disable modification of any existing user. > > Note: Lock/unlock when acct-* package will be installed/removed > will still happen. > > Signed-off-by: Thomas Deutschmann <whi...@gentoo.org> > --- > > v2: Keep current behavior; Add opt-out > > eclass/acct-user.eclass | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) > > diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass > index 47890e48409a..560ae6b0ac90 100644 > --- a/eclass/acct-user.eclass > +++ b/eclass/acct-user.eclass > @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME > # Overlays should set this to -1 to dynamically allocate UID. Using -1 > # in ::gentoo is prohibited by policy. > > > > > +# @ECLASS-VARIABLE: ACCT_USER_ALREADY_EXISTS > +# @INTERNAL > +# @DESCRIPTION: > +# Status variable which indicates if user already exists.
Please prefix internal variables with an underscore. > + > # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID > # @DESCRIPTION: > # If set to a non-null value, the eclass will require the user to have > @@ -79,6 +84,12 @@ readonly ACCT_USER_NAME > # the UID is taken by another user, the install will fail. > : ${ACCT_USER_ENFORCE_ID:=} > > > > > > > > > +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY > +# @DESCRIPTION: > +# If set to a non-null value, the eclass will not make any changes > +# to an already existing user. > +: ${ACCT_USER_NO_MODIFY:=} @DEFAULT_UNSET would be better. > + > # @ECLASS-VARIABLE: ACCT_USER_SHELL > # @DESCRIPTION: > # The shell to use for the user. If not specified, a 'nologin' variant > @@ -344,6 +355,13 @@ acct-user_src_install() { > acct-user_pkg_preinst() { > debug-print-function ${FUNCNAME} "${@}" > > > > > > > > > > > > > > > > > + # check if user already exists > + ACCT_USER_ALREADY_EXISTS= > + if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then > + ACCT_USER_ALREADY_EXISTS=yes > + fi > + readonly ACCT_USER_ALREADY_EXISTS > + > local groups=${ACCT_USER_GROUPS[*]} > enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \ > "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \ > @@ -379,6 +397,13 @@ acct-user_pkg_postinst() { > return 0 > fi > > > > > > > > > > > > > > > > > + if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${ACCT_USER_ALREADY_EXISTS} ]] ; > then > + eunlockuser "${ACCT_USER_NAME}" > + > + ewarn "User ${ACCT_USER_NAME} already exists; Not touching > existing user due to set ACCT_USER_NO_MODIFY." I think you need to wrap the message, it seems to exceed 80 chars. > + return 0 > + fi > + > # NB: eset* functions check current value > esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}" > esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}" -- Best regards, Michał Górny
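Review bot: The @DESCRIPTION for ACCT_USER_ALREADY_EXISTS in the first hunk (@@ -72,6 +72,11) does not say when the status is sampled or which values it takes. The pkg_preinst hunk sets it to empty or "yes" before enewuser runs, so the description should state that it records whether the user existed before this install could have created it, and that it is only meaningful from pkg_preinst onward.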
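Review bot: The description of ACCT_USER_NO_MODIFY in the second hunk (@@ -79,6 +84,12) says "non-null value" while the commit message says "non-zero value", and the pkg_postinst test uses -n, so ACCT_USER_NO_MODIFY=0 also disables modification. Align the commit message with the -n semantics, and state in the description that the account is still unlocked on install, which the commit message mentions but the variable documentation does not.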
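Review bot: In the pkg_preinst hunk (@@ -344,6 +355,13), the unconditional assignment ACCT_USER_ALREADY_EXISTS= followed by readonly means the assignment fails if the function is ever entered with the variable already marked readonly. If the attribute is not required, drop the readonly line; otherwise explain in the comment why a second entry cannot happen. The comment should also say that the check has to stay ahead of enewuser, because after that call the lookup would succeed for a freshly created user as well.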
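Review bot: In the pkg_postinst hunk (@@ -379,6 +397,13), the ewarn text says "Not touching existing user" immediately after eunlockuser has changed the account's lock state, so the message contradicts the line above it. Reword it to say which settings are left alone (the early return skips esethome, esetshell and whatever follows them) and that the account is still unlocked, so an administrator reading the log knows exactly what the eclass did to a user managed elsewhere.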