On Fri, 2021-01-08 at 21:19 +0100, Thomas Deutschmann wrote:
> In some setups where users are changed/managed not only via ebuilds,
> for example through configuration management systems, it could be
> problematic if acct-user.eclass will restore user/group settings
> to values set in ebuild.
> 
> Setting ACCT_USER_NO_MODIFY to a non-zero value will allow system
> administrator to disable modification of any existing user.
> 
> Note: Locking/unlocking when an acct-* package is installed/removed
>       will still happen.
> 
> Signed-off-by: Thomas Deutschmann <whi...@gentoo.org>
> ---
> 
>  v2: Keep current behavior; Add opt-out
> 
>  eclass/acct-user.eclass | 25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
> 
> diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
> index 47890e48409a..560ae6b0ac90 100644
> --- a/eclass/acct-user.eclass
> +++ b/eclass/acct-user.eclass
> @@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
>  # Overlays should set this to -1 to dynamically allocate UID.  Using -1
>  # in ::gentoo is prohibited by policy.
>  
> 
> 
> 
> +# @ECLASS-VARIABLE: ACCT_USER_ALREADY_EXISTS
> +# @INTERNAL
> +# @DESCRIPTION:
> +# Status variable which indicates if user already exists.

Please prefix internal variables with an underscore.

> +
>  # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
>  # @DESCRIPTION:
>  # If set to a non-null value, the eclass will require the user to have
> @@ -79,6 +84,12 @@ readonly ACCT_USER_NAME
>  # the UID is taken by another user, the install will fail.
>  : ${ACCT_USER_ENFORCE_ID:=}
>  
> 
> 
> 
> 
> 
> 
> 
> +# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
> +# @DESCRIPTION:
> +# If set to a non-null value, the eclass will not make any changes
> +# to an already existing user.
> +: ${ACCT_USER_NO_MODIFY:=}

@DEFAULT_UNSET would be better.

> +
>  # @ECLASS-VARIABLE: ACCT_USER_SHELL
>  # @DESCRIPTION:
>  # The shell to use for the user.  If not specified, a 'nologin' variant
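Review bot: The description of ACCT_USER_NO_MODIFY says "non-null" while the commit message says "non-zero", and the test added to pkg_postinst is `-n`, so `ACCT_USER_NO_MODIFY=0` also turns the opt-out on. An administrator who writes `=0` to switch it off would silently stop the eclass from resetting the home and shell of existing accounts to the ebuild's values. I would spell this out in the description with `# Any non-empty value, including 0, enables this.` and align the commit message wording with it.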
> @@ -344,6 +355,13 @@ acct-user_src_install() {
>  acct-user_pkg_preinst() {
>       debug-print-function ${FUNCNAME} "${@}"
>  
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> +     # check if user already exists
> +     ACCT_USER_ALREADY_EXISTS=
> +     if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
> +             ACCT_USER_ALREADY_EXISTS=yes
> +     fi
> +     readonly ACCT_USER_ALREADY_EXISTS
> +
>       local groups=${ACCT_USER_GROUPS[*]}
>       enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
>               "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
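Review bot: The comment `# check if user already exists` in acct-user_pkg_preinst does not say why the check sits here: it has to run before `enewuser` creates the account, and its result is only consumed later in pkg_postinst. I would write `# Record this before enewuser runs; pkg_postinst reads it to honour ACCT_USER_NO_MODIFY.` instead. ACCT_USER_NO_MODIFY is not consulted in this phase, so `enewuser` and the rest of pkg_preinst, which continues outside the hunk, still run for an existing user. If anything there changes the owner or mode of the home directory, it should be covered by the opt-out or documented as an exception.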
> @@ -379,6 +397,13 @@ acct-user_pkg_postinst() {
>               return 0
>       fi
>  
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> +     if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${ACCT_USER_ALREADY_EXISTS} ]] ; 
> then
> +             eunlockuser "${ACCT_USER_NAME}"
> +
> +             ewarn "User ${ACCT_USER_NAME} already exists; Not touching 
> existing user due to set ACCT_USER_NO_MODIFY."

I think you need to wrap the message, it seems to exceed 80 chars.

> +             return 0
> +     fi
> +
>       # NB: eset* functions check current value
>       esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
>       esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
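Review bot: The `eunlockuser` call in the new early-return branch changes account state although the variable is documented as making no changes to an existing user, so an account that was locked on purpose, for example by a configuration management system, is unlocked again on install. The commit message says this is intended, but nothing at the call site does; I would add `# NB: unlocking is deliberate, the account is locked when the package is removed` above the call and mention the unlock in the variable's description. The branch also returns before `esethome` and `esetshell`, so a pre-existing account of the same name is adopted as-is; the `ewarn` text could say that home and shell were not checked against the ebuild's values. acct-user_pkg_postinst starts and ends outside the hunk.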

-- 
Best regards,
Michał Górny


