Re: [gentoo-dev] [PATCH 0/9] User/group package draft implementation
On Thu, 30 May 2019 14:50:30 +0200 Michał Górny wrote:

> Please review the following patches, implementing the user/group package
> concept. The patches incorporate some of the feedback to the proposed
> GLEP, and I'd like to get them reviewed before I submit the next GLEP
> update. They are based on earlier work by mjo.

I like the idea and the changes look good. I gather this doesn't address the ROOT problem. That's fine, it wasn't one of the stated goals, I just want to keep it in mind. I still stand by what I said in https://bugs.gentoo.org/541406#c2.

The various tools such as useradd do have a -R option to specify a root directory but this performs an actual chroot, making it useless for non-native environments. Even if this somehow worked or if it were run through QEMU, it would still not be sufficient because Portage needs to know about these users and groups from the perspective of the build system.

I believe what is needed is some way to intelligently sync the accounts between / and ROOT. If a user or group already exists in / then use the same ID in ROOT. If it doesn't already exist then create it in / first, ensuring that the new ID doesn't clash with one already in ROOT. If there is an unresolvable ID clash then error out. If we're looking to keep all UIDs/GIDs fixed going forwards then clashes obviously become less of an issue.

Since writing the above, I've become aware that you can bind mount individual files such as /etc/passwd and there are also new tricks like user namespacing. We could probably come up with something workable but this hasn't reached the top of my pile.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer
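The / vs ROOT sync policy sketched in the reply above, as an added prototype that is not part of the message or of Portage: `parse_passwd`, `resolve_id` and `demo` are my names, the passwd samples are constructed, and the handling of an account that exists only in ROOT (reuse its ID in / when free) is an assumption the post does not spell out.

```python
class IdClash(Exception):
    """No single ID can be used for the account on both / and ROOT."""


def parse_passwd(text):
    """Map account name -> numeric ID from passwd(5)/group(5) style text."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids


def resolve_id(name, host, root, lo=101, hi=999):
    """Return (id, create_in_host) for name, given the parsed / (host) and
    ROOT maps: reuse the ID from / when the account exists there, else
    allocate one free on both sides (user.eclass's 101..999 window), and
    raise IdClash when the two sides cannot agree on one ID."""
    host_owner = {uid: n for n, uid in host.items()}
    root_owner = {uid: n for n, uid in root.items()}
    if name in host:
        uid = host[name]
        if name in root and root[name] != uid:
            raise IdClash(f"{name}: ID {uid} in / but {root[name]} in ROOT")
        if root_owner.get(uid, name) != name:
            raise IdClash(f"{name}: ID {uid} is {root_owner[uid]} in ROOT")
        return uid, False
    if name in root:
        # Assumption (not in the post): an account that exists only in ROOT
        # keeps its ID, and / gets the same one if it is free there.
        uid = root[name]
        if uid in host_owner:
            raise IdClash(f"{name}: ROOT ID {uid} is {host_owner[uid]} in /")
        return uid, True
    for uid in range(lo, hi + 1):
        if uid not in host_owner and uid not in root_owner:
            return uid, True
    raise IdClash(f"{name}: no ID in {lo}..{hi} is free on both / and ROOT")


# Constructed sample databases (not taken from any real system).
HOST_PASSWD = """\
ftp:x:21:21::/home/ftp:/bin/false
sshd:x:22:22::/var/empty:/bin/false
"""
ROOT_PASSWD = """\
sshd:x:22:22::/var/empty:/bin/false
messagebus:x:101:101::/dev/null:/bin/false
"""


def demo():
    """Resolve a few accounts against the samples: name -> (id, create_in_host)."""
    host, root = parse_passwd(HOST_PASSWD), parse_passwd(ROOT_PASSWD)
    return {n: resolve_id(n, host, root) for n in ("ftp", "sshd", "messagebus", "ntp")}
```

`ntp` lands on 102 rather than 101 because 101 is already used in ROOT, which is exactly the clash the post wants avoided when creating the account in / first.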
Re: [gentoo-dev] Announcing RISC-V
On Wed, 29 May 2019 10:27:34 -0700 (PDT) Palmer Dabbelt wrote:

> On Mon, 20 May 2019 02:44:18 PDT (-0700), aball...@gentoo.org wrote:
> > On Sat, 18 May 2019 20:47:28 +0200
> > Michał Górny wrote:
> >
> >> On Fri, 2019-05-03 at 23:34 +0200, Andreas K. Huettel wrote:
> >> > * We will initially add two profiles to profile.desc:
> >> > default/linux/riscv/17.0/rv64gc/lp64d (non-multilib, 64bit
> >> > hardfloat) default/linux/riscv/17.0/rv64gc (multilib lp64d/lp64,
> >> > i.e. hard/softfloat)
> >>
> >> I still don't understand the purpose of this multilib. If you have
> >> a hardfloat CPU, why would you ever build some of the software
> >> softfloat?
> >
> > One reason I could imagine is that the hardfloat isn't IEEE 754
> > compliant. Searching through the RISC-V spec, it does not seem to be
> > the case here (ie: it is required to be compliant) so I'm also
> > wondering what is the point here.
>
> The RISC-V floating-point extensions are IEEE-754 compliant, but
> they're optional. We have chips without floating-point units, but
> right now all the Linux capable chips have FPUs. As far as I know
> there are no Linux binaries that anyone cares about that are compiled
> for systems without hardware floating-point units, but I may be wrong
> about that one.

It was my understanding that FPU is not optional for rv64gc, is that correct?

> The non-FPU systems are much more interesting in embedded land, where
> lots of users don't have FPUs. That's less relevant for Gentoo, but
> I do use crossdev embedded toolchains.

You'll probably not be using multilib here but rather a specific CHOST and/or flags to enable softfloat everywhere.

[...]

Alexis.
[gentoo-dev] [PATCH 8/9] user/ftp: Add 'ftp' user (UID 21)
Signed-off-by: Michał Górny --- profiles/categories | 1 + user/ftp/ftp-0.ebuild | 19 +++ user/ftp/metadata.xml | 5 + 3 files changed, 25 insertions(+) create mode 100644 user/ftp/ftp-0.ebuild create mode 100644 user/ftp/metadata.xml diff --git a/profiles/categories b/profiles/categories index acbade9601ea..db35420df398 100644 --- a/profiles/categories +++ b/profiles/categories @@ -148,6 +148,7 @@ sys-kernel sys-libs sys-power sys-process +user virtual www-apache www-apps diff --git a/user/ftp/ftp-0.ebuild b/user/ftp/ftp-0.ebuild new file mode 100644 index ..f02b52e12deb --- /dev/null +++ b/user/ftp/ftp-0.ebuild @@ -0,0 +1,19 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit sys-user + +SYS_USER_ID=21 +SYS_USER_HOME=/home/ftp +SYS_USER_GROUPS=( ftp ) + +sys-user_add_deps + +pkg_preinst() { + sys-user_pkg_preinst + + # override home directory ownership + fowners root:ftp "${SYS_USER_HOME}" +} diff --git a/user/ftp/metadata.xml b/user/ftp/metadata.xml new file mode 100644 index ..7a38bb900964 --- /dev/null +++ b/user/ftp/metadata.xml @@ -0,0 +1,5 @@ + +http://www.gentoo.org/dtd/metadata.dtd;> + + + -- 2.22.0.rc1
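Review bot: the `# override home directory ownership` comment in `pkg_preinst()` of user/ftp/ftp-0.ebuild should say why `fowners root:ftp "${SYS_USER_HOME}"` is wanted, since this is the one security-relevant line of the ebuild: the ftp service account must not own its own home, so that an anonymous-FTP root is not writable by the account the daemon runs as. `fowners` acts on the install image, so the override also depends on `sys-user_pkg_preinst` having placed `${SYS_USER_HOME}` into the image before this line runs; a one-line comment recording that ordering dependency would save the next maintainer from reordering the two calls.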
[gentoo-dev] [PATCH 7/9] group/ftp: Add 'ftp' group (GID 21)
Signed-off-by: Michał Górny --- group/ftp/ftp-0.ebuild | 8 group/ftp/metadata.xml | 5 + profiles/categories| 1 + 3 files changed, 14 insertions(+) create mode 100644 group/ftp/ftp-0.ebuild create mode 100644 group/ftp/metadata.xml diff --git a/group/ftp/ftp-0.ebuild b/group/ftp/ftp-0.ebuild new file mode 100644 index ..e9fc60499b9a --- /dev/null +++ b/group/ftp/ftp-0.ebuild @@ -0,0 +1,8 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit sys-group + +SYS_GROUP_ID=21 diff --git a/group/ftp/metadata.xml b/group/ftp/metadata.xml new file mode 100644 index ..7a38bb900964 --- /dev/null +++ b/group/ftp/metadata.xml @@ -0,0 +1,5 @@ + +http://www.gentoo.org/dtd/metadata.dtd;> + + + diff --git a/profiles/categories b/profiles/categories index 4ff0d5562001..acbade9601ea 100644 --- a/profiles/categories +++ b/profiles/categories @@ -76,6 +76,7 @@ gnome-extra gnustep-apps gnustep-base gnustep-libs +group gui-apps gui-libs gui-wm -- 2.22.0.rc1
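Review bot: group/ftp/ftp-0.ebuild pins `SYS_GROUP_ID=21` but does not set `SYS_GROUP_ENFORCE_ID`, so whether a host that already uses GID 21 for another group fails hard or silently gets a different GID is decided entirely by the eclass default; as this is the reference conversion for the series, state in the commit message (or a comment next to `SYS_GROUP_ID=21`) why 21 was chosen rather than letting the eclass allocate one, and whether a mismatch is acceptable for the ftp group given that user/ftp later chowns files to it.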
[gentoo-dev] [PATCH 9/9] net-ftp/ftpbase: Utilize {group,user}/ftp
Signed-off-by: Michał Górny --- net-ftp/ftpbase/ftpbase-0.01-r3.ebuild | 39 ++ 1 file changed, 39 insertions(+) create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild diff --git a/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild new file mode 100644 index ..8944ba3a6778 --- /dev/null +++ b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild @@ -0,0 +1,39 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit eutils pam user + +DESCRIPTION="FTP layout package" +HOMEPAGE="https://www.gentoo.org/; +SRC_URI="" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd" +IUSE="pam" + +DEPEND="pam? ( virtual/pam ) + !
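Review bot: the ebuild keeps `inherit eutils pam user` although the point of the change is to take the account from `{group,user}/ftp`; if no `enewuser`/`enewgroup` calls remain in ftpbase-0.01-r3.ebuild, drop `user` from the inherit so the old and the new mechanism are not mixed in one ebuild. The hunk is cut off after `DEPEND="pam? ( virtual/pam )`, so the dependency on `user/ftp` and `group/ftp` and its type cannot be checked here; per the sys-group eclass documentation in 6/9 it should be RDEPEND if the account is needed for `fowners` in pkg_preinst and PDEPEND only if it is needed purely at runtime.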
[gentoo-dev] [PATCH 5/9] user.eclass: Die if no free UID/GID is found
Signed-off-by: Michał Górny --- eclass/user.eclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/eclass/user.eclass b/eclass/user.eclass index 1ffeaae29569..b16c4c6d69b7 100644 --- a/eclass/user.eclass +++ b/eclass/user.eclass @@ -160,6 +160,7 @@ enewuser() { for ((euid = 101; euid <= 999; euid++)); do [[ -z $(egetent passwd ${euid}) ]] && break done + [[ ${euid} -le 999 ]] || die "${FUNCNAME}: no free UID found" fi opts+=( -u ${euid} ) einfo " - Userid: ${euid}" @@ -344,6 +345,7 @@ enewgroup() { for ((egid = 101; egid <= 999; egid++)) ; do [[ -z $(egetent group ${egid}) ]] && break done + [[ ${egid} -le 999 ]] || die "${FUNCNAME}: no free GID found" fi } -- 2.22.0.rc1
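Review bot: the bound check is correct (a loop that finds nothing leaves `euid`/`egid` at 1000, so `-le 999` fails), but 999 is now spelled out twice per function with nothing tying the two occurrences together; either a single `local` for the upper bound used by both the `for` and the `die`, or a comment on the `die` line saying that it catches loop fall-through, would keep them from drifting apart in later edits.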
[gentoo-dev] [PATCH 6/9] {group,user}.eclass: WIP eclasses to maintain users/groups
--- eclass/sys-group.eclass | 105 eclass/sys-user.eclass | 206 2 files changed, 311 insertions(+) create mode 100644 eclass/sys-group.eclass create mode 100644 eclass/sys-user.eclass diff --git a/eclass/sys-group.eclass b/eclass/sys-group.eclass new file mode 100644 index ..3960db16b5d6 --- /dev/null +++ b/eclass/sys-group.eclass 
@@ -0,0 +1,105 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: sys-group.eclass +# @MAINTAINER: +# Michał Górny +# @AUTHOR: +# Michael Orlitzky +# Michał Górny +# @BLURB: Eclass used to create and maintain a single group entry +# @DESCRIPTION: +# This eclass represents and creates a single group entry. The name +# of the group is derived from ${PN}, while (preferred) GID needs to +# be specified via SYS_GROUP_ID. Packages (and users) needing the group +# in question should depend on the package providing it. +# +# Example: +# If your package needs group 'foo', you create 'group/foo' package +# and add an ebuild with the following contents: +# +# @CODE +# EAPI=7 +# inherit sys-group +# SYS_GROUP_ID=200 +# @CODE +# +# Then you add appropriate dependency to your package. The dependency +# type(s) should be: +# - DEPEND (+ RDEPEND) if the group is already needed at build time, +# - RDEPEND if it is needed at install time (e.g. you 'fowners' files +# in pkg_preinst), +# - PDEPEND if it is only needed at runtime. + + +if [[ -z ${_SYS_GROUP_ECLASS} ]]; then +_SYS_GROUP_ECLASS=1 + +case ${EAPI:-0} in + 7) ;; + *) die "EAPI=${EAPI} not supported";; +esac + +inherit user + + +# << Eclass variables >> + +# @ECLASS-VARIABLE: SYS_GROUP_ID +# @REQUIRED +# @DESCRIPTION: +# Preferred GID for the new group. This variable is obligatory, and its +# value must be unique across all group packages. + +# @ECLASS-VARIABLE: SYS_GROUP_ENFORCE_ID +# @DESCRIPTION: +# If set to a non-null value, the eclass will require the group to have +# specified GID. If the group already exists with another GID, or +# the GID is taken by another group, the install will fail. 
+: ${SYS_GROUP_ENFORCE_ID:=} + + +# << Boilerplate ebuild variables >> +: ${DESCRIPTION:="System group: ${PN}"} +: ${HOMEPAGE:=https://www.gentoo.org/} +: ${SLOT:=0} +: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris} +S=${WORKDIR} + + +# << Phase functions >> +EXPORT_FUNCTIONS pkg_pretend pkg_preinst + +# @FUNCTION: sys-group_pkg_pretend +# @DESCRIPTION: +# Performs sanity checks for correct eclass usage, and early-checks +# whether requested GID can be enforced. +sys-group_pkg_pretend() { + debug-print-function ${FUNCNAME} "${@}" + + # verify SYS_GROUP_ID + [[ -n ${SYS_GROUP_ID} ]] || die "Ebuild error: SYS_GROUP_ID must be set!" + [[ ${SYS_GROUP_ID} -ge 0 ]] || die "Ebuild errors: SYS_GROUP_ID=${SYS_GROUP_ID} invalid!" + + # check for SYS_GROUP_ID collisions early + if [[ -n ${SYS_GROUP_ENFORCE_ID} ]]; then + local grp=$(egetent group "${SYS_GROUP_ID}") + if [[ -n ${grp} ]]; then + eerror "The required GID is already taken by another group." + eerror " GID: ${SYS_GROUP_ID} (needed for ${PN})" + eerror " current group: ${grp}" + die "GID ${SYS_GROUP_ID} taken already" + fi + fi +} + +# @FUNCTION: sys-group_pkg_preinst +# @DESCRIPTION: +# Creates the group if it does not exist yet. +sys-group_pkg_preinst() { + debug-print-function ${FUNCNAME} "${@}" + + enewgroup -F "${PN}" "${SYS_GROUP_ID}" +} + +fi diff --git a/eclass/sys-user.eclass b/eclass/sys-user.eclass new file mode 100644 index ..de59af99a843 --- /dev/null +++ b/eclass/sys-user.eclass 
@@ -0,0 +1,206 @@ +# Copyright 2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: sys-user.eclass +# @MAINTAINER: +# Michał Górny +# @AUTHOR: +# Michael Orlitzky +# Michał Górny +# @BLURB: Eclass used to create and maintain a single user entry +# @DESCRIPTION: +# This eclass represents and creates a single user entry. The name +# of the user is derived from ${PN}, while (preferred) UID needs to +# be specified via SYS_USER_ID. Additional variables are provided +# to override the default home directory, shell and add group +# membership. Packages needing the user in question should depend +# on the package providing it. +# +# Example: +# If your package needs user 'foo' belonging to same-named group, you +# create 'user/foo' package and add an ebuild with the following +# contents: +# +# @CODE +# EAPI=7 +# inherit sys-user +# SYS_USER_ID=200 +# SYS_USER_GROUPS=( foo ) +#
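Review bot: in eclass/sys-group.eclass, `sys-group_pkg_preinst` always runs `enewgroup -F "${PN}" "${SYS_GROUP_ID}"`, so the GID is enforced even when `SYS_GROUP_ENFORCE_ID` is empty; that contradicts the variable's documentation and the gating in `sys-group_pkg_pretend`, and means the non-enforced case passes pretend and then dies in preinst if the GID is taken. Pass the flag conditionally, e.g. `enewgroup ${SYS_GROUP_ENFORCE_ID:+-F} "${PN}" "${SYS_GROUP_ID}"`. Two smaller points in `sys-group_pkg_pretend`: the collision check dies on any entry returned by `egetent group "${SYS_GROUP_ID}"`, including the case where that entry is `${PN}` itself with the right GID, so re-merging an enforced group package on a host that already has the group fails; compare the entry's name (on Linux `${grp%%:*}`) with `${PN}` before dying. And `[[ ${SYS_GROUP_ID} -ge 0 ]]` is not a numeric check in bash (a non-numeric value is evaluated as a variable name and passes as 0, and GID 0 itself passes although nothing here suggests a group package should claim the root group); use `[[ ${SYS_GROUP_ID} =~ ^[0-9]+$ && ${SYS_GROUP_ID} -gt 0 ]]`. Also "Ebuild errors:" in the second message should match "Ebuild error:" in the first.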
[gentoo-dev] [PATCH 4/9] user.eclass: Support forcing specified UID/GID
Signed-off-by: Michał Górny --- eclass/user.eclass | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/eclass/user.eclass b/eclass/user.eclass index 7eda668974f0..1ffeaae29569 100644 --- a/eclass/user.eclass +++ b/eclass/user.eclass @@ -96,13 +96,15 @@ egetent() { } # @FUNCTION: enewuser -# @USAGE: [-M] [uid] [shell] [homedir] [groups] +# @USAGE: [-F] [-M] [uid] [shell] [homedir] [groups] # @DESCRIPTION: # Same as enewgroup, you are not required to understand how to properly add # a user to the system. The only required parameter is the username. # Default uid is (pass -1 for this) next available, default shell is # /bin/false, default homedir is /dev/null, and there are no default groups. # +# If -F is passed, enewuser will always enforce specified UID and fail if it +# can not be assigned. # If -M is passed, enewuser does not create the home directory if it does not # exist. enewuser() { @@ -112,9 +114,10 @@ enewuser() { fi _assert_pkg_ebuild_phase ${FUNCNAME} - local create_home=1 + local create_home=1 force_uid= while [[ $1 == -* ]]; do case $1 in + -F) force_uid=1;; -M) create_home=;; *) die "${FUNCNAME}: invalid option ${1}";; esac @@ -142,6 +145,7 @@ enewuser() { if [[ -n ${euid} && ${euid} != -1 ]] ; then if [[ ${euid} -gt 0 ]] ; then if [[ -n $(egetent passwd ${euid}) ]] ; then + [[ -n ${force_uid} ]] && die "${FUNCNAME}: UID ${euid} already taken" euid="next" fi else @@ -149,6 +153,7 @@ enewuser() { die "${euid} is not a valid UID" fi else + [[ -n ${force_uid} ]] && die "${FUNCNAME}: -F with uid==-1 makes no sense" euid="next" fi if [[ ${euid} == "next" ]] ; then 
@@ -277,6 +282,9 @@ enewuser() { # group to the system. Just give it a group name to add and enewgroup will # do the rest. You may specify the gid for the group or allow the group to # allocate the next available one. +# +# If -F is passed, enewgroup will always enforce specified GID and fail if it +# can not be assigned. enewgroup() { if [[ ${EUID} != 0 ]] ; then einfo "Insufficient privileges to execute ${FUNCNAME[0]}" @@ -284,6 +292,15 @@ enewgroup() { fi _assert_pkg_ebuild_phase ${FUNCNAME} + local force_gid= + while [[ $1 == -* ]]; do + case $1 in + -F) force_gid=1;; + *) die "${FUNCNAME}: invalid option ${1}";; + esac + shift + done + # get the group local egroup=$1; shift if [[ -z ${egroup} ]] ; then @@ -302,6 +319,7 @@ enewgroup() { if [[ ! -z ${egid} ]] ; then if [[ ${egid} -gt 0 ]] ; then if [[ -n $(egetent group ${egid}) ]] ; then + [[ -n ${force_gid} ]] && die "${FUNCNAME}: GID ${egid} already taken" egid="next available; requested gid taken" fi else @@ -309,6 +327,7 @@ enewgroup() { die "${egid} is not a valid GID" fi else + [[ -n ${force_gid} ]] && die "${FUNCNAME}: -F with gid==-1 makes no sense" egid="next available" fi einfo " - Groupid: ${egid}" -- 2.22.0.rc1
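Review bot: in the `enewuser()` hunk at `@@ -149,6 +153,7 @@`, the new `die "${FUNCNAME}: -F with uid==-1 makes no sense"` sits in the `else` branch of `if [[ -n ${euid} && ${euid} != -1 ]]`, which is also reached when no UID was given at all, so `enewuser -F foo` reports a message about -1 that the caller never typed; say what is required instead, e.g. `die "${FUNCNAME}: -F requires an explicit UID"`. The visible hunks also leave the early return for an already-existing user untouched: if `-F` is meant to guarantee the UID, that path should compare the existing entry's UID with the requested one as well, otherwise `-F` silently accepts a pre-existing user with a different UID, which is the case the new eclasses care about most.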
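Review bot: in the `enewgroup()` hunk at `@@ -309,6 +327,7 @@`, the `-F with gid==-1 makes no sense` die is in the `else` branch of `if [[ ! -z ${egid} ]]`, i.e. the no-GID-given path; an explicit -1 is non-empty, goes through the inner branch and never reaches this message. Reword to `die "${FUNCNAME}: -F requires an explicit GID"`. The preceding hunk correctly short-circuits the `"next available; requested gid taken"` fallback with the `-F` die, so the fallback can no longer mask a taken GID when enforcement is requested.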
[gentoo-dev] [PATCH 3/9] user.eclass: Support disabling home directory creation
Signed-off-by: Michał Górny --- eclass/user.eclass | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/eclass/user.eclass b/eclass/user.eclass index 6be7d9f3..7eda668974f0 100644 --- a/eclass/user.eclass +++ b/eclass/user.eclass @@ -96,12 +96,15 @@ egetent() { } # @FUNCTION: enewuser -# @USAGE: [uid] [shell] [homedir] [groups] +# @USAGE: [-M] [uid] [shell] [homedir] [groups] # @DESCRIPTION: # Same as enewgroup, you are not required to understand how to properly add # a user to the system. The only required parameter is the username. # Default uid is (pass -1 for this) next available, default shell is # /bin/false, default homedir is /dev/null, and there are no default groups. +# +# If -M is passed, enewuser does not create the home directory if it does not +# exist. enewuser() { if [[ ${EUID} != 0 ]] ; then einfo "Insufficient privileges to execute ${FUNCNAME[0]}" @@ -109,6 +112,15 @@ enewuser() { fi _assert_pkg_ebuild_phase ${FUNCNAME} + local create_home=1 + while [[ $1 == -* ]]; do + case $1 in + -M) create_home=;; + *) die "${FUNCNAME}: invalid option ${1}";; + esac + shift + done + # get the username local euser=$1; shift if [[ -z ${euser} ]] ; then @@ -250,7 +262,7 @@ enewuser() { ;; esac - if [[ ! -e ${ROOT}/${ehome} ]] ; then + if [[ -n ${create_home} && ! -e ${ROOT}/${ehome} ]] ; then einfo " - Creating ${ehome} in ${ROOT}" mkdir -p "${ROOT}/${ehome}" chown "${euser}" "${ROOT}/${ehome}" -- 2.22.0.rc1
[gentoo-dev] [PATCH 2/9] user.eclass: Prevent automated home creation in useradd
Pass '-M' to prevent useradd from automatically creating the home directory (depending on system configuration). We create the home directory ourselves anyway, and we have better control over how it's created this way. Signed-off-by: Michał Górny --- eclass/user.eclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eclass/user.eclass b/eclass/user.eclass index a6c6ad82b7a0..6be7d9f3 100644 --- a/eclass/user.eclass +++ b/eclass/user.eclass @@ -246,7 +246,7 @@ enewuser() { ;; *) - useradd -N -r "${opts[@]}" "${euser}" || die + useradd -M -N -r "${opts[@]}" "${euser}" || die ;; esac -- 2.22.0.rc1
[gentoo-dev] [PATCH 0/9] User/group package draft implementation
Hi,

Please review the following patches, implementing the user/group package concept. The patches incorporate some of the feedback to the proposed GLEP, and I'd like to get them reviewed before I submit the next GLEP update. They are based on earlier work by mjo.

To recap: the idea is to replace direct calls to enewgroup/enewuser with special packages in user/ & group/ categories that represent the users/groups needed by a package. They create the user/group if necessary and track its usage. When it is no longer needed, the package is unmerged and the user gets a clear signal that the user/group might be removed (but we do not remove them automatically to stay on the safe side).

The patch set consists of three parts:

a. Updates and fixes to user.eclass, to provide a good portability base for the new eclasses.
b. sys-group and sys-user eclasses, used to implement said packages.
c. Example conversion of 'ftp' user+group, and respective update of net-ftp/ftpbase.

TIA for your feedback.

-- 
Best regards,
Michał Górny

Michał Górny (9):
  user.eclass: Do not create user-group automatically
  user.eclass: Prevent automated home creation in useradd
  user.eclass: Support disabling home directory creation
  user.eclass: Support forcing specified UID/GID
  user.eclass: Die if no free UID/GID is found
  {group,user}.eclass: WIP eclasses to maintain users/groups
  group/ftp: Add 'ftp' group (GID 21)
  user/ftp: Add 'ftp' user (UID 21)
  net-ftp/ftpbase: Utilize {group,user}/ftp

 eclass/sys-group.eclass                | 105 +
 eclass/sys-user.eclass                 | 206 +
 eclass/user.eclass                     |  39 -
 group/ftp/ftp-0.ebuild                 |   8 +
 group/ftp/metadata.xml                 |   5 +
 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild |  39 +
 profiles/categories                    |   2 +
 user/ftp/ftp-0.ebuild                  |  19 +++
 user/ftp/metadata.xml                  |   5 +
 9 files changed, 425 insertions(+), 3 deletions(-)
 create mode 100644 eclass/sys-group.eclass
 create mode 100644 eclass/sys-user.eclass
 create mode 100644 group/ftp/ftp-0.ebuild
 create mode 100644 group/ftp/metadata.xml
 create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
 create mode 100644 user/ftp/ftp-0.ebuild
 create mode 100644 user/ftp/metadata.xml

-- 
2.22.0.rc1
[gentoo-dev] [PATCH 1/9] user.eclass: Do not create user-group automatically
Closes: https://bugs.gentoo.org/512220 Signed-off-by: Michał Górny --- eclass/user.eclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eclass/user.eclass b/eclass/user.eclass index f6a10a6bee28..a6c6ad82b7a0 100644 --- a/eclass/user.eclass +++ b/eclass/user.eclass @@ -246,7 +246,7 @@ enewuser() { ;; *) - useradd -r "${opts[@]}" "${euser}" || die + useradd -N -r "${opts[@]}" "${euser}" || die ;; esac -- 2.22.0.rc1
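Review bot: `useradd -N` changes the primary group of every user created through the default `*)` branch by an existing `enewuser` caller that passes no group list: instead of an implicit same-named group, useradd falls back to the default group from /etc/default/useradd (the GROUP variable, conventionally `users`), so a service account that used to be isolated in its own group may now share a group with interactive users. That is a privilege-relevant behaviour change and should be called out in the commit message and in the `enewuser` documentation (callers must `enewgroup` first or pass the group explicitly); the `-N` itself is the right fix for the bug referenced.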