[gentoo-dev] EAPI 2 must die

2019-06-05 Thread Andreas K. Huettel
Hi all, 

for the package maintainers among you, here's the list of remaining EAPI=2 
packages. Please help getting the number down to zero soon!!!

Cheers, 
Andreas

app-emulation/ganeti-instance-debootstrap-0.11
app-misc/dnetc-2.9108.517
app-misc/dnetc-2.9110.519b
dev-dotnet/flickrnet-bin-2.2-r1
dev-java/glassfish-jms-api-1.1.2.2.04
dev-java/jlayer-1.0.1
dev-java/resin-servlet-api-3.1.12
dev-libs/bglibs-1.106-r1
dev-lisp/clisp-2.48-r1
dev-lua/toluapp-1.0.93
dev-tex/culmus-latex-0.7
dev-tex/dvipost-1.1-r2
media-fonts/culmus-0.120-r4
net-analyzer/nagtrap-0.1.3
net-libs/cvm-0.76
net-misc/adjtimex-1.29-r1
net-misc/asterisk-extra-sounds-1.4.11
net-misc/asterisk-moh-opsound-2.03
net-misc/cfengine-2.2.10-r4
net-misc/tokyotyrant-1.1.41-r1
sci-libs/openfoam-bin-1.6
sys-apps/cobalt-panel-utils-1.0.2
sys-apps/powerpc-utils-1.1.3.18-r2
sys-boot/netboot-0.10.2
sys-process/fuser-bsd-1142334561
www-apache/mod_tidy-0.5.5-r1

Already masked for removal:

app-accessibility/festival-2.1-r1
dev-java/glassfish-connector-api-1.1.2.2.04
dev-util/antlrworks-1.2.3
dev-util/pmd-4.2.5
net-mail/qmail-qfilter-2.1-r1
net-misc/mindterm-3.4

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)





Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Michał Górny
On Wed, 2019-06-05 at 17:14 -0400, Michael Orlitzky wrote:
> On 6/5/19 5:12 AM, Michał Górny wrote:
> > +
> > +   # check for ACCT_USER_ID collisions early
> > +   if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then
> > +   local pwd=$(egetent passwd "${ACCT_USER_ID}")
> > +   if [[ -n ${pwd} ]]; then
> > +   eerror "The required UID is already taken by another 
> > user."
> > +   eerror "  UID: ${ACCT_USER_ID} (needed for ${PN})"
> > +   eerror "  current user: ${pwd}"
> > +   die "UID ${ACCT_USER_ID} taken already"
> > +   fi
> > +   fi
> > +}
> 
> If we set ACCT_USER_ENFORCE_ID=true in ftp-0.ebuild and then "emerge
> acct-user/ftp" again, the second one dies with
> 
>   * The required UID is already taken by another user.
>   *   UID: 21 (needed for ftp)
> 
> This prevents "emerge -e @world" from working, and would prevent an
> upgrade to ftp-1.ebuild in the future.
> 
> We could augment the checks to ignore the existing user/group if its
> name agrees with the one we're trying to create, but now I'm having deja
> vu. I think this is another reason why I decided to go with a dummy file
> installed under /var/lib to catch collisions: the PM will necessarily
> ignore collisions from the same package.

Good catch.  Let's see what others have to say.

If we're going to check for username patches, we'd need another
user.eclass portability knob.

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Michał Górny
On Wed, 2019-06-05 at 21:10 +0200, Pacho Ramos wrote:
> On Wed, 05-06-2019 at 11:12 +0200, Michał Górny wrote:
> > [...]
> > +# Then you add appropriate dependency to your package.  The dependency
> > +# type(s) should be:
> > +# - DEPEND (+ RDEPEND) if the group is already needed at build time,
> > +# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
> > +#   in pkg_preinst),
> > +# - PDEPEND if it is only needed at runtime.
> 
> Maybe it is a stupid question, but why is PDEPEND preferred over RDEPEND for
> packages needing the group only at runtime?

To delay user creation as far as possible, in case the package failed to
build.  Not that it will usually work since Portage will install
the user early anyway.

> 
> If I don't misremember, PDEPEND was meant to be used to avoid circular deps
> issues, while using RDEPEND otherwise
> 
> Thanks :)

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Michał Górny
On Wed, 2019-06-05 at 13:46 +0200, Ulrich Mueller wrote:
> > > > > > On Wed, 05 Jun 2019, Michał Górny wrote:
> > +# @FUNCTION: acct-group_pkg_pretend
> > +# @DESCRIPTION:
> > +# Performs sanity checks for correct eclass usage, and early-checks
> > +# whether requested GID can be enforced.
> > +acct-group_pkg_pretend() {
> > +   debug-print-function ${FUNCNAME} "${@}"
> > +
> > +   # verify ACCT_GROUP_ID
> > +   [[ -n ${ACCT_GROUP_ID} ]] || die "Ebuild error: ACCT_GROUP_ID must be 
> > set!"
> > +   [[ ${ACCT_GROUP_ID} -ge 0 ]] || die "Ebuild errors: 
> > ACCT_GROUP_ID=${ACCT_GROUP_ID} invalid!"
> 
> Add a sanity check for [[ ${CATEGORY} == acct-group ]] too?

Done.  I've actually gone for adding it in global scope since CATEGORY
is reliably available there already.

> 
> > +
> > +   # check for ACCT_GROUP_ID collisions early
> > +   if [[ -n ${ACCT_GROUP_ENFORCE_ID} ]]; then
> > +   local grp=$(egetent group "${ACCT_GROUP_ID}")
> > +   if [[ -n ${grp} ]]; then
> > +   eerror "The required GID is already taken by another 
> > group."
> > +   eerror "  GID: ${ACCT_GROUP_ID} (needed for ${PN})"
> > +   eerror "  current group: ${grp}"
> > +   die "GID ${ACCT_GROUP_ID} taken already"
> > +   fi
> > +   fi
> > +}
> > [...]
> > +# @FUNCTION: acct-user_pkg_pretend
> 
> And a similar check for acct-user here.
> 
> Ulrich

-- 
Best regards,
Michał Górny





[gentoo-dev] last rites: dev-util/antlrworks

2019-06-05 Thread Andreas K. Huettel
# Andreas K. Hüttel  (5 Jun 2019)
# Unhandled version bumps since 2015, bug 293306. EAPI=2.
# Removal in 30 days unless updated.
dev-util/antlrworks

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)



Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Michael Orlitzky
On 6/5/19 5:12 AM, Michał Górny wrote:
> +
> + # check for ACCT_USER_ID collisions early
> + if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then
> + local pwd=$(egetent passwd "${ACCT_USER_ID}")
> + if [[ -n ${pwd} ]]; then
> + eerror "The required UID is already taken by another 
> user."
> + eerror "  UID: ${ACCT_USER_ID} (needed for ${PN})"
> + eerror "  current user: ${pwd}"
> + die "UID ${ACCT_USER_ID} taken already"
> + fi
> + fi
> +}

If we set ACCT_USER_ENFORCE_ID=true in ftp-0.ebuild and then "emerge
acct-user/ftp" again, the second one dies with

  * The required UID is already taken by another user.
  *   UID: 21 (needed for ftp)

This prevents "emerge -e @world" from working, and would prevent an
upgrade to ftp-1.ebuild in the future.

We could augment the checks to ignore the existing user/group if its
name agrees with the one we're trying to create, but now I'm having deja
vu. I think this is another reason why I decided to go with a dummy file
installed under /var/lib to catch collisions: the PM will necessarily
ignore collisions from the same package.
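
The name-aware variant of the check discussed in this message, as an added example that is not part of the thread or of the posted eclasses: it classifies a requested name/UID pair against passwd data and treats an entry with the same name and the same UID as a re-install rather than a collision. The function names, status strings and passwd lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the posted eclasses.  The passwd lines are
# constructed; in an eclass the same lines would come from egetent.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftp:x:21:21:added by portage for ftpbase:/home/ftp:/sbin/nologin
legacy:x:250:250::/dev/null:/sbin/nologin'

# find_entry DB FIELD VALUE
# Print the first passwd line whose colon-separated FIELD equals VALUE as a
# string (so "021" does not match "21"); print nothing when there is none.
find_entry() {
	printf '%s\n' "$1" |
		awk -F: -v f="$2" -v v="$3" '($f "") == (v "") { print; exit }'
}

# field_of LINE N: print field N of one passwd line.
field_of() {
	printf '%s\n' "$1" | cut -d: -f"$2"
}

# uid_status DB NAME UID: classify the requested (NAME, UID) pair.
#   free        neither the name nor the UID exists yet
#   same        NAME already owns UID (re-install or upgrade of the package)
#   moved:N     NAME exists, but with UID N instead of the requested one
#   taken:USER  UID belongs to a different account USER
#   invalid     UID is not a plain decimal number
uid_status() {
	local db name uid by_uid by_name owner
	db=$1
	name=$2
	uid=$3

	# Pattern match instead of an arithmetic test, so "abc" is rejected.
	case ${uid} in
		''|*[!0-9]*) echo invalid; return 0 ;;
	esac

	by_uid=$(find_entry "${db}" 3 "${uid}")
	by_name=$(find_entry "${db}" 1 "${name}")

	if [ -n "${by_uid}" ]; then
		owner=$(field_of "${by_uid}" 1)
		if [ "${owner}" = "${name}" ]; then
			echo same
		else
			echo "taken:${owner}"
		fi
	elif [ -n "${by_name}" ]; then
		echo "moved:$(field_of "${by_name}" 3)"
	else
		echo free
	fi
}

# enforce_uid DB NAME UID: succeed only when installing would leave NAME on
# the requested UID, which is what an enforced ID asks for.
enforce_uid() {
	case $(uid_status "$@") in
		free|same) return 0 ;;
		*) return 1 ;;
	esac
}
```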



Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Pacho Ramos
On Wed, 05-06-2019 at 11:12 +0200, Michał Górny wrote:
> [...]
> +# Then you add appropriate dependency to your package.  The dependency
> +# type(s) should be:
> +# - DEPEND (+ RDEPEND) if the group is already needed at build time,
> +# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
> +#   in pkg_preinst),
> +# - PDEPEND if it is only needed at runtime.

Maybe it is a stupid question, but why is PDEPEND preferred over RDEPEND for
packages needing the group only at runtime?

If I don't misremember, PDEPEND was meant to be used to avoid circular deps
issues, while using RDEPEND otherwise

Thanks :)




Re: [gentoo-dev] [PATCH v2] glep-xxxx: User and group management via dedicated packages

2019-06-05 Thread Ulrich Mueller
> On Wed, 05 Jun 2019, Michael Orlitzky wrote:

> Should we require a mailing list review for new user/group packages?
> It's difficult to modify a user once you've settled on a UID, home
> directory, and shell; so it pays to get things right the first time.

> The need is more apparent with fixed UIDs: if a popular package "steals"
> a UID that some other package needs, then that other package is going to
> be difficult or impossible to install (especially if it ultimately
> depends on the popular package).

> A mailing list review could elicit a "hey, my package NEEDS that UID,
> and yours doesn't care" before it's too late.

Policy has required such a review for a long time, at least for hardcoded
user and group IDs:
https://devmanual.gentoo.org/ebuild-writing/users-and-groups/




Re: [gentoo-dev] [PATCH v2] glep-xxxx: User and group management via dedicated packages

2019-06-05 Thread Michał Górny
On Wed, 2019-06-05 at 12:15 -0400, Michael Orlitzky wrote:
> Should we require a mailing list review for new user/group packages?
> 
> It's difficult to modify a user once you've settled on a UID, home
> directory, and shell; so it pays to get things right the first time.

Sounds like a good idea.  I'll keep it in mind for the next iteration
of this GLEP.

> The need is more apparent with fixed UIDs: if a popular package "steals"
> a UID that some other package needs, then that other package is going to
> be difficult or impossible to install (especially if it ultimately
> depends on the popular package).
> 
> A mailing list review could elicit a "hey, my package NEEDS that UID,
> and yours doesn't care" before it's too late.

I've already seen a major issue today: we have multiple packages using
'git' user and requiring different setup for it (e.g. home directory). 
This is already a big problem, and having proper review should decrease
the chance of things like this happening again.

And yes, we will need to figure out a good solution once we start
porting users.

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] [PATCH v2] glep-xxxx: User and group management via dedicated packages

2019-06-05 Thread Michael Orlitzky
Should we require a mailing list review for new user/group packages?

It's difficult to modify a user once you've settled on a UID, home
directory, and shell; so it pays to get things right the first time.

The need is more apparent with fixed UIDs: if a popular package "steals"
a UID that some other package needs, then that other package is going to
be difficult or impossible to install (especially if it ultimately
depends on the popular package).

A mailing list review could elicit a "hey, my package NEEDS that UID,
and yours doesn't care" before it's too late.



[gentoo-dev] last rites: dev-java/glassfish-connector-api

2019-06-05 Thread Andreas K. Huettel
# Andreas K. Hüttel  (5 Jun 2019)
# Fails to build, bug 680252. EAPI=2. Removal in 30 days
# unless fixed.
dev-java/glassfish-connector-api

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer 
(council, toolchain, base-system, perl, libreoffice)



Re: [gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Ulrich Mueller
> On Wed, 05 Jun 2019, Michał Górny wrote:

> +# @FUNCTION: acct-group_pkg_pretend
> +# @DESCRIPTION:
> +# Performs sanity checks for correct eclass usage, and early-checks
> +# whether requested GID can be enforced.
> +acct-group_pkg_pretend() {
> + debug-print-function ${FUNCNAME} "${@}"
> +
> + # verify ACCT_GROUP_ID
> + [[ -n ${ACCT_GROUP_ID} ]] || die "Ebuild error: ACCT_GROUP_ID must be 
> set!"
> + [[ ${ACCT_GROUP_ID} -ge 0 ]] || die "Ebuild errors: 
> ACCT_GROUP_ID=${ACCT_GROUP_ID} invalid!"

Add a sanity check for [[ ${CATEGORY} == acct-group ]] too?

> +
> + # check for ACCT_GROUP_ID collisions early
> + if [[ -n ${ACCT_GROUP_ENFORCE_ID} ]]; then
> + local grp=$(egetent group "${ACCT_GROUP_ID}")
> + if [[ -n ${grp} ]]; then
> + eerror "The required GID is already taken by another 
> group."
> + eerror "  GID: ${ACCT_GROUP_ID} (needed for ${PN})"
> + eerror "  current group: ${grp}"
> + die "GID ${ACCT_GROUP_ID} taken already"
> + fi
> + fi
> +}

> [...]

> +# @FUNCTION: acct-user_pkg_pretend

And a similar check for acct-user here.

Ulrich




[gentoo-dev] [PATCH v2] glep-xxxx: User and group management via dedicated packages

2019-06-05 Thread Michał Górny
Here's the updated GLEP text.  It has a few small changes based
on feedback, and links the reference implementation submitted to the ml.

Signed-off-by: Michał Górny 
---
 glep-.rst | 233 ++
 1 file changed, 233 insertions(+)
 create mode 100644 glep-.rst

diff --git a/glep-.rst b/glep-.rst
new file mode 100644
index 000..19555a6
--- /dev/null
+++ b/glep-.rst
@@ -0,0 +1,233 @@
+---
+GLEP: 
+Title: User and group management via dedicated packages
+Author: Michał Górny ,
+Michael Orlitzky 
+Type: Standards Track
+Status: Draft
+Version: 1
+Created: 2019-05-29
+Last-Modified: 2019-06-05
+Post-History: 2019-05-29
+Content-Type: text/x-rst
+Requires: 
+Replaces: 27
+---
+
+Abstract
+
+
+A new approach for user/group management is proposed.  Regular packages
+in dedicated categories are used to represent and create user and group
+accounts.  Dependencies are used to request users and group from within
+regular packages, and to track their usage.
+
+
+Motivation
+==
+
+User management in Gentoo is currently ad-hoc.  Users and groups are
+created through calling system tools directly in packages needing them.
+There is no systematic way of tracking which packages need specific
+users or groups, and determining which ones are obsolete.  Coordinating
+properties of users and groups used by multiple packages must be done
+manually by developers.
+
+GLEP 27 originally attempted to address the problem.  Posted in 2004,
+it never had reached the reference implementation state, and became
+obsolete.  [#GLEP27]_
+
+A good system user and group management proposal should address:
+
+1. Tracking usage of users and groups, and determining which ones
+   are obsolete.
+
+2. Sharing users and groups reliably between different packages.
+
+3. Maintaining fixed UIDs/GIDs that are consistent between different
+   systems.
+
+4. Providing local overrides for user/group properties.
+
+5. Ensuring that users and groups are not created unnecessarily
+   at build time.
+
+6. Providing support for centralized account management (e.g. LDAP).
+
+At the same time, the proposal should avoid unnecessary complexity
+to avoid sharing the fate of GLEP 27.  This proposal aims to address
+those points without requiring a new EAPI or any changes in the package
+manager.
+
+
+Specification
+=
+
+Logical structure
+-
+
+In this proposal, system users and groups are represented by regular
+packages.  Those packages logically represent the ownership of
+the respective users and group, and technically implement their
+creation.
+
+User packages are placed in ``acct-user`` category.  Each user package
+defines the properties of the particular user, and must be named after
+the user it creates.  It must depend at build and run time on the groups
+the user belongs to.
+
+Group packages are placed in ``acct-group`` category.  Each group
+package defines the properties of the particular group, and must be
+named after the group it creates.
+
+All user and group packages must define preferred fixed UIDs/GIDs,
+and they must be unique within the repository.  The packages should
+indicate whether the value needs to be strictly enforced, or whether
+another UID/GID can be used when the user exists already or requested
+UID/GID is taken.
+
+Packages needing a specific user or group use dependencies to pull
+the required user/group packages.  If the user is needed at build time,
+a build time dependency (``DEPEND``) must be used.  If the user is
+needed at install time, a run time dependency (``RDEPEND``) must be
+used.  If the user is only needed after the package is installed,
+``PDEPEND`` must be used.
+
+
+Maintaining users/groups
+
+
+The primary technical function of user and group packages is to create
+the users and groups.  This is done via invoking the respective system
+tools at ``pkg_preinst`` phase.  This is done only if the user/group
+does not exist on the system already.
+
+Normally, the packages should not modify existing users, in order not
+to overwrite local modifications.  If an explicit update is necessary,
+the package should compare the existing values against expected previous
+properties, and update them only if they were not changed.
+
+The package must not remove users/groups.  When the account is no longer
+needed, the tooling must ensure that it is locked from access.  However,
+any cleanup actions must be done with explicit user approval,
+and therefore should be addressed by separate tooling.
+
+
+Home directory ownership
+
+
+If the user in question uses a regular home directory (i.e. not
+``/dev/null``), the user package should maintain the directory
+via ``keepdir`` command.  This allows for clean removal of the home
+directory if it is no longer needed.  The package manager will also
+apply correct permissions if the directory does not exist yet.
+
+Note 
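
Review bot: in "Maintaining users/groups", the requirement that an unused account be "locked from access" names neither the mechanism nor the component that applies it, while the same paragraph forbids the package from removing accounts and defers cleanup to separate tooling. Spell out what locking means here (for example password lock, login shell, account expiry) and which step performs it, so that an account left behind by an uninstalled package has a defined state. The preceding paragraph also asks packages to compare against "expected previous properties" without saying where those values are recorded.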

[gentoo-dev] [PATCH v2 8/9] acct-user/ftp: Add 'ftp' user (UID 21)

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 acct-user/ftp/ftp-0.ebuild | 13 +
 acct-user/ftp/metadata.xml |  5 +
 profiles/categories|  1 +
 3 files changed, 19 insertions(+)
 create mode 100644 acct-user/ftp/ftp-0.ebuild
 create mode 100644 acct-user/ftp/metadata.xml

diff --git a/acct-user/ftp/ftp-0.ebuild b/acct-user/ftp/ftp-0.ebuild
new file mode 100644
index ..86a3ef04f278
--- /dev/null
+++ b/acct-user/ftp/ftp-0.ebuild
@@ -0,0 +1,13 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+ACCT_USER_ID=21
+ACCT_USER_HOME=/home/ftp
+ACCT_USER_HOME_OWNER=root:ftp
+ACCT_USER_GROUPS=( ftp )
+
+acct-user_add_deps
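
Review bot: ftp-0.ebuild sets ACCT_USER_HOME=/home/ftp and ACCT_USER_HOME_OWNER=root:ftp but leaves the directory mode to the eclass default. The cover letter introduces ACCT_USER_HOME_{OWNER,PERMS} together, so setting ACCT_USER_HOME_PERMS explicitly here would make the access intended for the ftp group visible in the ebuild, and a one-line comment on why the home is root-owned would help the next person porting a user.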
diff --git a/acct-user/ftp/metadata.xml b/acct-user/ftp/metadata.xml
new file mode 100644
index ..7a38bb900964
--- /dev/null
+++ b/acct-user/ftp/metadata.xml
@@ -0,0 +1,5 @@
+
+http://www.gentoo.org/dtd/metadata.dtd;>
+
+   
+
diff --git a/profiles/categories b/profiles/categories
index ebfc72f70759..0f45f8cd1732 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -1,4 +1,5 @@
 acct-group
+acct-user
 app-accessibility
 app-admin
 app-antivirus
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 9/9] net-ftp/ftpbase: Utilize {group,user}/ftp

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild | 39 ++
 1 file changed, 39 insertions(+)
 create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild

diff --git a/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild 
b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
new file mode 100644
index ..fe3338141437
--- /dev/null
+++ b/net-ftp/ftpbase/ftpbase-0.01-r3.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit eutils pam user
+
+DESCRIPTION="FTP layout package"
+HOMEPAGE="https://www.gentoo.org/;
+SRC_URI=""
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="pam"
+
+DEPEND="pam? ( virtual/pam )
+   !

[gentoo-dev] [PATCH v2 5/9] user.eclass: Die if no free UID/GID is found

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 eclass/user.eclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 1ffeaae29569..b16c4c6d69b7 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -160,6 +160,7 @@ enewuser() {
for ((euid = 101; euid <= 999; euid++)); do
[[ -z $(egetent passwd ${euid}) ]] && break
done
+   [[ ${euid} -le 999 ]] || die "${FUNCNAME}: no free UID found"
fi
opts+=( -u ${euid} )
einfo " - Userid: ${euid}"
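
Review bot: the new guard after the loop repeats the literal 999 from the `for ((euid = 101; euid <= 999; euid++))` header, so the two can drift apart if the range is ever changed; keep the upper bound in one local variable and use it in both places. The die message would also be more useful if it named the range that was searched.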
@@ -344,6 +345,7 @@ enewgroup() {
for ((egid = 101; egid <= 999; egid++)) ; do
[[ -z $(egetent group ${egid}) ]] && break
done
+   [[ ${egid} -le 999 ]] || die "${FUNCNAME}: no free GID 
found"
fi
}
 
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 6/9] acct-{group,user}.eclass: WIP eclasses to maintain users/groups

2019-06-05 Thread Michał Górny
---
 eclass/acct-group.eclass | 105 +++
 eclass/acct-user.eclass  | 217 +++
 2 files changed, 322 insertions(+)
 create mode 100644 eclass/acct-group.eclass
 create mode 100644 eclass/acct-user.eclass

diff --git a/eclass/acct-group.eclass b/eclass/acct-group.eclass
new file mode 100644
index ..8b3b2202aa35
--- /dev/null
+++ b/eclass/acct-group.eclass
@@ -0,0 +1,105 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: acct-group.eclass
+# @MAINTAINER:
+# Michał Górny 
+# @AUTHOR:
+# Michael Orlitzky 
+# Michał Górny 
+# @BLURB: Eclass used to create and maintain a single group entry
+# @DESCRIPTION:
+# This eclass represents and creates a single group entry.  The name
+# of the group is derived from ${PN}, while (preferred) GID needs to
+# be specified via ACCT_GROUP_ID.  Packages (and users) needing the group
+# in question should depend on the package providing it.
+#
+# Example:
+# If your package needs group 'foo', you create 'acct-group/foo' package
+# and add an ebuild with the following contents:
+#
+# @CODE
+# EAPI=7
+# inherit acct-group
+# ACCT_GROUP_ID=200
+# @CODE
+#
+# Then you add appropriate dependency to your package.  The dependency
+# type(s) should be:
+# - DEPEND (+ RDEPEND) if the group is already needed at build time,
+# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
+#   in pkg_preinst),
+# - PDEPEND if it is only needed at runtime.
+
+
+if [[ -z ${_ACCT_GROUP_ECLASS} ]]; then
+_ACCT_GROUP_ECLASS=1
+
+case ${EAPI:-0} in
+   7) ;;
+   *) die "EAPI=${EAPI} not supported";;
+esac
+
+inherit user
+
+
+# << Eclass variables >>
+
+# @ECLASS-VARIABLE: ACCT_GROUP_ID
+# @REQUIRED
+# @DESCRIPTION:
+# Preferred GID for the new group.  This variable is obligatory, and its
+# value must be unique across all group packages.
+
+# @ECLASS-VARIABLE: ACCT_GROUP_ENFORCE_ID
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will require the group to have
+# specified GID.  If the group already exists with another GID, or
+# the GID is taken by another group, the install will fail.
+: ${ACCT_GROUP_ENFORCE_ID:=}
+
+
+# << Boilerplate ebuild variables >>
+: ${DESCRIPTION:="Service group: ${PN}"}
+: ${HOMEPAGE:=https://www.gentoo.org/}
+: ${SLOT:=0}
+: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 
sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux 
~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris 
~x64-solaris ~x86-solaris}
+S=${WORKDIR}
+
+
+# << Phase functions >>
+EXPORT_FUNCTIONS pkg_pretend pkg_preinst
+
+# @FUNCTION: acct-group_pkg_pretend
+# @DESCRIPTION:
+# Performs sanity checks for correct eclass usage, and early-checks
+# whether requested GID can be enforced.
+acct-group_pkg_pretend() {
+   debug-print-function ${FUNCNAME} "${@}"
+
+   # verify ACCT_GROUP_ID
+   [[ -n ${ACCT_GROUP_ID} ]] || die "Ebuild error: ACCT_GROUP_ID must be 
set!"
+   [[ ${ACCT_GROUP_ID} -ge 0 ]] || die "Ebuild errors: 
ACCT_GROUP_ID=${ACCT_GROUP_ID} invalid!"
+
+   # check for ACCT_GROUP_ID collisions early
+   if [[ -n ${ACCT_GROUP_ENFORCE_ID} ]]; then
+   local grp=$(egetent group "${ACCT_GROUP_ID}")
+   if [[ -n ${grp} ]]; then
+   eerror "The required GID is already taken by another 
group."
+   eerror "  GID: ${ACCT_GROUP_ID} (needed for ${PN})"
+   eerror "  current group: ${grp}"
+   die "GID ${ACCT_GROUP_ID} taken already"
+   fi
+   fi
+}
+
+# @FUNCTION: acct-group_pkg_preinst
+# @DESCRIPTION:
+# Creates the group if it does not exist yet.
+acct-group_pkg_preinst() {
+   debug-print-function ${FUNCNAME} "${@}"
+
+   enewgroup -F "${PN}" "${ACCT_GROUP_ID}"
+}
+
+fi
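
Review bot: acct-group_pkg_preinst calls `enewgroup -F "${PN}" "${ACCT_GROUP_ID}"` unconditionally, so the GID is enforced even when ACCT_GROUP_ENFORCE_ID is empty; that contradicts the "(preferred) GID" wording in the description and leaves the variable affecting only pkg_pretend. Pass -F only when ACCT_GROUP_ENFORCE_ID is set. Separately, in acct-group_pkg_pretend the test `[[ ${ACCT_GROUP_ID} -ge 0 ]]` is evaluated arithmetically by bash, so a non-numeric value that is an unset variable name evaluates to 0 and passes; a pattern match on decimal digits would reject it.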
diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
new file mode 100644
index ..12bc3652f333
--- /dev/null
+++ b/eclass/acct-user.eclass
@@ -0,0 +1,217 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: acct-user.eclass
+# @MAINTAINER:
+# Michał Górny 
+# @AUTHOR:
+# Michael Orlitzky 
+# Michał Górny 
+# @BLURB: Eclass used to create and maintain a single user entry
+# @DESCRIPTION:
+# This eclass represents and creates a single user entry.  The name
+# of the user is derived from ${PN}, while (preferred) UID needs to
+# be specified via ACCT_USER_ID.  Additional variables are provided
+# to override the default home directory, shell and add group
+# membership.  Packages needing the user in question should depend
+# on the package providing it.
+#
+# Example:
+# If your package needs user 'foo' belonging to same-named group, you
+# create 'acct-user/foo' package and add an ebuild with the following
+# contents:
+#
+# @CODE
+# EAPI=7
+# inherit acct-user
+# 

[gentoo-dev] [PATCH v2 7/9] acct-group/ftp: Add 'ftp' group (GID 21)

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 acct-group/ftp/ftp-0.ebuild | 8 
 acct-group/ftp/metadata.xml | 5 +
 profiles/categories | 1 +
 3 files changed, 14 insertions(+)
 create mode 100644 acct-group/ftp/ftp-0.ebuild
 create mode 100644 acct-group/ftp/metadata.xml

diff --git a/acct-group/ftp/ftp-0.ebuild b/acct-group/ftp/ftp-0.ebuild
new file mode 100644
index ..d0912739a2fe
--- /dev/null
+++ b/acct-group/ftp/ftp-0.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=21
diff --git a/acct-group/ftp/metadata.xml b/acct-group/ftp/metadata.xml
new file mode 100644
index ..7a38bb900964
--- /dev/null
+++ b/acct-group/ftp/metadata.xml
@@ -0,0 +1,5 @@
+
+http://www.gentoo.org/dtd/metadata.dtd;>
+
+   
+
diff --git a/profiles/categories b/profiles/categories
index 4ff0d5562001..ebfc72f70759 100644
--- a/profiles/categories
+++ b/profiles/categories
@@ -1,3 +1,4 @@
+acct-group
 app-accessibility
 app-admin
 app-antivirus
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 2/9] user.eclass: Prevent automated home creation in useradd

2019-06-05 Thread Michał Górny
Pass '-M' to prevent useradd from automatically creating the home
directory (depending on system configuration).  We create the home
directory ourselves anyway, and we have better control over how it's
created this way.

Signed-off-by: Michał Górny 
---
 eclass/user.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index a6c6ad82b7a0..6be7d9f3 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -246,7 +246,7 @@ enewuser() {
;;
 
*)
-   useradd -N -r "${opts[@]}" "${euser}" || die
+   useradd -M -N -r "${opts[@]}" "${euser}" || die
;;
esac
 
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 3/9] user.eclass: Support disabling home directory creation

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 eclass/user.eclass | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 6be7d9f3..7eda668974f0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -96,12 +96,15 @@ egetent() {
 }
 
 # @FUNCTION: enewuser
-# @USAGE:  [uid] [shell] [homedir] [groups]
+# @USAGE:  [-M] [uid] [shell] [homedir] [groups]
 # @DESCRIPTION:
 # Same as enewgroup, you are not required to understand how to properly add
 # a user to the system.  The only required parameter is the username.
 # Default uid is (pass -1 for this) next available, default shell is
 # /bin/false, default homedir is /dev/null, and there are no default groups.
+#
+# If -M is passed, enewuser does not create the home directory if it does not
+# exist.
 enewuser() {
if [[ ${EUID} != 0 ]] ; then
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
@@ -109,6 +112,15 @@ enewuser() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
 
+   local create_home=1
+   while [[ $1 == -* ]]; do
+   case $1 in
+   -M) create_home=;;
+   *) die "${FUNCNAME}: invalid option ${1}";;
+   esac
+   shift
+   done
+
# get the username
local euser=$1; shift
if [[ -z ${euser} ]] ; then
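
Review bot: the option loop runs before `local euser=$1; shift`, so -M is only recognised ahead of the username; make sure the @USAGE line in the first hunk lists [-M] in that position, since an option given after the username would be read as the uid argument. The flag also uses an empty value for false (`create_home=`), which deserves a short comment next to the `-n ${create_home}` test it feeds.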
@@ -250,7 +262,7 @@ enewuser() {
;;
esac
 
-   if [[ ! -e ${ROOT}/${ehome} ]] ; then
+   if [[ -n ${create_home} && ! -e ${ROOT}/${ehome} ]] ; then
einfo " - Creating ${ehome} in ${ROOT}"
mkdir -p "${ROOT}/${ehome}"
chown "${euser}" "${ROOT}/${ehome}"
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 4/9] user.eclass: Support forcing specified UID/GID

2019-06-05 Thread Michał Górny
Signed-off-by: Michał Górny 
---
 eclass/user.eclass | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index 7eda668974f0..1ffeaae29569 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -96,13 +96,15 @@ egetent() {
 }
 
 # @FUNCTION: enewuser
-# @USAGE:  [-M] [uid] [shell] [homedir] [groups]
+# @USAGE:  [-F] [-M] [uid] [shell] [homedir] [groups]
 # @DESCRIPTION:
 # Same as enewgroup, you are not required to understand how to properly add
 # a user to the system.  The only required parameter is the username.
 # Default uid is (pass -1 for this) next available, default shell is
 # /bin/false, default homedir is /dev/null, and there are no default groups.
 #
+# If -F is passed, enewuser will always enforce specified UID and fail if it
+# can not be assigned.
 # If -M is passed, enewuser does not create the home directory if it does not
 # exist.
 enewuser() {
@@ -112,9 +114,10 @@ enewuser() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
 
-   local create_home=1
+   local create_home=1 force_uid=
while [[ $1 == -* ]]; do
case $1 in
+   -F) force_uid=1;;
-M) create_home=;;
*) die "${FUNCNAME}: invalid option ${1}";;
esac
@@ -142,6 +145,7 @@ enewuser() {
if [[ -n ${euid} && ${euid} != -1 ]] ; then
if [[ ${euid} -gt 0 ]] ; then
if [[ -n $(egetent passwd ${euid}) ]] ; then
+   [[ -n ${force_uid} ]] && die "${FUNCNAME}: UID 
${euid} already taken"
euid="next"
fi
else
@@ -149,6 +153,7 @@ enewuser() {
die "${euid} is not a valid UID"
fi
else
+   [[ -n ${force_uid} ]] && die "${FUNCNAME}: -F with uid==-1 
makes no sense"
euid="next"
fi
if [[ ${euid} == "next" ]] ; then
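
Review bot: the new die in the final else branch fires whenever the outer test `[[ -n ${euid} && ${euid} != -1 ]]` is false, which includes a call that passes -F and no uid at all, yet the message only mentions uid==-1. Reword it to say that -F requires an explicit UID so both cases are covered.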
@@ -277,6 +282,9 @@ enewuser() {
 # group to the system.  Just give it a group name to add and enewgroup will
 # do the rest.  You may specify the gid for the group or allow the group to
 # allocate the next available one.
+#
+# If -F is passed, enewgroup will always enforce specified GID and fail if it
+# can not be assigned.
 enewgroup() {
if [[ ${EUID} != 0 ]] ; then
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
@@ -284,6 +292,15 @@ enewgroup() {
fi
_assert_pkg_ebuild_phase ${FUNCNAME}
 
+   local force_gid=
+   while [[ $1 == -* ]]; do
+   case $1 in
+   -F) force_gid=1;;
+   *) die "${FUNCNAME}: invalid option ${1}";;
+   esac
+   shift
+   done
+
# get the group
local egroup=$1; shift
if [[ -z ${egroup} ]] ; then
@@ -302,6 +319,7 @@ enewgroup() {
if [[ ! -z ${egid} ]] ; then
if [[ ${egid} -gt 0 ]] ; then
if [[ -n $(egetent group ${egid}) ]] ; then
+   [[ -n ${force_gid} ]] && die "${FUNCNAME}: GID 
${egid} already taken"
egid="next available; requested gid taken"
fi
else
@@ -309,6 +327,7 @@ enewgroup() {
die "${egid} is not a valid GID"
fi
else
+   [[ -n ${force_gid} ]] && die "${FUNCNAME}: -F with gid==-1 
makes no sense"
egid="next available"
fi
einfo " - Groupid: ${egid}"
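
Review bot: in enewgroup this else branch belongs to `if [[ ! -z ${egid} ]]`, so the new die is reached only when no gid was passed; a gid of -1 fails `${egid} -gt 0` first and ends in "is not a valid GID". The message "-F with gid==-1 makes no sense" therefore describes a case that never gets here; say that -F requires an explicit GID instead.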
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 1/9] user.eclass: Do not create user-group automatically

2019-06-05 Thread Michał Górny
Closes: https://bugs.gentoo.org/512220
Signed-off-by: Michał Górny 
---
 eclass/user.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/user.eclass b/eclass/user.eclass
index f6a10a6bee28..a6c6ad82b7a0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -246,7 +246,7 @@ enewuser() {
;;
 
*)
-   useradd -r "${opts[@]}" "${euser}" || die
+   useradd -N -r "${opts[@]}" "${euser}" || die
;;
esac
 
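
Review bot: the commit message carries only the bug link. With -N, useradd no longer creates a same-named group and takes the primary group from -g or from the GROUP default in /etc/default/useradd, so state in the message which primary group a user created without an explicit group ends up in, and whether any existing caller relied on the automatic group.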
-- 
2.22.0.rc3




[gentoo-dev] [PATCH v2 0/9] User/group packages

2019-06-05 Thread Michał Górny
Hi,

Here's the second iteration of user/group package implementation part.

Changes from v1:

- renamed categories and eclasses to acct-user and acct-group,

- added ACCT_USER_HOME_{OWNER,PERMS} to control ownership
  and permissions of created home directories.

--
Best regards,
Michał Górny


Michał Górny (9):
  user.eclass: Do not create user-group automatically
  user.eclass: Prevent automated home creation in useradd
  user.eclass: Support disabling home directory creation
  user.eclass: Support forcing specified UID/GID
  user.eclass: Die if no free UID/GID is found
  acct-{group,user}.eclass: WIP eclasses to maintain users/groups
  acct-group/ftp: Add 'ftp' group (GID 21)
  acct-user/ftp: Add 'ftp' user (UID 21)
  net-ftp/ftpbase: Utilize {group,user}/ftp

 acct-group/ftp/ftp-0.ebuild|   8 +
 acct-group/ftp/metadata.xml|   5 +
 acct-user/ftp/ftp-0.ebuild |  13 ++
 acct-user/ftp/metadata.xml |   5 +
 eclass/acct-group.eclass   | 105 
 eclass/acct-user.eclass| 217 +
 eclass/user.eclass |  39 -
 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild |  39 +
 profiles/categories|   2 +
 9 files changed, 430 insertions(+), 3 deletions(-)
 create mode 100644 acct-group/ftp/ftp-0.ebuild
 create mode 100644 acct-group/ftp/metadata.xml
 create mode 100644 acct-user/ftp/ftp-0.ebuild
 create mode 100644 acct-user/ftp/metadata.xml
 create mode 100644 eclass/acct-group.eclass
 create mode 100644 eclass/acct-user.eclass
 create mode 100644 net-ftp/ftpbase/ftpbase-0.01-r3.ebuild

-- 
2.22.0.rc3