acct-user.eclass: allow opt-out of user modification
In some setups where users are changed/managed not only via ebuilds,
for example through configuration management systems, it could be
problematic if acct-user.eclass restores user/group settings
to the values set in the ebuild.

Setting ACCT_USER_NO_MODIFY to a non-zero value will allow the system
administrator to disable modification of any existing user.

Note: Lock/unlock when an acct-* package is installed/removed
      will still happen.

Signed-off-by: Thomas Deutschmann <[email protected]>
Whissi committed Jan 10, 2021
1 parent b73f730 commit bac0aca
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions eclass/acct-user.eclass
Expand Up @@ -73,13 +73,25 @@ readonly ACCT_USER_NAME
# Overlays should set this to -1 to dynamically allocate UID. Using -1
# in ::gentoo is prohibited by policy.

# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
# @INTERNAL
# @DESCRIPTION:
# Status variable which indicates if user already exists.

# @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
# @DESCRIPTION:
# If set to a non-null value, the eclass will require the user to have
# specified UID. If the user already exists with another UID, or
# the UID is taken by another user, the install will fail.
: ${ACCT_USER_ENFORCE_ID:=}

# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
# @DEFAULT_UNSET
# @DESCRIPTION:
# If set to a non-null value, the eclass will not make any changes
# to an already existing user.
: ${ACCT_USER_NO_MODIFY:=}

# @ECLASS-VARIABLE: ACCT_USER_SHELL
# @DESCRIPTION:
# The shell to use for the user. If not specified, a 'nologin' variant
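
Review bot: the @DESCRIPTION of ACCT_USER_NO_MODIFY says the eclass "will not make any changes to an already existing user", but the acct-user_pkg_postinst hunk in this same commit still calls eunlockuser on that path, and the commit message notes that lock/unlock still happens. The description should state that exception so an administrator who relies on a configuration management system to keep an account locked is not surprised when an install unlocks it. Separately, @DEFAULT_UNSET is placed next to `: ${ACCT_USER_NO_MODIFY:=}`, which assigns an empty value when the variable is unset; ACCT_USER_ENFORCE_ID just above uses the same assignment without that tag, so either the tag or the assignment should be dropped for consistency.
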
Expand Down Expand Up @@ -390,6 +402,13 @@ acct-user_src_install() {
acct-user_pkg_preinst() {
debug-print-function ${FUNCNAME} "${@}"

# check if user already exists
_ACCT_USER_ALREADY_EXISTS=
if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
_ACCT_USER_ALREADY_EXISTS=1
fi
readonly _ACCT_USER_ALREADY_EXISTS

enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
"${_ACCT_USER_ID}" "${_ACCT_USER_SHELL}" "${_ACCT_USER_HOME}" \
"${_ACCT_USER_GROUPS// /,}"
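
Review bot: `readonly _ACCT_USER_ALREADY_EXISTS` follows an unconditional reset (`_ACCT_USER_ALREADY_EXISTS=`) at the top of acct-user_pkg_preinst, so if this function is ever executed a second time in the same shell environment the reset hits a readonly-assignment error and the value from the first run is kept, even though the user will exist by then because of the enewuser call below. Consider dropping the readonly, or guarding the block so it only runs when the variable has not been set yet. A short comment that the flag is consumed later in acct-user_pkg_postinst, and must therefore be captured before enewuser creates the account, would also help the next reader understand why the check sits here.
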
Expand Down Expand Up @@ -425,6 +444,14 @@ acct-user_pkg_postinst() {
return 0
fi

if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]]; then
eunlockuser "${ACCT_USER_NAME}"

ewarn "User ${ACCT_USER_NAME} already exists; Not touching existing user"
ewarn "due to set ACCT_USER_NO_MODIFY."
return 0
fi

# NB: eset* functions check current value
esethome "${ACCT_USER_NAME}" "${_ACCT_USER_HOME}"
esetshell "${ACCT_USER_NAME}" "${_ACCT_USER_SHELL}"
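
Review bot: the two ewarn lines in the new early-return block do not tell the administrator what was skipped. After this return, the esethome and esetshell calls below no longer run for an existing account, so a later ebuild change to the home directory or shell is silently not applied; the warning should name the settings left untouched so they can be reconciled by hand or by the external management tool. The wording "due to set ACCT_USER_NO_MODIFY" would read better as "because ACCT_USER_NO_MODIFY is set". Also note that the condition tests `-n ${ACCT_USER_NO_MODIFY}`, so any non-empty value, including 0, enables the opt-out; the commit message says "non-zero" while the eclass documentation says "non-null", and the two should agree.
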