373 lines
10 KiB
Bash
373 lines
10 KiB
Bash
# Copyright 2019 Gentoo Authors
|
|
# Distributed under the terms of the GNU General Public License v2
|
|
|
|
# @ECLASS: acct-user.eclass
|
|
# @MAINTAINER:
|
|
# Michał Górny <mgorny@gentoo.org>
|
|
# @AUTHOR:
|
|
# Michael Orlitzky <mjo@gentoo.org>
|
|
# Michał Górny <mgorny@gentoo.org>
|
|
# @BLURB: Eclass used to create and maintain a single user entry
|
|
# @DESCRIPTION:
|
|
# This eclass represents and creates a single user entry. The name
|
|
# of the user is derived from ${PN}, while (preferred) UID needs to
|
|
# be specified via ACCT_USER_ID. Additional variables are provided
|
|
# to override the default home directory, shell and add group
|
|
# membership. Packages needing the user in question should depend
|
|
# on the package providing it.
|
|
#
|
|
# The ebuild needs to call acct-user_add_deps after specifying
|
|
# ACCT_USER_GROUPS.
|
|
#
|
|
# Example:
|
|
# If your package needs user 'foo' belonging to same-named group, you
|
|
# create 'acct-user/foo' package and add an ebuild with the following
|
|
# contents:
|
|
#
|
|
# @CODE
|
|
# EAPI=7
|
|
# inherit acct-user
|
|
# ACCT_USER_ID=200
|
|
# ACCT_USER_GROUPS=( foo )
|
|
# acct-user_add_deps
|
|
# @CODE
|
|
#
|
|
# Then you add appropriate dependency to your package. The dependency
|
|
# type(s) should be:
|
|
# - DEPEND (+ RDEPEND) if the user is already needed at build time,
|
|
# - RDEPEND if it is needed at install time (e.g. you 'fowners' files
|
|
# in pkg_preinst) or run time.
|
|
|
|
if [[ -z ${_ACCT_USER_ECLASS} ]]; then
|
|
_ACCT_USER_ECLASS=1
|
|
|
|
case ${EAPI:-0} in
|
|
7) ;;
|
|
*) die "EAPI=${EAPI} not supported";;
|
|
esac
|
|
|
|
inherit user
|
|
|
|
[[ ${CATEGORY} == acct-user ]] ||
|
|
die "Ebuild error: this eclass can be used only in acct-user category!"
|
|
|
|
|
|
# << Eclass variables >>
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_NAME
|
|
# @INTERNAL
|
|
# @DESCRIPTION:
|
|
# The name of the user. This is forced to ${PN} and the policy prohibits
|
|
# it from being changed.
|
|
ACCT_USER_NAME=${PN}
|
|
readonly ACCT_USER_NAME
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_ID
|
|
# @REQUIRED
|
|
# @DESCRIPTION:
|
|
# Preferred UID for the new user. This variable is obligatory, and its
|
|
# value must be unique across all user packages.
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
|
|
# @DESCRIPTION:
|
|
# If set to a non-null value, the eclass will require the user to have
|
|
# specified UID. If the user already exists with another UID, or
|
|
# the UID is taken by another user, the install will fail.
|
|
: ${ACCT_USER_ENFORCE_ID:=}
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_SHELL
|
|
# @DESCRIPTION:
|
|
# The shell to use for the user. If not specified, a 'nologin' variant
|
|
# for the system is used.
|
|
: ${ACCT_USER_SHELL:=-1}
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_HOME
|
|
# @DESCRIPTION:
|
|
# The home directory for the user. If not specified, /dev/null is used.
|
|
# The directory will be created with appropriate permissions if it does
|
|
# not exist. When updating, existing home directory will not be moved.
|
|
: ${ACCT_USER_HOME:=/dev/null}
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_HOME_OWNER
|
|
# @DEFAULT_UNSET
|
|
# @DESCRIPTION:
|
|
# The ownership to use for the home directory, in chown ([user][:group])
|
|
# syntax. Defaults to the newly created user, and its primary group.
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_HOME_PERMS
|
|
# @DESCRIPTION:
|
|
# The permissions to use for the home directory, in chmod (octal
|
|
# or verbose) form.
|
|
: ${ACCT_USER_HOME_PERMS:=0755}
|
|
|
|
# @ECLASS-VARIABLE: ACCT_USER_GROUPS
|
|
# @REQUIRED
|
|
# @DESCRIPTION:
|
|
# List of groups the user should belong to. This must be a bash
|
|
# array.
|
|
|
|
|
|
# << Boilerplate ebuild variables >>
|
|
: ${DESCRIPTION:="System user: ${ACCT_USER_NAME}"}
|
|
: ${HOMEPAGE:=https://www.gentoo.org/}
|
|
: ${SLOT:=0}
|
|
: ${KEYWORDS:=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris}
|
|
S=${WORKDIR}
|
|
|
|
|
|
# << API functions >>
|
|
|
|
# @FUNCTION: acct-user_add_deps
|
|
# @DESCRIPTION:
|
|
# Generate appropriate RDEPEND from ACCT_USER_GROUPS. This must be
|
|
# called if ACCT_USER_GROUPS are set.
|
|
acct-user_add_deps() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
# ACCT_USER_GROUPS sanity check
|
|
if [[ $(declare -p ACCT_USER_GROUPS) != "declare -a"* ]]; then
|
|
die 'ACCT_USER_GROUPS must be an array.'
|
|
elif [[ ${#ACCT_USER_GROUPS[@]} -eq 0 ]]; then
|
|
die 'ACCT_USER_GROUPS must not be empty.'
|
|
fi
|
|
|
|
RDEPEND+=${ACCT_USER_GROUPS[*]/#/ acct-group/}
|
|
_ACCT_USER_ADD_DEPS_CALLED=1
|
|
}
|
|
|
|
|
|
# << Helper functions >>
|
|
|
|
# @FUNCTION: eislocked
|
|
# @INTERNAL
|
|
# @USAGE: <user>
|
|
# @DESCRIPTION:
|
|
# Check whether the specified user account is currently locked.
|
|
# Returns 0 if it is locked, 1 if it is not, 2 if the platform
|
|
# does not support determining it.
|
|
eislocked() {
|
|
[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
|
|
|
|
if [[ ${EUID} != 0 ]] ; then
|
|
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
|
|
return 0
|
|
fi
|
|
|
|
case ${CHOST} in
|
|
*-freebsd*|*-dragonfly*|*-netbsd*)
|
|
[[ $(egetent "$1" | cut -d: -f2) == '*LOCKED*'* ]]
|
|
;;
|
|
|
|
*-openbsd*)
|
|
return 2
|
|
;;
|
|
|
|
*)
|
|
# NB: 'no password' and 'locked' are indistinguishable
|
|
# but we also expire the account which is more clear
|
|
[[ $(getent shadow ftp | cut -d: -f2) == '!'* ]] &&
|
|
[[ $(getent shadow ftp | cut -d: -f8) == 1 ]]
|
|
;;
|
|
esac
|
|
}
|
|
|
|
# @FUNCTION: elockuser
|
|
# @INTERNAL
|
|
# @USAGE: <user>
|
|
# @DESCRIPTION:
|
|
# Lock the specified user account, using the available platform-specific
|
|
# functions. This should prevent any login to the account.
|
|
#
|
|
# Established lock can be reverted using eunlockuser.
|
|
#
|
|
# This function returns 0 if locking succeeded, 2 if it is not supported
|
|
# by the platform code or dies if it fails.
|
|
elockuser() {
|
|
[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
|
|
|
|
if [[ ${EUID} != 0 ]] ; then
|
|
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
|
|
return 0
|
|
fi
|
|
|
|
eislocked "$1"
|
|
[[ $? -eq 0 ]] && return 0
|
|
|
|
case ${CHOST} in
|
|
*-freebsd*|*-dragonfly*)
|
|
pw lock "$1" || die "Locking account $1 failed"
|
|
pw user mod "$1" -e 1 || die "Expiring account $1 failed"
|
|
;;
|
|
|
|
*-netbsd*)
|
|
usermod -e 1 -C yes "$1" || die "Locking account $1 failed"
|
|
;;
|
|
|
|
*-openbsd*)
|
|
return 2
|
|
;;
|
|
|
|
*)
|
|
usermod -e 1 -L "$1" || die "Locking account $1 failed"
|
|
;;
|
|
esac
|
|
|
|
elog "User account $1 locked"
|
|
return 0
|
|
}
|
|
|
|
# @FUNCTION: eunlockuser
|
|
# @INTERNAL
|
|
# @USAGE: <user>
|
|
# @DESCRIPTION:
|
|
# Unlock the specified user account, using the available platform-
|
|
# specific functions.
|
|
#
|
|
# This function returns 0 if unlocking succeeded, 1 if it is not
|
|
# supported by the platform code or dies if it fails.
|
|
eunlockuser() {
|
|
[[ $# -eq 1 ]] || die "usage: ${FUNCNAME} <user>"
|
|
|
|
if [[ ${EUID} != 0 ]] ; then
|
|
einfo "Insufficient privileges to execute ${FUNCNAME[0]}"
|
|
return 0
|
|
fi
|
|
|
|
eislocked "$1"
|
|
[[ $? -eq 1 ]] && return 0
|
|
|
|
case ${CHOST} in
|
|
*-freebsd*|*-dragonfly*)
|
|
pw user mod "$1" -e 0 || die "Unexpiring account $1 failed"
|
|
pw unlock "$1" || die "Unlocking account $1 failed"
|
|
;;
|
|
|
|
*-netbsd*)
|
|
usermod -e 0 -C no "$1" || die "Unlocking account $1 failed"
|
|
;;
|
|
|
|
*-openbsd*)
|
|
return 1
|
|
;;
|
|
|
|
*)
|
|
# silence warning if account does not have a password
|
|
usermod -e "" -U "$1" 2>/dev/null || die "Unlocking account $1 failed"
|
|
;;
|
|
esac
|
|
|
|
ewarn "User account $1 unlocked after reinstating."
|
|
return 0
|
|
}
|
|
|
|
|
|
# << Phase functions >>
|
|
EXPORT_FUNCTIONS pkg_pretend src_install pkg_preinst pkg_postinst \
|
|
pkg_prerm
|
|
|
|
# @FUNCTION: acct-user_pkg_pretend
|
|
# @DESCRIPTION:
|
|
# Performs sanity checks for correct eclass usage, and early-checks
|
|
# whether requested UID can be enforced.
|
|
acct-user_pkg_pretend() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
# verify that acct-user_add_deps() has been called
|
|
# (it verifies ACCT_USER_GROUPS itself)
|
|
if [[ -z ${_ACCT_USER_ADD_DEPS_CALLED} ]]; then
|
|
die "Ebuild error: acct-user_add_deps must have been called in global scope!"
|
|
fi
|
|
|
|
# verify ACCT_USER_ID
|
|
[[ -n ${ACCT_USER_ID} ]] || die "Ebuild error: ACCT_USER_ID must be set!"
|
|
[[ ${ACCT_USER_ID} -ge 0 ]] || die "Ebuild errors: ACCT_USER_ID=${ACCT_USER_ID} invalid!"
|
|
|
|
# check for ACCT_USER_ID collisions early
|
|
if [[ -n ${ACCT_USER_ENFORCE_ID} ]]; then
|
|
local user_by_id=$(egetusername "${ACCT_USER_ID}")
|
|
local user_by_name=$(egetent passwd "${ACCT_USER_NAME}")
|
|
if [[ -n ${user_by_id} ]]; then
|
|
if [[ ${user_by_id} != ${ACCT_USER_NAME} ]]; then
|
|
eerror "The required UID is already taken by another user."
|
|
eerror " UID: ${ACCT_USER_ID}"
|
|
eerror " needed for: ${ACCT_USER_NAME}"
|
|
eerror " current user: ${user_by_id}"
|
|
die "UID ${ACCT_USER_ID} taken already"
|
|
fi
|
|
elif [[ -n ${user_by_name} ]]; then
|
|
eerror "The requested user exists already with wrong UID."
|
|
eerror " username: ${ACCT_USER_NAME}"
|
|
eerror " requested UID: ${ACCT_USER_ID}"
|
|
eerror " current entry: ${user_by_name}"
|
|
die "Username ${ACCT_USER_NAME} exists with wrong UID"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# @FUNCTION: acct-user_src_install
|
|
# @DESCRIPTION:
|
|
# Installs a keep-file into the user's home directory to ensure it is
|
|
# owned by the package.
|
|
acct-user_src_install() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
|
|
# note: we can't set permissions here since the user isn't
|
|
# created yet
|
|
keepdir "${ACCT_USER_HOME}"
|
|
fi
|
|
}
|
|
|
|
# @FUNCTION: acct-user_pkg_preinst
|
|
# @DESCRIPTION:
|
|
# Creates the user if it does not exist yet. Sets permissions
|
|
# of the home directory in install image.
|
|
acct-user_pkg_preinst() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
local groups=${ACCT_USER_GROUPS[*]}
|
|
enewuser -F -M "${ACCT_USER_NAME}" "${ACCT_USER_ID}" \
|
|
"${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" "${groups// /,}"
|
|
|
|
if [[ ${ACCT_USER_HOME} != /dev/null ]]; then
|
|
# default ownership to user:group
|
|
if [[ -z ${ACCT_USER_HOME_OWNER} ]]; then
|
|
ACCT_USER_HOME_OWNER=${ACCT_USER_NAME}:${ACCT_USER_GROUPS[0]}
|
|
fi
|
|
fowners "${ACCT_USER_HOME_OWNER}" "${ACCT_USER_HOME}"
|
|
fperms "${ACCT_USER_HOME_PERMS}" "${ACCT_USER_HOME}"
|
|
fi
|
|
}
|
|
|
|
# @FUNCTION: acct-user_pkg_postinst
|
|
# @DESCRIPTION:
|
|
# Updates user properties if necessary. This needs to be done after
|
|
# new home directory is installed.
|
|
acct-user_pkg_postinst() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
# NB: eset* functions check current value
|
|
esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
|
|
esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
|
|
local groups=${ACCT_USER_GROUPS[*]}
|
|
esetgroups "${ACCT_USER_NAME}" "${groups// /,}"
|
|
# comment field can not contain colons
|
|
esetcomment "${ACCT_USER_NAME}" "${DESCRIPTION//[:,=]/;}"
|
|
eunlockuser "${ACCT_USER_NAME}"
|
|
}
|
|
|
|
# @FUNCTION: acct-user_pkg_prerm
|
|
# @DESCRIPTION:
|
|
# Ensures that the user account is locked out when it is removed.
|
|
acct-user_pkg_prerm() {
|
|
debug-print-function ${FUNCNAME} "${@}"
|
|
|
|
if [[ -z ${REPLACED_BY_VERSION} ]]; then
|
|
esetshell "${ACCT_USER_NAME}" -1
|
|
esetcomment "${ACCT_USER_NAME}" \
|
|
"$(egetcomment "${ACCT_USER_NAME}"); user account removed @ $(date +%Y-%m-%d)"
|
|
elockuser "${ACCT_USER_NAME}"
|
|
fi
|
|
}
|
|
|
|
fi
|