[gentoo-dev] [PATCH v3] acct-user.eclass: allow opt-out of user modification

Fri, 08 Jan 2021 14:46:22 -0800 

In some setups where users are changed/managed not only via ebuilds,
for example through configuration management systems, it could be
problematic if acct-user.eclass will restore user/group settings
to values set in ebuild.

Setting ACCT_USER_NO_MODIFY to a non-zero value will allow system
administrator to disable modification of any existing user.

Note: Lock/unlock when acct-* package will be installed/removed
      will still happen.

Signed-off-by: Thomas Deutschmann <whi...@gentoo.org>
---

 v3: 
   - Fixed eclass documentation
   - Honor 80 chars limit
   - Prefixed internal variable ACCT_USER_ALREADY_EXISTS

 eclass/acct-user.eclass | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/eclass/acct-user.eclass b/eclass/acct-user.eclass
index 47890e48409a..dcda661d39ea 100644
--- a/eclass/acct-user.eclass
+++ b/eclass/acct-user.eclass
@@ -72,6 +72,11 @@ readonly ACCT_USER_NAME
 # Overlays should set this to -1 to dynamically allocate UID.  Using -1
 # in ::gentoo is prohibited by policy.
 
+# @ECLASS-VARIABLE: _ACCT_USER_ALREADY_EXISTS
+# @INTERNAL
+# @DESCRIPTION:
+# Status variable which indicates if user already exists.
+
 # @ECLASS-VARIABLE: ACCT_USER_ENFORCE_ID
 # @DESCRIPTION:
 # If set to a non-null value, the eclass will require the user to have
@@ -79,6 +84,13 @@ readonly ACCT_USER_NAME
 # the UID is taken by another user, the install will fail.
 : ${ACCT_USER_ENFORCE_ID:=}
 
+# @ECLASS-VARIABLE: ACCT_USER_NO_MODIFY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, the eclass will not make any changes
+# to an already existing user.
+: ${ACCT_USER_NO_MODIFY:=}
+
 # @ECLASS-VARIABLE: ACCT_USER_SHELL
 # @DESCRIPTION:
 # The shell to use for the user.  If not specified, a 'nologin' variant
@@ -344,6 +356,13 @@ acct-user_src_install() {
 acct-user_pkg_preinst() {
        debug-print-function ${FUNCNAME} "${@}"
 
+       # check if user already exists
+       _ACCT_USER_ALREADY_EXISTS=
+       if [[ -n $(egetent passwd "${ACCT_USER_NAME}") ]]; then
+               _ACCT_USER_ALREADY_EXISTS=yes
+       fi
+       readonly _ACCT_USER_ALREADY_EXISTS
+
        local groups=${ACCT_USER_GROUPS[*]}
        enewuser ${ACCT_USER_ENFORCE_ID:+-F} -M "${ACCT_USER_NAME}" \
                "${ACCT_USER_ID}" "${ACCT_USER_SHELL}" "${ACCT_USER_HOME}" \
@@ -379,6 +398,14 @@ acct-user_pkg_postinst() {
                return 0
        fi
 
+       if [[ -n ${ACCT_USER_NO_MODIFY} && -n ${_ACCT_USER_ALREADY_EXISTS} ]] ; 
then
+               eunlockuser "${ACCT_USER_NAME}"
+
+               ewarn "User ${ACCT_USER_NAME} already exists; Not touching 
existing user"
+               ewarn "due to set ACCT_USER_NO_MODIFY."
+               return 0
+       fi
+
        # NB: eset* functions check current value
        esethome "${ACCT_USER_NAME}" "${ACCT_USER_HOME}"
        esetshell "${ACCT_USER_NAME}" "${ACCT_USER_SHELL}"
-- 
2.30.0

Reply via email to