authorDavid Kupka <[email protected]>2014-10-22 09:07:44 -0400
committerMartin Kosek <[email protected]>2014-11-05 15:22:51 +0100
commit71c24b187a8d4b8990c0899d2c907d600b7bcc21 (patch)
tree1da2b98f7600f04eb9dede9d67de3330930d503d
parent49a73e1d6b710d777d4cc3a3ac358491c3e0e85a (diff)
Respect UID and GID soft static allocation.
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <[email protected]>
-rw-r--r--ipaplatform/base/tasks.py48
-rw-r--r--ipaplatform/redhat/tasks.py23
-rw-r--r--ipaserver/install/cainstance.py2
-rw-r--r--ipaserver/install/dsinstance.py2
-rw-r--r--ipaserver/install/installutils.py42
5 files changed, 73 insertions, 44 deletions
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43..f2ba81f44 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,7 +22,13 @@
This module contains default platform-specific implementations of system tasks.
'''
+import pwd
+import grp
from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)
class BaseTaskNamespace(object):
@@ -150,5 +156,47 @@ class BaseTaskNamespace(object):
return
+ def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+ """Create a system user with a corresponding group"""
+ try:
+ grp.getgrnam(group)
+ except KeyError:
+ log.debug('Adding group %s', group)
+ args = [paths.GROUPADD, '-r', group]
+ if gid:
+ args += ['-g', str(gid)]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding group')
+ except ipautil.CalledProcessError as e:
+ log.critical('Failed to add group: %s', e)
+ raise
+ else:
+ log.debug('group %s exists', group)
+
+ try:
+ pwd.getpwnam(name)
+ except KeyError:
+ log.debug('Adding user %s', name)
+ args = [
+ paths.USERADD,
+ '-g', group,
+ '-d', homedir,
+ '-s', shell,
+ '-M', '-r', name,
+ ]
+ if uid:
+ args += ['-u', str(uid)]
+ if comment:
+ args += ['-c', comment]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding user')
+ except ipautil.CalledProcessError as e:
+ log.critical('Failed to add user: %s', e)
+ raise
+ else:
+ log.debug('user %s exists', name)
+
task_namespace = BaseTaskNamespace()
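Review bot: When the group or user already exists, the `else` branches only log at debug level, so the `uid`/`gid` arguments this change introduces are never compared with the entry that `grp.getgrnam(group)` / `pwd.getpwnam(name)` found. A pre-existing account with a different ID is then silently adopted as the service account, and the installer gives no sign that the requested static allocation was not applied. I would keep the lookup results and at least log a warning on mismatch, as sketched below. Separately, `if gid:` and `if uid:` test truthiness while the Red Hat override tests `is None`; `is not None` would be consistent with it.

```python
    def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
        try:
            existing_group = grp.getgrnam(group)
        except KeyError:
            # … unchanged: groupadd call, using `if gid is not None:` …
        else:
            log.debug('group %s exists', group)
            if gid is not None and existing_group.gr_gid != gid:
                log.warning('group %s exists with GID %s, expected %s',
                            group, existing_group.gr_gid, gid)

        try:
            existing_user = pwd.getpwnam(name)
        except KeyError:
            # … unchanged: useradd call, using `if uid is not None:` …
        else:
            log.debug('user %s exists', name)
            if uid is not None and existing_user.pw_uid != uid:
                log.warning('user %s exists with UID %s, expected %s',
                            name, existing_user.pw_uid, uid)
```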
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 555516d90..3f5fc90b4 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -393,5 +393,28 @@ class RedHatTaskNamespace(BaseTaskNamespace):
return True
+ def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+ """
+ Create a system user with a corresponding group
+
+ According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+ some system users should have fixed UID, GID and other parameters set.
+ This values should be constant and may be hardcoded.
+ Add other values for other users when needed.
+ """
+ if name == 'pkiuser':
+ if uid is None:
+ uid = 17
+ if gid is None:
+ gid = 17
+ if comment is None:
+ comment = 'CA System User'
+ if name == 'dirsrv':
+ if comment is None:
+ comment = 'DS System User'
+
+ super(RedHatTaskNamespace, self).create_system_user(name, group,
+ homedir, shell, uid, gid, comment)
+
tasks = RedHatTaskNamespace()
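Review bot: The `pkiuser` defaults `uid = 17` and `gid = 17` are handed to the base method without checking that those IDs are free, so on a host where another account already holds 17 the `groupadd`/`useradd` call fails and the base method re-raises, which presumably aborts the install. As I read the soft static allocation scheme the docstring refers to, the fixed ID is a preference, with dynamic allocation as the fallback when it is taken. A lookup such as `pwd.getpwuid(uid)` / `grp.getgrgid(gid)` before the `super()` call, resetting the value to `None` when the ID belongs to a different name, would give that fallback. `pwd` and `grp` are not visibly imported in this file, so the check may sit better in the base method.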
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0c31d2164..6ccbe415e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -261,7 +261,7 @@ def is_step_one_done():
def create_ca_user():
"""Create PKI user/group if it doesn't exist yet."""
- installutils.create_system_user(
+ tasks.create_system_user(
name=PKI_USER,
group=PKI_USER,
homedir=paths.VAR_LIB,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index da5353471..4293c5c90 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -152,7 +152,7 @@ def is_ds_running(server_id=''):
def create_ds_user():
"""Create DS user/group if it doesn't exist yet."""
- installutils.create_system_user(
+ tasks.create_system_user(
name=DS_USER,
group=DS_USER,
homedir=paths.VAR_LIB_DIRSRV,
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 1e010edc6..9cda26f16 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -29,8 +29,6 @@ from ConfigParser import SafeConfigParser, NoOptionError
import traceback
import textwrap
from contextlib import contextmanager
-import pwd
-import grp
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -83,8 +81,6 @@ class ReplicaConfig:
subject_base = ipautil.dn_attribute_property('_subject_base')
-log = log_mgr.get_logger(__name__)
-
def get_fqdn():
fqdn = ""
try:
@@ -974,41 +970,3 @@ def load_external_cert(files, subject_base):
ca_file.flush()
return cert_file, ca_file
-
-
-def create_system_user(name, group, homedir, shell):
- """Create a system user with a corresponding group"""
- try:
- grp.getgrnam(group)
- except KeyError:
- log.debug('Adding group %s', group)
- args = [paths.GROUPADD, '-r', group]
- try:
- ipautil.run(args)
- log.debug('Done adding group')
- except ipautil.CalledProcessError as e:
- log.critical('Failed to add group: %s', e)
- raise
- else:
- log.debug('group %s exists', group)
-
- try:
- pwd.getpwnam(name)
- except KeyError:
- log.debug('Adding user %s', name)
- args = [
- paths.USERADD,
- '-g', group,
- '-c', 'DS System User',
- '-d', homedir,
- '-s', shell,
- '-M', '-r', name,
- ]
- try:
- ipautil.run(args)
- log.debug('Done adding user')
- except ipautil.CalledProcessError as e:
- log.critical('Failed to add user: %s', e)
- raise
- else:
- log.debug('user %s exists', name)