Respect UID and GID soft static allocation.

https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-10-22 09:07:44 -04:00 · 2014-10-22 09:07:44 -04:00 · 71c24b187a
commit 71c24b187a
parent 49a73e1d6b
5 changed files with 73 additions and 44 deletions
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@ -22,7 +22,13 @@
 This module contains default platform-specific implementations of system tasks.
 '''

+import pwd
+import grp
 from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)


 class BaseTaskNamespace(object):
@ -150,5 +156,47 @@ class BaseTaskNamespace(object):

        return

+    def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+        """Create a system user with a corresponding group"""
+        try:
+            grp.getgrnam(group)
+        except KeyError:
+            log.debug('Adding group %s', group)
+            args = [paths.GROUPADD, '-r', group]
+            if gid:
+                args += ['-g', str(gid)]
+            try:
+                ipautil.run(args)
+                log.debug('Done adding group')
+            except ipautil.CalledProcessError as e:
+                log.critical('Failed to add group: %s', e)
+                raise
+        else:
+            log.debug('group %s exists', group)
+
+        try:
+            pwd.getpwnam(name)
+        except KeyError:
+            log.debug('Adding user %s', name)
+            args = [
+                paths.USERADD,
+                '-g', group,
+                '-d', homedir,
+                '-s', shell,
+                '-M', '-r', name,
+            ]
+            if uid:
+                args += ['-u', str(uid)]
+            if comment:
+                args += ['-c', comment]
+            try:
+                ipautil.run(args)
+                log.debug('Done adding user')
+            except ipautil.CalledProcessError as e:
+                log.critical('Failed to add user: %s', e)
+                raise
+        else:
+            log.debug('user %s exists', name)
+

 task_namespace = BaseTaskNamespace()
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -393,5 +393,28 @@ class RedHatTaskNamespace(BaseTaskNamespace):

        return True

+    def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+        """
+        Create a system user with a corresponding group
+
+        According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+        some system users should have fixed UID, GID and other parameters set.
+        This values should be constant and may be hardcoded.
+        Add other values for other users when needed.
+        """
+        if name == 'pkiuser':
+            if uid is None:
+                uid = 17
+            if gid is None:
+                gid = 17
+            if comment is None:
+                comment = 'CA System User'
+        if name == 'dirsrv':
+            if comment is None:
+                comment = 'DS System User'
+
+        super(RedHatTaskNamespace, self).create_system_user(name, group,
+            homedir, shell, uid, gid, comment)
+

 tasks = RedHatTaskNamespace()
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -261,7 +261,7 @@ def is_step_one_done():

 def create_ca_user():
    """Create PKI user/group if it doesn't exist yet."""
-    installutils.create_system_user(
+    tasks.create_system_user(
        name=PKI_USER,
        group=PKI_USER,
        homedir=paths.VAR_LIB,
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -152,7 +152,7 @@ def is_ds_running(server_id=''):

 def create_ds_user():
    """Create DS user/group if it doesn't exist yet."""
-    installutils.create_system_user(
+    tasks.create_system_user(
        name=DS_USER,
        group=DS_USER,
        homedir=paths.VAR_LIB_DIRSRV,
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -29,8 +29,6 @@ from ConfigParser import SafeConfigParser, NoOptionError
 import traceback
 import textwrap
 from contextlib import contextmanager
-import pwd
-import grp

 from dns import resolver, rdatatype
 from dns.exception import DNSException
@ -83,8 +81,6 @@ class ReplicaConfig:

    subject_base = ipautil.dn_attribute_property('_subject_base')

-log = log_mgr.get_logger(__name__)
-
 def get_fqdn():
    fqdn = ""
    try:
@ -974,41 +970,3 @@ def load_external_cert(files, subject_base):
    ca_file.flush()

    return cert_file, ca_file
-
-
-def create_system_user(name, group, homedir, shell):
-    """Create a system user with a corresponding group"""
-    try:
-        grp.getgrnam(group)
-    except KeyError:
-        log.debug('Adding group %s', group)
-        args = [paths.GROUPADD, '-r', group]
-        try:
-            ipautil.run(args)
-            log.debug('Done adding group')
-        except ipautil.CalledProcessError as e:
-            log.critical('Failed to add group: %s', e)
-            raise
-    else:
-        log.debug('group %s exists', group)
-
-    try:
-        pwd.getpwnam(name)
-    except KeyError:
-        log.debug('Adding user %s', name)
-        args = [
-            paths.USERADD,
-            '-g', group,
-            '-c', 'DS System User',
-            '-d', homedir,
-            '-s', shell,
-            '-M', '-r', name,
-        ]
-        try:
-            ipautil.run(args)
-            log.debug('Done adding user')
-        except ipautil.CalledProcessError as e:
-            log.critical('Failed to add user: %s', e)
-            raise
-    else:
-        log.debug('user %s exists', name)