From: Brice Waegeneire
Date: Sun, 1 Aug 2021 23:24:13 +0200
To: 49814@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Subject: [bug#49814] [PATCH] accounts: Add .
Message-Id: <20210801212413.8906-1-brice@waegenei.re>
X-Mailer: git-send-email 2.32.0

Support adding supplementary groups to defined users by extending
'account-service-type'.

* gnu/system/accounts.scm (group-membership): New record.
(additional-group-members): New procedure.
* gnu/system/shadow.scm (group-memberships->users-groups): New procedure.
(account-activation accounts+groups): Add additional group memberships to
the defined users.
---
 gnu/system/accounts.scm | 19 +++++++++++++++++++
 gnu/system/shadow.scm   | 30 +++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)

As I was answered on IRC, it's already possible to add groups to an
already defined 'operating-system' by modifying its 'user' field.
However, this isn't that practical from my point of view. I would prefer
to make such a change from a service, to be able to keep a potential new
group and its members in proximity in the code. For example, when adding
an sgid dumpcap binary to be used by the wireshark group members, it makes
sense to keep the membership of that group close to the definition of the
new group and its sgid binary:

--8<---------------cut here---------------start------------->8---
(simple-service 'wireshark-account account-service-type
                (list (user-group (name "wireshark") (system? #t))
                      (additional-group-members "wireshark" %sysadmins)))

(simple-service 'wireshark-dumpcap setuid-program-service-type
                (list (setuid-program
                       (program (file-append wireshark "/bin/dumpcap"))
                       (setuid? #f)
                       (setgid? #t)
                       (group "wireshark"))))
--8<---------------cut here---------------end--------------->8---

This patch adds a new record to be used as some of the values for the
'account-service-type', which already supports 3 other different types.

diff --git a/gnu/system/accounts.scm b/gnu/system/accounts.scm index 586cff1842..c12f5644d0 100644 --- a/gnu/system/accounts.scm +++ b/gnu/system/accounts.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -39,6 +40,12 @@ user-group-id user-group-system? + group-membership + group-membership? + group-membership-name + group-membership-additional-members + additional-group-members + sexp->user-account sexp->user-group @@ -85,6 +92,12 @@ (system? user-group-system? ; Boolean (default #f))) +(define-record-type* + group-membership make-group-membership + group-membership? + (name group-membership-name) ; string + (additional-members group-membership-additional-members)) ; list of strings + (define (default-home-directory account) "Return the default home directory for ACCOUNT." (string-append "/home/" (user-account-name account))) @@ -112,3 +125,9 @@ user-account record." (create-home-directory? create-home-directory?) (shell shell) (password password) (system? system?))))) + +(define (additional-group-members group members) + "Return a object with name GROUPS and additional +MEMEBERS." + (group-membership (name group) + (additional-members members))) diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm index 7c57222716..273c1f6d87 100644 --- a/gnu/system/shadow.scm +++ b/gnu/system/shadow.scm 
@@ -3,6 +3,7 @@ ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020 Efraim Flashner +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -316,12 +317,39 @@ of user '~a' is undeclared") #$(user-account-password account) #$(user-account-system? account))) +(define (group-memberships->users-groups groups-memberships) + "Turn GROUP-MEMBERSHIPS, a list of object, into an alist +of users with additional group membership." + (let ((users (delete-duplicates (append-map group-membership-additional-members + groups-memberships)))) + (map (lambda (user) + (cons user + (filter-map + (lambda (group) + (and (member user (group-membership-additional-members group)) + (group-membership-name group))) + groups-memberships))) + users))) + (define (account-activation accounts+groups) "Return a gexp that activates ACCOUNTS+GROUPS, a list of and objects. Raise an error if a user account refers to a undefined group." + (define users-additional-groups + (group-memberships->users-groups (filter group-membership? accounts+groups))) + (define accounts - (delete-duplicates (filter user-account? accounts+groups) eq?)) + (map (lambda (user) + (let ((additional-groups (assoc-ref users-additional-groups + (user-account-name user)))) + (if additional-groups + (user-account + (inherit user) + (supplementary-groups + (delete-duplicates (append (user-account-supplementary-groups user) + additional-groups)))) + user))) + (delete-duplicates (filter user-account? accounts+groups) eq?))) (define user-specs (map user-account->gexp accounts)) -- 2.32.0
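Review bot: the docstring of `additional-group-members` (hunk `@@ -112,3 +125,9 @@` of gnu/system/accounts.scm) does not match the procedure: it says GROUPS where the parameter is named GROUP, and "MEMEBERS" is a misspelling of MEMBERS. Suggest `"Return a record with name GROUP and additional members MEMBERS, a list of user names."` so the expected type of MEMBERS is documented alongside the `; list of strings` comment on the record field.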
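Review bot: in the `account-activation` hunk (`@@ -316,12 +317,39 @@` of gnu/system/shadow.scm) a name listed in a membership's `additional-members` that matches no declared `user-account` is silently dropped: additional groups are only looked up per existing account via `(assoc-ref users-additional-groups (user-account-name user))`, so a misspelled member name produces no diagnostic and the user simply never receives the group (for the wireshark example in the cover letter, never gets to run the setgid dumpcap). Since the procedure already promises to "Raise an error if a user account refers to a undefined group", consider the symmetric check here: collect the keys of `users-additional-groups` that are not in `(map user-account-name accounts)` and raise with the same style of message, and confirm that the existing undeclared-group check runs over the rewritten `accounts` list so a `group-membership` naming an undeclared group is rejected as well. Two smaller points in the same hunk: the docstring of `account-activation` should now also list the new membership record among the objects it accepts, and `group-memberships->users-groups` names its parameter `groups-memberships` while its docstring refers to GROUP-MEMBERSHIPS; pick one spelling.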
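As an added example (not part of this patch or of Guix), here is the kind of validation step the cover letter's use case calls for when a membership grants access to something like a setgid dumpcap: it rejects a membership whose group or member names are not declared, instead of ignoring them. It assumes the accessors this patch adds to (gnu system accounts) (`group-membership-name`, `group-membership-additional-members`, `additional-group-members`) and Guix's existing `user-account`/`user-group` records.

```scheme
;; Added example, not part of the patch.  Assumes the patch is applied so
;; that (gnu system accounts) exports the group-membership accessors.
(use-modules (gnu system accounts))

(define (assert-valid-group-memberships memberships accounts groups)
  "Raise an error if any of MEMBERSHIPS names a group that is not among
GROUPS or a member that is not among ACCOUNTS."
  (let ((group-names (map user-group-name groups))
        (user-names  (map user-account-name accounts)))
    (for-each
     (lambda (membership)
       (let ((group (group-membership-name membership)))
         (unless (member group group-names)
           (error "group membership refers to undeclared group" group))
         (for-each (lambda (user)
                     (unless (member user user-names)
                       (error "group membership refers to undeclared user"
                              user group)))
                   (group-membership-additional-members membership))))
     memberships)))

;; Constructed sample data: the account "alice" exists, "bob" does not.
(define %accounts
  (list (user-account (name "alice") (group "users"))))
(define %groups
  (list (user-group (name "users"))
        (user-group (name "wireshark") (system? #t))))

;; A well-formed membership passes silently.
(assert-valid-group-memberships
 (list (additional-group-members "wireshark" '("alice")))
 %accounts %groups)

;; A misspelled or unknown member name is rejected instead of being dropped.
(catch 'misc-error
  (lambda ()
    (assert-valid-group-memberships
     (list (additional-group-members "wireshark" '("bob")))
     %accounts %groups))
  (lambda (key . args)
    (format #t "rejected as expected: ~s~%" args)))
```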