From: Vincent Legoll <vincent.legoll@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: Alex Kost <alezost@gmail.com>,
24275@debbugs.gnu.org,
John Darrington <john@darrington.wattle.id.au>
Subject: bug#24275: Misnamed directory in GuixSD
Date: Tue, 23 Aug 2016 13:04:49 +0200
Message-ID: <CAEwRq=rhhGh1MpZef30m=Ke6Zo9NB3ARULwuEqF5Jz3DO_sFLA@mail.gmail.com>
In-Reply-To: <20160822180903.GB17367@jasmine>
[-- Attachment #1: Type: text/plain, Size: 1741 bytes --]
Hello,
On Mon, Aug 22, 2016 at 8:09 PM, Leo Famulari <leo@famulari.name> wrote:
> On Mon, Aug 22, 2016 at 10:47:51AM +0200, Vincent Legoll wrote:
>>
>> > IIUC it happens because the home directory is created only when a user
>> > is added, and is not changed when the user is modified. See (gnu build
>> > activation) module:
>> >
>> > - 'add-user' runs "useradd" with "-d" option to create home dir
>>
>> Maybe the nobody user should be special-cased, not to run useradd with
>> -d; the non-existent directory should really not exist for nobody. This is a
>> (very small?) security enhancement, I think...
>
> My Debian system uses '/nonexistent' for the nobody user's passwd entry,
> but the directory does not actually exist.
>
>> If this is the way to go, I can have a shot at it...
>>
>> > - 'modify-user' runs "usermod" without "-d" (and without "--move-home")
>> >
>> > So the home of nobody was not changed for us to '/nonexistent' when the
>> > nobody user was changed.
>> >
>> > As for me, I wouldn't like to have this directory, and I think it
>> > shouldn't be created (if it is not really needed for nobody user).
>>
>> Ditto.
>
> I don't fully understand the implications of the change, but it seems
> like a worthwhile thing to try doing. At least you might learn something
> while implementing it :)
>
> I'll let more experienced people decide if it's the right thing to do.
I came up with the attached patch, totally untested, probably wrong for some
cases...
The following is what I think I have implemented:
At account creation time, do not create directories for system? accounts.
At account modification, do not create directories, nor move existing ones,
but change them in /etc/passwd.
WDYT?
--
Vincent Legoll
[-- Attachment #2: 0001-Avoid-creating-system-user-s-home-directories.patch --]
[-- Type: text/x-patch, Size: 2346 bytes --]
From 8c83d8cebc3b440a523e714e652b266f7c37b380 Mon Sep 17 00:00:00 2001
From: Vincent Legoll <vincent.legoll@idgrilles.fr>
Date: Tue, 23 Aug 2016 12:37:57 +0200
Subject: [PATCH] Avoid creating system-user's home directories
* gnu/build/activation.scm (modify-user): pass -d to usermod command
(add-user): add system? condition to home dir creation.
Signed-off-by: Vincent Legoll <vincent.legoll@idgrilles.fr>
---
gnu/build/activation.scm | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 6666cb4..c0f54ae 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -140,9 +140,13 @@ properties. Return #t on success."
'())
,@(if comment `("-c" ,comment) '())
,@(if home
- (if (file-exists? home)
- `("-d" ,home) ; avoid warning from 'useradd'
- `("-d" ,home "--create-home"))
+ ;; system? accounts may have non existent home
+ ;; directories (for example, user nobody)
+ (if system?
+ `("-d" ,home)
+ (if (file-exists? home)
+ `("-d" ,home) ; avoid warning from 'useradd'
+ `("-d" ,home "--create-home")))
'())
,@(if shell `("-s" ,shell) '())
,@(if password `("-p" ,password) '())
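Review bot: the new `(if system? ...)` branch drops `--create-home` for every account created with `system?` set, not only for accounts like nobody whose home is deliberately nonexistent; a system account whose home is a real state directory would now depend on something other than useradd to create it. Either narrow the condition to the case the comment describes or confirm that no caller relies on useradd creating system homes. Both branches also produce `("-d" ,home)` when the directory already exists, so the nesting can be flattened to `(if (or system? (file-exists? home)) `("-d" ,home) `("-d" ,home "--create-home"))`, and the add-user docstring should mention the new behaviour for system accounts.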
@@ -169,7 +173,10 @@ properties. Return #t on success."
`("-G" ,(string-join supplementary-groups ","))
'())
,@(if comment `("-c" ,comment) '())
- ;; Don't use '--move-home', so ignore HOME.
+ ;; The home directory could have changed, but may be a
+ ;; nonexistent one, so don't use '--move-home'. Manually
+ ;; cleaning things up may be needed in such a case
+ ,@(if home `("-d" ,home) '())
,@(if shell `("-s" ,shell) '())
,name)))
(zero? (apply system* "usermod" args))))
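Review bot: passing `-d` without `--move-home` rewrites the passwd entry but leaves the previous home directory in place with its ownership intact, and, unlike the add-user path, nothing creates the new directory when a non-system account's home is changed to a path that does not exist yet. The replaced comment should state exactly that (old directory left behind, new one not created) instead of "Manually cleaning things up may be needed", and the commit message should call out the behaviour change for existing accounts, since usermod now receives `-d` for every modified account that has a home.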
--
1.9.1
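The check a practitioner would want after a change like this is to confirm that no account whose home is recorded as /nonexistent actually has that directory on disk. The script below is an added example and is not part of this message or of Guix; it assumes standard seven-field passwd lines, scans a caller-supplied tree root so a test tree or chroot can be audited, and builds a constructed fixture (a passwd file plus a stray /nonexistent directory, as the bug report describes) rather than touching the live system.

```shell
#!/bin/sh
# Added example (not part of the message or of Guix): audit a passwd file for
# accounts whose home is recorded as /nonexistent while the directory exists.
# Assumption: seven-field passwd lines (name:pw:uid:gid:gecos:home:shell).

# audit_phantom_homes PASSWD ROOT
# Prints one line per offending account; returns 0 when none, 1 when found.
# ROOT is prefixed to each home path so a test tree or chroot can be scanned;
# pass "" for the live system.
audit_phantom_homes() {
    passwd=$1
    root=$2
    found=0
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        [ "$home" = /nonexistent ] || continue
        if [ -d "$root$home" ]; then
            printf '%s uid=%s home=%s exists\n' "$name" "$uid" "$home"
            found=1
        fi
    done < "$passwd"
    return "$found"
}

# make_fixture: build a constructed tree with a passwd file and the stray
# /nonexistent directory from the bug report; echoes the tree root.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/nonexistent" "$d/home/alice"
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: scan the fixture, then show a clean pass once the
# directory is removed.
if [ "${1:-}" = demo ]; then
    tree=$(make_fixture)
    audit_phantom_homes "$tree/etc/passwd" "$tree" || echo "audit flagged the stray directory"
    rmdir "$tree/nonexistent"
    audit_phantom_homes "$tree/etc/passwd" "$tree" && echo "clean after removal"
    rm -rf "$tree"
fi
```

Run it as `sh audit.sh demo` to see both outcomes; on a real system, `audit_phantom_homes /etc/passwd ""` returning 1 means a useradd or usermod invocation created the directory the passwd entry says should not exist.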
Thread overview: 11+ messages
2016-08-20 20:11 bug#24275: Misnamed directory in GuixSD John Darrington
2016-08-21 23:14 ` Leo Famulari
2016-08-22 8:21 ` Alex Kost
2016-08-22 8:47 ` Vincent Legoll
2016-08-22 18:09 ` Leo Famulari
2016-08-23 11:04 ` Vincent Legoll [this message]
2016-08-27 23:32 ` Ludovic Courtès
2016-08-27 23:49 ` Vincent Legoll
2016-08-28 13:48 ` Ludovic Courtès
2016-08-28 14:44 ` Vincent Legoll
2016-08-29 8:04 ` Ludovic Courtès