authorRob Crittenden <rcritten@redhat.com>2012-02-28 23:05:06 -0500
committerMartin Kosek <mkosek@redhat.com>2012-02-29 22:36:41 +0100
commitee337ec46eea9bc185bfe9996721e7807f07da61 (patch)
tree032f804fc528b2478488167a8472dff64834517b
parentd5fbb878eee78eeccae0baca12f38a29ed07085d (diff)
Don't delete system users that are added during installation.
We don't want to run the risk of adding a user, uninstalling it, the system adding a new user (for another package install for example) and then re-installing IPA. This wreaks havoc with file and directory ownership. https://fedorahosted.org/freeipa/ticket/2423
-rwxr-xr-xinstall/tools/ipa-server-install13
-rw-r--r--ipaserver/install/cainstance.py24
-rw-r--r--ipaserver/install/dsinstance.py15
3 files changed, 9 insertions, 43 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 47f999b4..c379dd77 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -475,16 +475,6 @@ def uninstall():
sstore._load()
group_exists = sstore.restore_state("install", "group_exists")
- if group_exists == False:
- try:
- grp.getgrnam(dsinstance.DS_GROUP)
- try:
- ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
- except ipautil.CalledProcessError, e:
- root_logger.critical("failed to delete group %s" % e)
- rv = 1
- except KeyError:
- root_logger.info("Group %s already removed", dsinstance.DS_GROUP)
ipaservices.knownservices.ipa.disable()
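Review bot: The value assigned by `group_exists = sstore.restore_state("install", "group_exists")` in uninstall() is no longer read after this change, and nothing explains why the call stays. It presumably remains so that a `group_exists` entry saved by an older install is cleared from the state store. A comment above the call would make that explicit, for example `# Kept only to clear state saved by older installs; the group itself is no longer removed.`, and the unused assignment could then be dropped. The same applies to the `user_exists = self.restore_state("user_exists")` lines left in the uninstall hunks of cainstance.py and dsinstance.py. uninstall() starts and ends outside this hunk.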
@@ -855,16 +845,13 @@ def main():
try:
grp.getgrnam(dsinstance.DS_GROUP)
root_logger.debug("ds group %s exists" % dsinstance.DS_GROUP)
- group_exists = True
except KeyError:
- group_exists = False
args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
try:
ipautil.run(args)
root_logger.debug("done adding DS group")
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add DS group: %s" % e)
- sstore.backup_state("install", "group_exists", group_exists)
# Configure ntpd
if options.conf_ntp:
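Review bot: The branch where `grp.getgrnam(dsinstance.DS_GROUP)` succeeds accepts whatever group already has that name and records it only at debug level. Because accounts are no longer removed on uninstall, a re-install will normally take this branch, so the installer cannot tell a group left by a previous IPA install from one created by something else. Binding the lookup result and logging its gid would leave an audit trail for later ownership questions, for example `root_logger.info("reusing existing group %s (gid %d)" % (dsinstance.DS_GROUP, gr.gr_gid))`. The same pattern appears in `__create_ds_user` and `__create_ca_user` in cainstance.py and `__create_ds_user` in dsinstance.py, where the uid and primary group of a reused user could be logged. The enclosing block of main() continues outside this hunk.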
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d2c8d057..345a8c2d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -274,12 +274,10 @@ class CADSInstance(service.Service):
GROUP=dsinstance.DS_GROUP)
def __create_ds_user(self):
- user_exists = True
try:
pwd.getpwnam(PKI_DS_USER)
root_logger.debug("ds user %s exists" % PKI_DS_USER)
except KeyError:
- user_exists = False
root_logger.debug("adding ds user %s" % PKI_DS_USER)
args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
"-c", "PKI DS System User",
@@ -292,8 +290,6 @@ class CADSInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
- self.backup_state("user_exists", user_exists)
-
def __create_instance(self):
self.backup_state("running", dsinstance.is_ds_running())
self.backup_state("serverid", self.serverid)
@@ -406,11 +402,9 @@ class CADSInstance(service.Service):
user_exists = self.restore_state("user_exists")
- if user_exists == False:
- try:
- ipautil.run(["/usr/sbin/userdel", PKI_DS_USER])
- except ipautil.CalledProcessError, e:
- root_logger.critical("failed to delete user %s" % e)
+ # At one time we removed this user on uninstall. That can potentially
+ # orphan files, or worse, if another useradd runs in the intermim,
+ # cause files to have a new owner.
class CAInstance(service.Service):
"""
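Review bot: The added comment misspells "interim" as "intermim", here and in the two identical comments added to CAInstance's uninstall in this file and to dsinstance.py. In this hunk the comment also follows the `restore_state("user_exists")` call, while the other two hunks put it before the call, so it reads as if it describes the next class. A placement above the call with wording such as `# We no longer remove this user on uninstall: that can orphan files or, if another useradd runs in the interim, give them a new owner.` would be consistent across all three. The enclosing uninstall method starts outside this hunk.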
@@ -566,12 +560,10 @@ class CAInstance(service.Service):
# so actual enablement is delayed.
def __create_ca_user(self):
- user_exists = True
try:
pwd.getpwnam(PKI_USER)
root_logger.debug("ca user %s exists" % PKI_USER)
except KeyError:
- user_exists = False
root_logger.debug("adding ca user %s" % PKI_USER)
args = ["/usr/sbin/useradd", "-c", "CA System User",
"-d", "/var/lib",
@@ -583,8 +575,6 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
- self.backup_state("user_exists", user_exists)
-
def __configure_instance(self):
preop_pin = get_preop_pin(self.server_root, PKI_INSTANCE_NAME)
@@ -1064,12 +1054,10 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to uninstall CA instance %s" % e)
+ # At one time we removed this user on uninstall. That can potentially
+ # orphan files, or worse, if another useradd runs in the intermim,
+ # cause files to have a new owner.
user_exists = self.restore_state("user_exists")
- if user_exists == False:
- try:
- ipautil.run(["/usr/sbin/userdel", PKI_USER])
- except ipautil.CalledProcessError, e:
- root_logger.critical("failed to delete user %s" % e)
def publish_ca_cert(self, location):
args = ["-L", "-n", self.canickname, "-a"]
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c66f2a7f..5b5b24ca 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -288,12 +288,10 @@ class DsInstance(service.Service):
)
def __create_ds_user(self):
- user_exists = True
try:
pwd.getpwnam(DS_USER)
root_logger.debug("ds user %s exists" % DS_USER)
except KeyError:
- user_exists = False
root_logger.debug("adding ds user %s" % DS_USER)
args = ["/usr/sbin/useradd", "-g", DS_GROUP,
"-c", "DS System User",
@@ -306,8 +304,6 @@ class DsInstance(service.Service):
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
- self.backup_state("user_exists", user_exists)
-
def __create_instance(self):
self.backup_state("running", is_ds_running())
self.backup_state("serverid", self.serverid)
@@ -624,16 +620,11 @@ class DsInstance(service.Service):
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
+ # At one time we removed this user on uninstall. That can potentially
+ # orphan files, or worse, if another useradd runs in the intermim,
+ # cause files to have a new owner.
user_exists = self.restore_state("user_exists")
- if user_exists == False:
- pent = pwd.getpwnam(DS_USER)
- installutils.remove_file("/var/tmp/ldap_%d" % pent.pw_uid)
- try:
- ipautil.run(["/usr/sbin/userdel", DS_USER])
- except ipautil.CalledProcessError, e:
- root_logger.critical("failed to delete user %s" % e)
-
# Make sure some upgrade-related state is removed. This could cause
# re-installation problems.
self.restore_state('nsslapd-port')
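Review bot: Removing the whole `if user_exists == False:` block also removes the cleanup of `/var/tmp/ldap_<uid>`, which is separate from deleting the account, so that file now survives every uninstall. If it holds DS-owned data (it looks like a per-uid cache, but that is not visible here), leaving it in a shared temporary directory is worth avoiding. The removal can stay while `userdel` goes, with the uid lookup guarded so that a missing user does not raise. The old code ran this cleanup only when IPA had created the user, so confirm the file is always IPA's to remove; the uninstall method starts above this hunk and continues below it.

```python
# … unchanged: untrack_server_cert / erase_ds_instance_data …
user_exists = self.restore_state("user_exists")
try:
    pent = pwd.getpwnam(DS_USER)
except KeyError:
    pent = None
if pent is not None:
    installutils.remove_file("/var/tmp/ldap_%d" % pent.pw_uid)
# … unchanged: upgrade-related restore_state calls …
```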