authorDavid Kupka <dkupka@redhat.com>2014-10-22 09:07:44 -0400
committerMartin Kosek <mkosek@redhat.com>2014-11-05 15:22:51 +0100
commit364d466fd7def3589ddb9e4a9f8d73fc2df80439 (patch)
tree6a453eae45f12c1aa496ae20ade51eb7f35c5e1a
parent0b08043c37210d0f86cb0c66d659acafda0fb529 (diff)
downloadfreeipa-364d466fd7def3589ddb9e4a9f8d73fc2df80439.tar.gz
freeipa-364d466fd7def3589ddb9e4a9f8d73fc2df80439.tar.xz
freeipa-364d466fd7def3589ddb9e4a9f8d73fc2df80439.zip
Respect UID and GID soft static allocation.
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation https://fedorahosted.org/freeipa/ticket/4585 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--ipaplatform/base/tasks.py48
-rw-r--r--ipaplatform/redhat/tasks.py23
-rw-r--r--ipaserver/install/cainstance.py2
-rw-r--r--ipaserver/install/dsinstance.py2
-rw-r--r--ipaserver/install/installutils.py42
5 files changed, 73 insertions, 44 deletions
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43..f2ba81f44 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -22,7 +22,13 @@
This module contains default platform-specific implementations of system tasks.
'''
+import pwd
+import grp
from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+from ipapython import ipautil
+
+log = log_mgr.get_logger(__name__)
class BaseTaskNamespace(object):
@@ -150,5 +156,47 @@ class BaseTaskNamespace(object):
return
+ def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+ """Create a system user with a corresponding group"""
+ try:
+ grp.getgrnam(group)
+ except KeyError:
+ log.debug('Adding group %s', group)
+ args = [paths.GROUPADD, '-r', group]
+ if gid:
+ args += ['-g', str(gid)]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding group')
+ except ipautil.CalledProcessError as e:
+ log.critical('Failed to add group: %s', e)
+ raise
+ else:
+ log.debug('group %s exists', group)
+
+ try:
+ pwd.getpwnam(name)
+ except KeyError:
+ log.debug('Adding user %s', name)
+ args = [
+ paths.USERADD,
+ '-g', group,
+ '-d', homedir,
+ '-s', shell,
+ '-M', '-r', name,
+ ]
+ if uid:
+ args += ['-u', str(uid)]
+ if comment:
+ args += ['-c', comment]
+ try:
+ ipautil.run(args)
+ log.debug('Done adding user')
+ except ipautil.CalledProcessError as e:
+ log.critical('Failed to add user: %s', e)
+ raise
+ else:
+ log.debug('user %s exists', name)
+
task_namespace = BaseTaskNamespace()
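Review bot: When the requested soft-static UID is already taken on the host, the `if uid:` branch still passes `-u` to useradd, so the command fails and the `CalledProcessError` re-raised just below it aborts the whole install; the same holds for `-g` in the groupadd branch. As far as I recall the Fedora guideline linked in the commit message, "soft" static allocation means the fixed ID is used only if it is free and otherwise the tool falls back to dynamic allocation, which this code does not do. Probing with `pwd.getpwuid`/`grp.getgrgid` before appending the flag keeps those semantics and leaves a log line so an operator can tell when the fallback happened; the existing-user and existing-group branches remain unverified, which is consistent with the old helper this replaces.

```python
            args = [paths.GROUPADD, '-r', group]
            if gid:
                try:
                    grp.getgrgid(gid)
                except KeyError:
                    args += ['-g', str(gid)]
                else:
                    log.debug('GID %d already in use, falling back to dynamic allocation', gid)
            # … unchanged: run groupadd, existing-group branch, user lookup, useradd args …
            if uid:
                try:
                    pwd.getpwuid(uid)
                except KeyError:
                    args += ['-u', str(uid)]
                else:
                    log.debug('UID %d already in use, falling back to dynamic allocation', uid)
```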
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 30033b274..0386f7f9c 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -390,5 +390,28 @@ class RedHatTaskNamespace(BaseTaskNamespace):
return True
+ def create_system_user(self, name, group, homedir, shell, uid = None, gid = None, comment = None):
+ """
+ Create a system user with a corresponding group
+
+ According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
+ some system users should have fixed UID, GID and other parameters set.
+ This values should be constant and may be hardcoded.
+ Add other values for other users when needed.
+ """
+ if name == 'pkiuser':
+ if uid is None:
+ uid = 17
+ if gid is None:
+ gid = 17
+ if comment is None:
+ comment = 'CA System User'
+ if name == 'dirsrv':
+ if comment is None:
+ comment = 'DS System User'
+
+ super(RedHatTaskNamespace, self).create_system_user(name, group,
+ homedir, shell, uid, gid, comment)
+
tasks = RedHatTaskNamespace()
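Review bot: The per-user defaults are written as a chain of `if name == '...'` blocks with nested `if x is None` checks, which will grow one copy of that pattern per entry as the docstring's "Add other values for other users when needed" invites; a single lookup table keeps the soft-static IDs in one reviewable place and the merge logic written once. The docstring also reads "This values should be constant and may be hardcoded." and should be "These values are constant and may be hard-coded." The `RedHatTaskNamespace` class header is outside the hunk, so the table below is shown as a class attribute for placement only.

```python
    # Soft-static IDs per the Fedora UsersAndGroups guideline; a value is
    # applied only when the caller passed None for it.
    _SOFT_STATIC_USERS = {
        'pkiuser': {'uid': 17, 'gid': 17, 'comment': 'CA System User'},
        'dirsrv': {'comment': 'DS System User'},
    }

    def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None):
        # … unchanged: docstring …
        defaults = self._SOFT_STATIC_USERS.get(name, {})
        if uid is None:
            uid = defaults.get('uid')
        if gid is None:
            gid = defaults.get('gid')
        if comment is None:
            comment = defaults.get('comment')
        # … unchanged: super() call …
```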
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index fe9520151..96a3e8409 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -259,7 +259,7 @@ def is_ca_installed_locally():
def create_ca_user():
"""Create PKI user/group if it doesn't exist yet."""
- installutils.create_system_user(
+ tasks.create_system_user(
name=PKI_USER,
group=PKI_USER,
homedir=paths.VAR_LIB,
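Review bot: The call now depends on a module-level name `tasks` that this hunk does not introduce, and the diffstat for cainstance.py (one insertion, one deletion) shows no import being added, so it must already be bound earlier in the file; worth confirming that binding is the platform namespace object (`from ipaplatform.tasks import tasks`) rather than some other `tasks`, since a wrong one would only surface at install time. If `installutils` was imported in this module solely for `create_system_user`, that import is now dead and can go in the same commit. The body of `create_ca_user` continues past the hunk, so the remaining keyword arguments were not reviewed here.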
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6fcf916ca..06c13c21d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -151,7 +151,7 @@ def is_ds_running(server_id=''):
def create_ds_user():
"""Create DS user/group if it doesn't exist yet."""
- installutils.create_system_user(
+ tasks.create_system_user(
name=DS_USER,
group=DS_USER,
homedir=paths.VAR_LIB_DIRSRV,
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 757bc5b1b..d3f09eccb 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -29,8 +29,6 @@ from ConfigParser import SafeConfigParser, NoOptionError
import traceback
import textwrap
from contextlib import contextmanager
-import pwd
-import grp
from dns import resolver, rdatatype
from dns.exception import DNSException
@@ -84,8 +82,6 @@ class ReplicaConfig:
subject_base = ipautil.dn_attribute_property('_subject_base')
-log = log_mgr.get_logger(__name__)
-
def get_fqdn():
fqdn = ""
try:
@@ -1039,41 +1035,3 @@ def load_external_cert(files, subject_base):
ca_file.flush()
return cert_file, ca_file
-
-
-def create_system_user(name, group, homedir, shell):
- """Create a system user with a corresponding group"""
- try:
- grp.getgrnam(group)
- except KeyError:
- log.debug('Adding group %s', group)
- args = [paths.GROUPADD, '-r', group]
- try:
- ipautil.run(args)
- log.debug('Done adding group')
- except ipautil.CalledProcessError as e:
- log.critical('Failed to add group: %s', e)
- raise
- else:
- log.debug('group %s exists', group)
-
- try:
- pwd.getpwnam(name)
- except KeyError:
- log.debug('Adding user %s', name)
- args = [
- paths.USERADD,
- '-g', group,
- '-c', 'DS System User',
- '-d', homedir,
- '-s', shell,
- '-M', '-r', name,
- ]
- try:
- ipautil.run(args)
- log.debug('Done adding user')
- except ipautil.CalledProcessError as e:
- log.critical('Failed to add user: %s', e)
- raise
- else:
- log.debug('user %s exists', name)