From e1937e38e601307527022266189a4661b34f5b31 Mon Sep 17 00:00:00 2001 From: Florian Festi Date: Mon, 18 Nov 2024 14:16:29 +0100 Subject: [PATCH] Support new u! command in sysusers files systemd 257 defines a new modifier ! for u entries that locks the account by setting it as expired. See https://github.com/systemd/systemd/commit/2ec7977e1b100c1717d95417e6d825fbf939f7b3 Resolves: #3450 --- macros.in | 2 +- scripts/sysusers.sh | 21 ++++++++++++++++----- tests/data/SPECS/klang.spec | 2 +- tests/rpmi.at | 8 ++++++-- 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/macros.in b/macros.in index cb07970e13..00c9d07715 100644 --- a/macros.in +++ b/macros.in @@ -1367,7 +1367,7 @@ end name = arg[2] if arg[1] == 'g' then type = 'group' - elseif arg[1] == 'u' then + elseif arg[1] == 'u' or arg[1] == 'u!' then type = 'user' elseif arg[1] == 'm' and #arg >=3 then type = 'groupmember' diff --git a/scripts/sysusers.sh b/scripts/sysusers.sh index 22ae5f23e6..d945b281bd 100755 --- a/scripts/sysusers.sh +++ b/scripts/sysusers.sh @@ -72,6 +72,7 @@ user() { local group="$4" local home="$5" local shell="$6" + local expire="$7" [ "$desc" = '-' ] && desc= { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ @@ -90,6 +91,10 @@ user() { fi fi fi + + if [[ $expire ]]; then + usermod -e 1 "${user}" + fi } group() { @@ -109,13 +114,13 @@ addtogroup() { local group="$2" group "${group}" "-" - user "${user}" "-" "" "${group}" "" "" + user "${user}" "-" "" "${group}" "" "" "" usermod -R "$ROOT" -a -G "${group}" "$user" || : } parse() { - local line arr + local line arr expire while read -r line || [ -n "$line" ] ; do { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue @@ -123,13 +128,19 @@ parse() { [ -z "$line" ] && continue mapfile -t arr < <(xargs -n1 <<<"$line") + expire="" + case "${arr[0]}" in - ('u') + ('u' | 'u!') + if [[ "${arr[0]}" == 'u!' ]]; then + expire="1"; + fi + if [[ "${arr[2]}" == *":"* ]]; then - user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" + user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" $expire else group "${arr[1]}" "${arr[2]}" - user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" + user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" $expire fi ;; ('g') diff --git a/tests/data/SPECS/klang.spec b/tests/data/SPECS/klang.spec index cc35b87bd4..6d71de6ea0 100644 --- a/tests/data/SPECS/klang.spec +++ b/tests/data/SPECS/klang.spec @@ -47,7 +47,7 @@ EOF cat << EOF > ${RPM_BUILD_ROOT}/%{_sysusersdir}/plong.conf # Real life files have all sorts of anomalies -u plong - "Plong fu" /var/lib/plong /sbin/nologin +u! plong - "Plong fu" /var/lib/plong /sbin/nologin #...such as empty lines # and comments comments diff --git a/tests/rpmi.at b/tests/rpmi.at index 7ea6a75207..6c7b84cdfe 100644 --- a/tests/rpmi.at +++ b/tests/rpmi.at @@ -1589,7 +1589,7 @@ group(klong) = ZyBrbG9uZyAt group(plong) groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA -user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA +user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A ], [warning: ignoring unsupported sysuser type: r ]) @@ -1618,7 +1618,7 @@ group(klong) = ZyBrbG9uZyAt group(plong) groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA -user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA +user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A ], [warning: ignoring unsupported sysuser type: r ]) @@ -1660,15 +1660,19 @@ runroot rpm -V ${VERIFYOPTS} klang-client klang-common RPMTEST_CHECK([ runroot rpm -U /build/RPMS/noarch/klang-server-1.0-1.noarch.rpm runroot_other grep ^klangd /etc/passwd | cut -f1 -d: +runroot_other chage -l klangd | grep "Account expires" | cut -f2 -d: runroot_other grep ^klangd /etc/group | cut -f1 -d: runroot_other grep ^plong /etc/passwd | cut -f1 -d: +runroot_other chage -l plong | grep "Account expires" | cut -f2 -d: runroot_other grep ^klong /etc/group | cut -f4 -d: runroot rpm -V ${VERIFYOPTS} klang-server ], [0], [klangd + never klangd plong + Jan 02, 1970 klangd ], [ignore])