Google Git
Sign in
cos / mirrors / cros / chromiumos / overlays / eclass-overlay / 93296b04632a3ae9535ef15f6ed4cdd565479064 / . / profiles / base / accounts / README
blob: 5782fb844f84a0d8dbb142f77d08e57eadfae733 [file] [log] [blame]
In accordance with http://www.gentoo.org/proj/en/glep/glep-0027.html,
Chromium OS has implemented a mechanism that allows users and groups
to be managed stably and centrally for a given build profile. Each
user and group is defined in a file underneath the appropriate
profiles/base/accounts/ subdirectory.
For example, the 'chronos' user is defined as follows in a file at
profiles/base/accounts/user/chronos:
user:chronos
password:*
uid:1000
gid:1000
gecos:system_user
home:/home/chronos/user
shell:/bin/bash
The 'cras' group is defined in a similarly constructed file at
profiles/base/accounts/group/cras:
group:cras
password:!
gid:220
users:chronos,power
Notice how the membership of the group is provided in the group
definition, even though traditionally this is done at user-creation
time.
The password field can be set to one of the following:
! - The account is locked and may not be logged into (This is the default).
* - No password yet, but the account has the ability to have one added,
so this should be used for accounts that people expect to have a password
set for, or want to otherwise login as remotely.
x - The password is shadowed but the account is for an internal feature;
people should not set a password themselves.
An encrypted password as per crypt(3).
---------
Choosing UIDs and GIDs
Every UID on CrOS has an associated GID with the same value. The
opposite does not hold true, however.
CrOS system daemon UIDs (and associated GIDs) range from 200-299. If
you're creating a new user, pick the first UID in this range that is
not currently used, and create both a user and a group with this ID.
FUSE-based filesystem daemons have UID/GIDs that range from 300-399.
If you're adding a daemon that will be talking to cros_disks and
managing some kind of volumes (archives mounted as volumes, external
disks, network-mounted storage, etc.) then you should create a user
and group with IDs in this range
Groups that have no associated user should be given GIDs in the 400 range.
The 'chronos' user, which all user-facing processes in CrOS run as, is
UID/GID 1000. There is also a special user/group that has access to
many resources owned by chronos, called 'chronos-access', which has
the UID/GID 1001.
---------
Creating users and groups in ebuilds.
The API implemented by the CrOS-specific user.eclass is compatible with that
provided by the upstream user.eclass.
enewuser cras # Creates a user called 'cras' with the pre-specified UID.
enewgroup cras # Ditto for the group.
You can choose to specify other fields when calling the functions to create
new users and groups, but the eclass will bail if the values you choose conflict
with those in the DB.
Calls to enewuser and enewgroup are allowed ONLY in three ebuild stanzas:
pkg_setup() - Make the calls here if you need to chown/chgrp files using the
accounts you're creating.
pkg_preinst() - Make the calls here if you just need the accounts to exist
at runtime.
pkg_postinst() - Try to avoid making the calls here. If you need a failed
account creation to be non-fatal, then you can add them here.