Add a poison-pill field to deprecated accounts
CrOS has some users and groups that are dead, and the UID/GIDs should not be re-used.
Enshrine this knowledge by adding a 'defunct' field to the
user and group specifications that should no longer be used.
The build will die if someone attempts to install such a user.
BUG=chromium:376518
TEST=create an ebuild that tries to 'enewuser tor' and emerge it
Change-Id: I9651824fa7489a3eeae0d8495acdee9a5caf5f15
Reviewed-on: https://chromium-review.googlesource.com/202180
Tested-by: Chris Masone <cmasone@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Chris Masone <cmasone@chromium.org>
diff --git a/eclass/user.eclass b/eclass/user.eclass
index 8f25c93..29a55e0 100644
--- a/eclass/user.eclass
+++ b/eclass/user.eclass
@@ -111,7 +111,7 @@
[[ ${#ACCOUNTS_DIRS[@]} -eq 0 ]] && die "Must populate ACCOUNTS_DIRS!"
case ${key} in
- user|password|uid|gid|gecos|home|shell) ;;
+ user|password|uid|gid|gecos|home|shell|defunct) ;;
*) die "sorry, '${key}' is not a field in the passwd db." ;;
esac
@@ -131,7 +131,7 @@
[[ ${#ACCOUNTS_DIRS[@]} -eq 0 ]] && die "Must populate ACCOUNTS_DIRS!"
case ${key} in
- group|password|gid|users) ;;
+ group|password|gid|users|defunct) ;;
*) die "sorry, '${key}' is not a field in the group db." ;;
esac
@@ -268,6 +268,8 @@
# Ensure username exists in profile.
if [[ -z $(_get_value_for_user "${euser}" user) ]] ; then
die "'${euser}' does not exist in profile!"
+ elif [[ -n $(_get_value_for_user "${euser}" defunct) ]] ; then
+ die "'${euser}' was used previously and is now disallowed."
fi
einfo "Adding user '${euser}' to your system ..."
@@ -408,6 +410,8 @@
# Ensure group exists in profile.
if [[ -z $(_get_value_for_group "${egroup}" group) ]] ; then
die "Config for ${egroup} not present in profile!"
+ elif [[ -n $(_get_value_for_group "${egroup}" defunct) ]] ; then
+ die "'${egroup}' was used previously and is now disallowed."
fi
einfo "Adding group '${egroup}' to your system ..."
diff --git a/profiles/base/accounts/display-accts.py b/profiles/base/accounts/display-accts.py
index 333fcf4..a28b0d8 100755
--- a/profiles/base/accounts/display-accts.py
+++ b/profiles/base/accounts/display-accts.py
@@ -15,9 +15,10 @@
# Objects to hold group/user accounts.
-Group = collections.namedtuple('Group', ['group', 'password', 'gid', 'users'])
+Group = collections.namedtuple('Group', ['group', 'password', 'gid', 'users',
+ 'defunct'])
User = collections.namedtuple('User', ['user', 'password', 'uid', 'gid',
- 'gecos', 'home', 'shell'])
+ 'gecos', 'home', 'shell', 'defunct'])
def _ParseAccount(content, obj, defaults):
@@ -45,6 +46,7 @@
defaults = {
'password': '!',
'users': '',
+ 'defunct': '',
}
return _ParseAccount(content, Group, defaults)
@@ -56,6 +58,7 @@
'home': '/dev/null',
'password': '!',
'shell': '/bin/false',
+ 'defunct': '',
}
return _ParseAccount(content, User, defaults)
@@ -127,6 +130,7 @@
('group', ''),
('password', 'pass'),
('users', ''),
+ ('defunct', ''),
)
DisplayAccounts(groups, order)
@@ -141,6 +145,7 @@
('home', ''),
('password', 'pass'),
('gecos', ''),
+ ('defunct', ''),
)
DisplayAccounts(users, order)
diff --git a/profiles/base/accounts/group/cashew b/profiles/base/accounts/group/cashew
new file mode 100644
index 0000000..e26fb81
--- /dev/null
+++ b/profiles/base/accounts/group/cashew
@@ -0,0 +1,4 @@
+group:cashew
+gid:211
+users:
+defunct:true
diff --git a/profiles/base/accounts/group/gavd b/profiles/base/accounts/group/gavd
new file mode 100644
index 0000000..5373704
--- /dev/null
+++ b/profiles/base/accounts/group/gavd
@@ -0,0 +1,4 @@
+group:gavd
+gid:221
+users:
+defunct:true
diff --git a/profiles/base/accounts/group/ntp b/profiles/base/accounts/group/ntp
index 5a4019c..823c659 100644
--- a/profiles/base/accounts/group/ntp
+++ b/profiles/base/accounts/group/ntp
@@ -1,3 +1,4 @@
group:ntp
gid:203
users:
+defunct:true
diff --git a/profiles/base/accounts/group/polkituser b/profiles/base/accounts/group/polkituser
index 2f6ca59..9663c45 100644
--- a/profiles/base/accounts/group/polkituser
+++ b/profiles/base/accounts/group/polkituser
@@ -1,3 +1,4 @@
group:polkituser
gid:206
users:
+defunct:true
diff --git a/profiles/base/accounts/group/proxystate b/profiles/base/accounts/group/proxystate
index 6adf3a9..727383d 100644
--- a/profiles/base/accounts/group/proxystate
+++ b/profiles/base/accounts/group/proxystate
@@ -1,3 +1,4 @@
group:proxystate
gid:227
users:
+defunct:true
diff --git a/profiles/base/accounts/group/tor b/profiles/base/accounts/group/tor
index dcbec00..d19f085 100644
--- a/profiles/base/accounts/group/tor
+++ b/profiles/base/accounts/group/tor
@@ -1,3 +1,4 @@
group:tor
gid:214
users:
+defunct:true
diff --git a/profiles/base/accounts/group/tpmd b/profiles/base/accounts/group/tpmd
index 764c64e..c20e4fd 100644
--- a/profiles/base/accounts/group/tpmd
+++ b/profiles/base/accounts/group/tpmd
@@ -1,3 +1,4 @@
group:tpmd
gid:225
users:
+defunct:true
diff --git a/profiles/base/accounts/user/cashew b/profiles/base/accounts/user/cashew
new file mode 100644
index 0000000..a9b77f1
--- /dev/null
+++ b/profiles/base/accounts/user/cashew
@@ -0,0 +1,7 @@
+user:cashew
+uid:211
+gid:211
+gecos:Deprecated
+home:/dev/null
+shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/gavd b/profiles/base/accounts/user/gavd
new file mode 100644
index 0000000..1c4c7b6
--- /dev/null
+++ b/profiles/base/accounts/user/gavd
@@ -0,0 +1,7 @@
+user:gavd
+uid:221
+gid:221
+gecos:Deprecated audio daemon user
+home:/dev/null
+shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/ntp b/profiles/base/accounts/user/ntp
index e753c92..7fa6453 100644
--- a/profiles/base/accounts/user/ntp
+++ b/profiles/base/accounts/user/ntp
@@ -1,6 +1,7 @@
user:ntp
uid:203
gid:203
-gecos:ntp, perhaps unused
+gecos:network time protocol daemon
home:/dev/null
shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/polkituser b/profiles/base/accounts/user/polkituser
index 672ae18..de647fb 100644
--- a/profiles/base/accounts/user/polkituser
+++ b/profiles/base/accounts/user/polkituser
@@ -4,3 +4,4 @@
gecos:policykit, perhaps unused
home:/dev/null
shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/proxystate b/profiles/base/accounts/user/proxystate
index 4b826c4..28a9385 100644
--- a/profiles/base/accounts/user/proxystate
+++ b/profiles/base/accounts/user/proxystate
@@ -4,3 +4,4 @@
gecos:proxy monitoring
home:/dev/null
shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/tor b/profiles/base/accounts/user/tor
index 7cd6575..ea279e6 100644
--- a/profiles/base/accounts/user/tor
+++ b/profiles/base/accounts/user/tor
@@ -4,3 +4,4 @@
gecos:tor, perhaps unused
home:/dev/null
shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/tpmd b/profiles/base/accounts/user/tpmd
index a8816a3..edbeaf2 100644
--- a/profiles/base/accounts/user/tpmd
+++ b/profiles/base/accounts/user/tpmd
@@ -4,3 +4,4 @@
gecos:TPM daemon
home:/dev/null
shell:/bin/false
+defunct:true
