summaryrefslogtreecommitdiff
path: root/src/Propellor/Property/User.hs
diff options
context:
space:
mode:
Diffstat (limited to 'src/Propellor/Property/User.hs')
-rw-r--r--src/Propellor/Property/User.hs35
1 files changed, 25 insertions, 10 deletions
diff --git a/src/Propellor/Property/User.hs b/src/Propellor/Property/User.hs
index 76eae647..0b5bdddc 100644
--- a/src/Propellor/Property/User.hs
+++ b/src/Propellor/Property/User.hs
@@ -22,17 +22,18 @@ systemAccountFor :: User -> Property DebianLike
systemAccountFor user@(User u) = systemAccountFor' user Nothing (Just (Group u))
systemAccountFor' :: User -> Maybe FilePath -> Maybe Group -> Property DebianLike
-systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go
+systemAccountFor' (User u) mhome mgroup = case mgroup of
+ Nothing -> prop
+ Just g -> prop
+ `requires` systemGroup g
`describe` ("system account for " ++ u)
where
+ prop = tightenTargets $ check nouser go
nouser = isNothing <$> catchMaybeIO (getUserEntryForName u)
go = cmdProperty "adduser" $
- [ "--system" ]
+ [ "--system", "--home" ]
++
- "--home" : maybe
- ["/nonexistent", "--no-create-home"]
- ( \h -> [ h ] )
- mhome
+ maybe ["/nonexistent", "--no-create-home"] ( \h -> [h] ) mhome
++
maybe [] ( \(Group g) -> ["--ingroup", g] ) mgroup
++
@@ -42,8 +43,18 @@ systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go
, u
]
+systemGroup :: Group -> Property UnixLike
+systemGroup (Group g) = check nogroup go
+ `describe` ("system account for " ++ g)
+ where
+ nogroup = isNothing <$> catchMaybeIO (getGroupEntryForName g)
+ go = cmdProperty "addgroup"
+ [ "--system"
+ , g
+ ]
+
-- | Removes user home directory!! Use with caution.
-nuked :: User -> Eep -> Property DebianLike
+nuked :: User -> Eep -> Property Linux
nuked user@(User u) _ = tightenTargets $ check hashomedir go
`describe` ("nuked user " ++ u)
where
@@ -97,8 +108,12 @@ setPassword getpassword = getpassword $ go
-- | Makes a user's password be the passed String. Highly insecure:
-- The password is right there in your config file for anyone to see!
hasInsecurePassword :: User -> String -> Property DebianLike
-hasInsecurePassword u@(User n) p = property (n ++ " has insecure password") $
- chpasswd u p []
+hasInsecurePassword u@(User n) p = go
+ `requires` shadowConfig True
+ where
+ go :: Property DebianLike
+ go = property (n ++ " has insecure password") $
+ chpasswd u p []
chpasswd :: User -> String -> [String] -> Propellor Result
chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuccess
@@ -107,7 +122,7 @@ chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuc
hClose h
lockedPassword :: User -> Property DebianLike
-lockedPassword user@(User u) = tightenTargets $
+lockedPassword user@(User u) = tightenTargets $
check (not <$> isLockedPassword user) go
`describe` ("locked " ++ u ++ " password")
where