From 7013d3b4cd2f572bed15532042c0ebb8d44d4da0 Mon Sep 17 00:00:00 2001
From: FĂ©lix Sipma
Date: Mon, 10 Jul 2017 19:30:13 +0200
Subject: User: add systemGroup and use it for systemAccountFor'

---
 src/Propellor/Property/User.hs | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/Propellor/Property/User.hs b/src/Propellor/Property/User.hs
index ce2611bc..0b5bdddc 100644
--- a/src/Propellor/Property/User.hs
+++ b/src/Propellor/Property/User.hs
@@ -22,17 +22,18 @@ systemAccountFor :: User -> Property DebianLike
 systemAccountFor user@(User u) = systemAccountFor' user Nothing (Just (Group u))
 
 systemAccountFor' :: User -> Maybe FilePath -> Maybe Group -> Property DebianLike
-systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go
+systemAccountFor' (User u) mhome mgroup = case mgroup of
+	Nothing -> prop
+	Just g -> prop
+		`requires` systemGroup g
 	`describe` ("system account for " ++ u)
   where
+	prop = tightenTargets $ check nouser go
 	nouser = isNothing <$> catchMaybeIO (getUserEntryForName u)
 	go = cmdProperty "adduser" $
-		[ "--system" ]
+		[ "--system", "--home" ]
 		++
-		"--home" : maybe
-			["/nonexistent", "--no-create-home"]
-			( \h -> [ h ] )
-			mhome
+		maybe ["/nonexistent", "--no-create-home"] ( \h -> [h] ) mhome
 		++
 		maybe [] ( \(Group g) -> ["--ingroup", g] ) mgroup
 		++
@@ -42,6 +43,16 @@ systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go
 	, u
 	]
 
+systemGroup :: Group -> Property UnixLike
+systemGroup (Group g) = check nogroup go
+	`describe` ("system account for " ++ g)
+  where
+	nogroup = isNothing <$> catchMaybeIO (getGroupEntryForName g)
+	go = cmdProperty "addgroup"
+		[ "--system"
+		, g
+		]
+
 -- | Removes user home directory!! Use with caution.
 nuked :: User -> Eep -> Property Linux
 nuked user@(User u) _ = tightenTargets $ check hashomedir go
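Review bot: systemAccountFor' gains behaviour the hunk leaves undocumented: when a group is given the account now `requires` systemGroup g, so the group is created before adduser runs with `--ingroup`, and `--home` is now always passed, followed by `/nonexistent --no-create-home` when no home is supplied. A Haddock on the signature line would spare readers the case analysis, e.g. `-- | Creates a system account with the given home directory (or no home at all), optionally placed in the given group, which is created as a system group first.` As a point of style, the trailing `` `describe` `` line sits at the indentation of the case alternatives and appears to rely on layout recovery to apply to the whole case expression; wrapping the case in parentheses would make that explicit. The body of systemAccountFor' continues past the end of this hunk.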
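Review bot: systemGroup describes itself as `"system account for " ++ g`, which looks copied from systemAccountFor' above; the property creates a group, so the description should read `"system group for " ++ g`. Its type is also looser than its neighbour's: addgroup comes from the same Debian adduser package as the adduser call that systemAccountFor' tightens to DebianLike, yet systemGroup is typed `Property UnixLike`, so it would be accepted for any Unix target where addgroup may not exist. `systemGroup :: Group -> Property DebianLike` with `systemGroup (Group g) = tightenTargets $ check nogroup go` keeps the two consistent. A Haddock line on the new definition would help as well, e.g. `-- | Ensures a system group with the given name exists, creating it with addgroup --system if it does not.`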
@@ -111,7 +122,7 @@ chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuc
 		hClose h
 
 lockedPassword :: User -> Property DebianLike
-lockedPassword user@(User u) = tightenTargets $ 
+lockedPassword user@(User u) = tightenTargets $
 	check (not <$> isLockedPassword user) go
 	`describe` ("locked " ++ u ++ " password")
   where
-- cgit v1.2.3