From a92f24cea03a985f324668bf6a55c763786d5aa7 Mon Sep 17 00:00:00 2001
From: Martin Horak
Date: Fri, 3 Aug 2018 14:24:05 +0200
Subject: [PATCH] Changes in user management:
- Allow to specify primary gid for user
- Use user.name field for setting linux username
- Allow non-unique uids
- Workaround file.directory bug for non-unique uids
- Allow system users (Choose UID in the range of FIRST_SYSTEM_UID and LAST_SYSTEM_UID)
---
 README.rst | 10 ++++++++++
 linux/system/user.sls | 41 ++++++++++++++++++++++++++---------------
 2 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/README.rst b/README.rst
index 50e1b133..9c0202f1 100644
--- a/README.rst
+++ b/README.rst
@@ -69,6 +69,16 @@ Linux with system users, some with password set:
 full_name: 'With hased password'
 home: '/home/elizabeth'
 password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
+ someserv:
+ name: 'someservice'
+ enabled: true
+ full_name: 'Some super service owner'
+ home: '/usr/lib/someservice'
+ home_dir_mode: 700
+ system:true
+ unique: false
+ uid: 0
+ gid: 0
 Configure sudo for users and groups under ``/etc/sudoers.d/``. This ways ``linux.system.sudo`` pillar map to actual sudo attributes:
diff --git a/linux/system/user.sls b/linux/system/user.sls
index 7a0c98b1..b72bfbe6 100644
--- a/linux/system/user.sls
+++ b/linux/system/user.sls
@@ -16,16 +16,16 @@ include:
 {%- endfor %}
 {%- if user.gid is not defined %}
-system_group_{{ name }}:
+system_group_{{ user.name }}:
 group.present:
- - name: {{ name }}
+ - name: {{ user.name }}
 - require_in:
- - user: system_user_{{ name }}
+ - user: system_user_{{ user.name }}
 {%- endif %}
-system_user_{{ name }}:
+system_user_{{ user.name }}:
 user.present:
- - name: {{ name }}
+ - name: {{ user.name }}
 - home: {{ user.home }}
 {% if user.get('password') == False %}
 - enforce_password: false
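Review bot: Every `{{ name }}` in this hunk becomes `{{ user.name }}` with no fallback, so a pillar entry that has no `name` key (the `elizabeth` example visible in the README hunk shows none) renders an empty or undefined name and the `system_group_`/`system_user_` state ids and `name` arguments collapse onto the same bare value. Bind the name once at the top of the loop body, `{%- set user_name = user.get('name', name) %}`, and use `{{ user_name }}` wherever `{{ user.name }}` is now written, which keeps the dictionary key as the default the formula used before this commit. The same applies to the renames in the three later hunks of user.sls (the `gid` branch, the `uid`/home-directory/sudoers hunk and the `user.absent` hunk). The enclosing `for` loop over the pillar users starts outside the hunk.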
@@ -37,7 +37,11 @@ system_user_{{ name }}:
 - password: {{ user.password }}
 - hash_password: {{ user.get('hash_password', False) }}
 {% endif %}
+ {%- if user.gid is defined %}
+ - gid: {{ user.gid }}
+ {%- else %}
 - gid_from_name: true
+ {%- endif %}
 {%- if user.groups is defined %}
 - groups: {{ user.groups }}
 {%- endif %}
@@ -47,23 +51,30 @@ system_user_{{ name }}:
 {%- else %}
 - shell: {{ user.get('shell', '/bin/bash') }}
 {%- endif %}
- {%- if user.uid is defined and user.uid %}
+ {%- if user.uid is defined %}
 - uid: {{ user.uid }}
 {%- endif %}
+ {%- if user.unique is defined %}
+ - unique: {{ user.unique }}
+ {%- endif %}
 - require: {{ requires|yaml }}
 system_user_home_{{ user.home }}:
 file.directory:
 - name: {{ user.home }}
- - user: {{ name }}
+ {%- if user.uid is defined and user.uid == 0 %}
+ - user: root
+ {%- else %}
+ - user: {{ user.name }}
+ {%- endif %}
 - mode: {{ user.get('home_dir_mode', 700) }}
 - makedirs: true
 - require:
- - user: system_user_{{ name }}
+ - user: system_user_{{ user.name }}
 {%- if user.get('sudo', False) %}
-/etc/sudoers.d/90-salt-user-{{ name|replace('.', '-') }}:
+/etc/sudoers.d/90-salt-user-{{ user.name|replace('.', '-') }}:
 file.managed:
 - source: salt://linux/files/sudoer
 - template: jinja
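Review bot: When `user.gid` is set, the new branch drops `gid_from_name: true`, and the earlier hunk also skips the `system_group_*` state in that case, so `user.present` now relies on a group with that gid already existing on the minion; a pillar that names a gid nobody created fails at state run rather than at render time, and nothing in the state says so. A Jinja comment above the branch, `{# gid given explicitly: the group is not created by this formula and must already exist #}`, would make the contract visible, or the formula could `require` a group state when it manages that group. The enclosing `user.present` state starts outside the hunk.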
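Review bot: The `system` pillar key that this commit documents in README.rst (`system:true`, which also needs the space after the colon to parse as a key) is never consumed in this hunk: the new `uid` and `unique` branches are emitted, but nothing passes `system` through to `user.present`, so an entry without an explicit `uid` is still allocated from the normal range. Add beside the `unique` branch: `{%- if user.system is defined %}` / `- system: {{ user.system }}` / `{%- endif %}`. The home-directory workaround only special-cases `user.uid == 0` by hard-coding `root`, so every other non-unique uid still hands `file.directory` the duplicated user name, which is the case the commit message says it works around; handing it the numeric id instead would presumably cover all cases, but whether `file.directory` accepts that depends on the Salt version in use. Note also that `user.uid is defined` now admits `uid: 0`, so an entry with `uid: 0` and `unique: false` creates a second uid-0 login; the formula should make that combination explicit (for example by refusing `uid: 0` unless `unique` is set to false in the same entry) rather than leaving `user.present` to surface it as a failed or, worse, a silently successful state.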
@@ -71,29 +82,29 @@ system_user_home_{{ user.home }}:
 - group: root
 - mode: 440
 - defaults:
- user_name: {{ name }}
+ user_name: {{ user.name }}
 - require:
- - user: system_user_{{ name }}
+ - user: system_user_{{ user.name }}
 - check_cmd: /usr/sbin/visudo -c -f
 {%- else %}
-/etc/sudoers.d/90-salt-user-{{ name|replace('.', '-') }}:
+/etc/sudoers.d/90-salt-user-{{ user.name|replace('.', '-') }}:
 file.absent
 {%- endif %}
 {%- else %}
-system_user_{{ name }}:
+system_user_{{ user.name }}:
 user.absent:
- - name: {{ name }}
+ - name: {{ user.name }}
 system_user_home_{{ user.home }}:
 file.absent:
 - name: {{ user.home }}
-/etc/sudoers.d/90-salt-user-{{ name|replace('.', '-') }}:
+/etc/sudoers.d/90-salt-user-{{ user.name|replace('.', '-') }}:
 file.absent
 {%- endif %}