Support new u! command in sysusers files

systemd 257 defines a new modifier ! for u entries that locks the account by setting it as expired. See systemd/systemd@2ec7977 Resolves: #3450
rpm-software-management · Dec 6, 2024 · 2347060 · 2347060
1 parent 581a961
commit 2347060
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 13 deletions.
diff --git a/docs/manual/users_and_groups.md b/docs/manual/users_and_groups.md
@@ -41,10 +41,10 @@ to weaken these into recommends-dependencies by setting
 
 ## Limitations
 
-At this time, rpm only supports the `u`, `g` and (since RPM 4.20) `m`
-directives of sysusers.d format and ignores others. If other
-directives are needed, the package will need to call systemd-sysusers
-with the correct arguments manually.
+At this time, rpm only supports the `u`, `g`, (since RPM 4.20) `m`
+and (since RPM 6.0) the `u!` directives of sysusers.d format and
+ignores others. If other directives are needed, the package will need
+to call systemd-sysusers with the correct arguments manually.
 
 ## Technical details
 

diff --git a/macros.in b/macros.in
@@ -1367,7 +1367,7 @@ end
     name = arg[2]
     if arg[1] == 'g' then
         type = 'group'
-    elseif arg[1] == 'u' then
+    elseif arg[1] == 'u' or arg[1] == 'u!' then
         type = 'user'
     elseif arg[1] == 'm' and #arg >=3 then
         type = 'groupmember'

diff --git a/scripts/sysusers.sh b/scripts/sysusers.sh
@@ -72,6 +72,7 @@ user() {
 	local group="$4"
 	local home="$5"
 	local shell="$6"
+	local expire="$7"
 
 	[ "$desc" = '-' ] && desc=
 	{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
@@ -90,6 +91,10 @@ user() {
 			fi
 		fi
 	fi
+
+	if [[ $expire ]]; then
+	    usermod -e 1 "${user}"
+	fi
 }
 
 group() {
@@ -109,27 +114,33 @@ addtogroup() {
 	local group="$2"
 
 	group "${group}" "-"
-	user "${user}" "-" "" "${group}" "" ""
+	user "${user}" "-" "" "${group}" "" "" ""
 
 	usermod -R "$ROOT" -a -G "${group}" "$user" || :
 }
 
 parse() {
-	local line arr
+	local line arr expire
 
 	while read -r line || [ -n "$line" ] ; do
 		{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
 		line="${line## *}"
 		[ -z "$line" ] && continue
 		mapfile -t arr < <(xargs -n1 <<<"$line")
 
+		expire=""
+
 		case "${arr[0]}" in
-			('u')
+			('u' | 'u!')
+				if [[ "${arr[0]}" == 'u!' ]]; then
+					expire="1";
+				fi
+
 				if [[ "${arr[2]}" == *":"* ]]; then
-					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
+					user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" $expire
 				else
 					group "${arr[1]}" "${arr[2]}"
-					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+					user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" $expire
 				fi
 				;;
 			('g')

diff --git a/tests/data/SPECS/klang.spec b/tests/data/SPECS/klang.spec
@@ -47,7 +47,7 @@ EOF
 cat << EOF > ${RPM_BUILD_ROOT}/%{_sysusersdir}/plong.conf
 
 # Real life files have all sorts of anomalies
-u plong - "Plong fu" /var/lib/plong /sbin/nologin
+u! plong - "Plong fu" /var/lib/plong /sbin/nologin
 #...such as empty lines
 
 # and comments comments

diff --git a/tests/rpmi.at b/tests/rpmi.at
@@ -1589,7 +1589,7 @@ group(klong) = ZyBrbG9uZyAt
 group(plong)
 groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA
 user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA
-user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA
+user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A
 ],
 [warning: ignoring unsupported sysuser type: r
 ])
@@ -1618,7 +1618,7 @@ group(klong) = ZyBrbG9uZyAt
 group(plong)
 groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA
 user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA
-user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA
+user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A
 ],
 [warning: ignoring unsupported sysuser type: r
 ])
@@ -1660,15 +1660,19 @@ runroot rpm -V ${VERIFYOPTS} klang-client klang-common
 RPMTEST_CHECK([
 runroot rpm -U /build/RPMS/noarch/klang-server-1.0-1.noarch.rpm
 runroot_other grep ^klangd /etc/passwd | cut -f1 -d:
+runroot_other chage -l klangd | grep "Account expires" | cut -f2 -d:
 runroot_other grep ^klangd /etc/group | cut -f1 -d:
 runroot_other grep ^plong /etc/passwd | cut -f1 -d:
+runroot_other chage -l plong | grep "Account expires" | cut -f2 -d:
 runroot_other grep ^klong /etc/group | cut -f4 -d:
 runroot rpm -V ${VERIFYOPTS} klang-server
 ],
 [0],
 [klangd
+ never
 klangd
 plong
+ Jan 02, 1970
 klangd
 ],
 [ignore])