diff options
| author | Tim Smith <tsmith@chef.io> | 2021-08-17 08:59:16 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-08-17 08:59:16 -0700 |
| commit | f534ac51c8564651d52fe2bb144b2c0af1703768 (patch) | |
| tree | f4279dfbcb7bb925498613aed67f374973f48869 | |
| parent | 0856ded73448d706663743acd04487b3ca917867 (diff) | |
| parent | d1a2047d5dc179c55b6bb20afad3115b18a8cf29 (diff) | |
| download | chef-f534ac51c8564651d52fe2bb144b2c0af1703768.tar.gz | |
Merge pull request #11935 from chef/revert-11731
Revert 11731
| -rw-r--r-- | lib/chef/provider/user/mac.rb | 64 |
1 files changed, 32 insertions, 32 deletions
diff --git a/lib/chef/provider/user/mac.rb b/lib/chef/provider/user/mac.rb index 980aaa4bab..94b0ce0b21 100644 --- a/lib/chef/provider/user/mac.rb +++ b/lib/chef/provider/user/mac.rb @@ -143,29 +143,27 @@ class Chef # def create_user - uid = prop_is_set?(:uid) ? new_resource.uid : get_free_uid - # "sysadminctl" cannot create user with specified UID - # on Mac where Chef does not have full disk access - # But "dscl" can - run_dscl("create", "/Users/#{new_resource.username}", - "UniqueID", uid) - if prop_is_set?(:comment) - run_dscl("create", "/Users/#{new_resource.username}", - "RealName", new_resource.comment) - else - # "comment" field is optional for mac_user - # but "load_current_resource" above needs it - # otherwise it will fail - run_dscl("create", "/Users/#{new_resource.username}", - "RealName", new_resource.username) + cmd = [-"-addUser", new_resource.username] + cmd += ["-fullName", new_resource.comment] if prop_is_set?(:comment) + cmd += ["-UID", prop_is_set?(:uid) ? new_resource.uid : get_free_uid] + cmd += ["-shell", new_resource.shell] + cmd += ["-home", new_resource.home] + cmd += ["-admin"] if new_resource.admin + + # We can technically create a new user without the admin credentials + # but without them the user cannot enable SecureToken, thus they cannot + # create other secure users or enable FileVault full disk encryption. + if prop_is_set?(:admin_username) && prop_is_set?(:admin_password) + cmd += ["-adminUser", new_resource.admin_username] + cmd += ["-adminPassword", new_resource.admin_password] end - run_dscl("create", "/Users/#{new_resource.username}", - "UserShell", new_resource.shell) - run_dscl("create", "/Users/#{new_resource.username}", - "NFSHomeDirectory", new_resource.home) - if new_resource.admin - run_dscl("append", "/Groups/admin", "GroupMembership", - new_resource.username) + + # sysadminctl doesn't exit with a non-zero exit code if it encounters + # a problem. We'll check stderr and make sure we see that it finished + # correctly. + res = run_sysadminctl(cmd) + unless /creating user/.match?(res.downcase) + raise Chef::Exceptions::User, "error when creating user: #{res}" end # Wait for the user to show up in the ds cache @@ -183,6 +181,18 @@ class Chef converge_by("set password") { set_password } end + if new_resource.manage_home + # "sysadminctl -addUser" will create the home directory if it's + # the default /Users/<username>, otherwise it sets it in plist + # but does not create it. Here we'll ensure that it gets created + # if we've been given a directory that is not the default. + unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home) + converge_by("create home directory") do + shell_out!("createhomedir -c -u #{new_resource.username}") + end + end + end + if prop_is_set?(:gid) # NOTE: Here we're managing the primary group of the user which is # a departure from previous behavior. We could just set the @@ -202,16 +212,6 @@ class Chef end end - # createhomedir needs user GID set first - # otherwise createhomedir will do nothing - # Always create homedir for all users - # because "sysadminctl" does but "dscl" does not - unless ::File.directory?(new_resource.home) && ::File.exist?(new_resource.home) - converge_by("create home directory") do - shell_out!("createhomedir -c -u #{new_resource.username}") - end - end - if diverged?(:secure_token) converge_by("alter SecureToken") { toggle_secure_token } end |