1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
#
# Author:: Stephen Nelson-Smith (<sns@chef.io>)
# Author:: Jon Ramsey (<jonathon.ramsey@gmail.com>)
# Author:: Dave Eddy (<dave@daveeddy.com>)
# Copyright:: Copyright (c) Chef Software Inc.
# Copyright:: Copyright 2015-2016, Dave Eddy
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require_relative "../user"
class Chef
class Provider
class User
class Solaris < Chef::Provider::User
provides :solaris_user
provides :user, os: %w{openindiana opensolaris illumos omnios solaris2 smartos}
PASSWORD_FILE = "/etc/shadow".freeze
def create_user
shell_out!("useradd", universal_options, useradd_options, new_resource.username)
manage_password
end
def manage_user
manage_password
return if universal_options.empty? && usermod_options.empty?
shell_out!("usermod", universal_options, usermod_options, new_resource.username)
end
def remove_user
shell_out!("userdel", userdel_options, new_resource.username)
end
def check_lock
user = IO.read(PASSWORD_FILE).match(/^#{Regexp.escape(new_resource.username)}:([^:]*):/)
# If we're in whyrun mode, and the user is not created, we assume it will be
return false if whyrun_mode? && user.nil?
raise Chef::Exceptions::User, "Cannot determine if #{new_resource} is locked!" if user.nil?
@locked = user[1].start_with?("*LK*")
end
def lock_user
shell_out!("passwd", "-l", new_resource.username)
end
def unlock_user
shell_out!("passwd", "-u", new_resource.username)
end
private
def universal_options
opts = []
opts << "-c" << new_resource.comment if should_set?(:comment)
opts << "-g" << new_resource.gid if should_set?(:gid)
opts << "-s" << new_resource.shell if should_set?(:shell)
opts << "-u" << new_resource.uid if should_set?(:uid)
opts << "-d" << new_resource.home if updating_home?
opts << "-o" if new_resource.non_unique
if updating_home?
if new_resource.manage_home
logger.trace("#{new_resource} managing the users home directory")
opts << "-m"
else
logger.trace("#{new_resource} setting home to #{new_resource.home}")
end
end
opts
end
def usermod_options
opts = []
opts += [ "-u", new_resource.uid ] if new_resource.non_unique
if updating_home?
if new_resource.manage_home
opts << "-m"
end
end
opts
end
def userdel_options
opts = []
opts << "-r" if new_resource.manage_home
opts << "-f" if new_resource.force
opts
end
# Solaris does not support system users and has no '-r' option, solaris also
# lacks '-M' and defaults to no-manage-home.
def useradd_options
opts = []
opts << "-m" if new_resource.manage_home
opts
end
def manage_password
return unless current_resource.password != new_resource.password && new_resource.password
logger.trace("#{new_resource} setting password to #{new_resource.password}")
write_shadow_file
end
# XXX: this was straight copypasta'd back in 2013 and I don't think we've ever evaluated using
# a pipe to passwd(1) or evaluating modern ruby-shadow. See https://github.com/chef/chef/pull/721
def write_shadow_file
buffer = Tempfile.new("shadow", "/etc")
::File.open(PASSWORD_FILE) do |shadow_file|
shadow_file.each do |entry|
user = entry.split(":").first
if user == new_resource.username
buffer.write(updated_password(entry))
else
buffer.write(entry)
end
end
end
buffer.close
# FIXME: mostly duplicates code with file provider deploying a file
s = ::File.stat(PASSWORD_FILE)
mode = s.mode & 0o7777
uid = s.uid
gid = s.gid
FileUtils.chown uid, gid, buffer.path
FileUtils.chmod mode, buffer.path
FileUtils.mv buffer.path, PASSWORD_FILE
end
def updated_password(entry)
fields = entry.split(":")
fields[1] = new_resource.password
fields[2] = days_since_epoch
fields.join(":")
end
def days_since_epoch
(Time.now.to_i / 86400).floor
end
end
end
end
end
|