Use CMS user's actual primary group for permissions setup

andreyv · andreyv · commit 80091ce054f6 · 2021-05-04T16:55:47.000+03:00
It can happen that the CMS user's primary group name doesn't match the
user name (in case of a pre-existing user), so we should use the actual
group name for setting file permissions.

We don't try to always create and use a "cmsuser" group instead, because
this wouldn't work within a single CI session.
diff --git a/cms/util.py b/cms/util.py
@@ -22,11 +22,11 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import argparse
-import grp
 import itertools
 import logging
 import netifaces
 import os
+import pwd
 import stat
 import sys
 
@@ -56,7 +56,7 @@ def mkdir(path):
     else:
         try:
             os.chmod(path, 0o770)
-            cmsuser_gid = grp.getgrnam(config.cmsuser).gr_gid
+            cmsuser_gid = pwd.getpwnam(config.cmsuser).pw_gid
             os.chown(path, -1, cmsuser_gid)
         except OSError:
             os.rmdir(path)
diff --git a/prerequisites.py b/prerequisites.py
@@ -207,7 +207,7 @@ def install_isolate():
     assert_root()
     root = pwd.getpwnam("root")
     try:
-        cmsuser_grp = grp.getgrnam(CMSUSER)
+        cmsuser_grp = grp.getgrgid(pwd.getpwnam(CMSUSER).pw_gid)
     except:
         print("[Error] The user %s doesn't exist yet" % CMSUSER)
         print("[Error] You need to run the install command at least once")
@@ -279,22 +279,15 @@ def install():
     # Get real user to run non-sudo commands
     real_user = get_real_user()
 
-    try:
-        cmsuser_gr = grp.getgrnam(CMSUSER)
-    except KeyError:
-        print("===== Creating group %s" % CMSUSER)
-        subprocess.check_call(["groupadd", CMSUSER, "--system"])
-        cmsuser_gr = grp.getgrnam(CMSUSER)
-
     try:
         cmsuser_pw = pwd.getpwnam(CMSUSER)
     except KeyError:
         print("===== Creating user %s" % CMSUSER)
         subprocess.check_call(["useradd", CMSUSER, "--system",
                                "--comment", "CMS default user",
-                               "--shell", "/bin/false", "--no-create-home",
-                               "--no-user-group", "--gid", CMSUSER])
+                               "--shell", "/bin/false", "-U"])
         cmsuser_pw = pwd.getpwnam(CMSUSER)
+    cmsuser_gr = grp.getgrgid(cmsuser_pw.pw_gid)
 
     root_pw = pwd.getpwnam("root")
 
@@ -338,18 +331,19 @@ def install():
     os.umask(old_umask)
 
     if real_user != "root":
-        print("===== Adding yourself to the %s group" % CMSUSER)
+        gr_name = cmsuser_gr.gr_name
+        print("===== Adding yourself to the %s group" % gr_name)
         if ask("Type Y if you want me to automatically add "
-               "\"%s\" to the %s group: " % (real_user, CMSUSER)):
-            subprocess.check_call(["usermod", "-a", "-G", CMSUSER, real_user])
+               "\"%s\" to the %s group: " % (real_user, gr_name)):
+            subprocess.check_call(["usermod", "-a", "-G", gr_name, real_user])
             print("""
 ###########################################################################
 ###                                                                     ###
 ###    Remember that you must now logout in order to make the change    ###
 ###    effective ("the change" is: being in the %s group).         ###
 ###                                                                     ###
 ###########################################################################
-            """ % CMSUSER)
+            """ % gr_name)
         else:
             print("""
 ###########################################################################
@@ -361,7 +355,7 @@ def install():
 ###    You must also logout to make the change effective.               ###
 ###                                                                     ###
 ###########################################################################
-            """ % (CMSUSER, CMSUSER))
+            """ % (gr_name, gr_name))
 
 
 def uninstall():
@@ -407,7 +401,8 @@ def uninstall():
         if ask("Do you want to delete user %s? [y/N] " % CMSUSER):
             subprocess.check_call(["userdel", CMSUSER])
     try:
-        # Just to check whether it exists.
+        # Just to check whether it exists. If CMSUSER had a different primary
+        # group, we'll do nothing here.
         grp.getgrnam(CMSUSER)
     except KeyError:
         pass
