Managing service accounts in an RPM spec

16

7

I've been given a partially-complete RPM spec for a service we're writing. It gets as far as making the required directories, copying files, setting permissions, etc., but it doesn't make the required system account that the service will run under. I was told that it's best for the RPM to take care of this, so I've added

Requires(pre): /usr/sbin/useradd

%pre
useradd -r -d /path/to/program -s /bin/false myservice

This succeeds in making the user account (and associated group), so later on when it tries to set ownership / permissions on the service's files, that succeeds as well.

My current problem is, a) if the user account already exists, the RPM install fails because useradd fails (because the user already exists); and b) I don't know how to have rpm -e myservice also remove the associated user and group.

Coderer

Posted 2010-07-27T19:38:22.403

Reputation: 1 316

// , Would you consider using FPM? – Nathan Basanese – 2015-09-03T23:57:32.187

Answers

18

I actually solved this independently, by looking at other RPM specs that did similar things. If you just want to add a user (conditionally), use Ignacio's link. I did this:

Requires(pre): /usr/sbin/useradd, /usr/bin/getent
Requires(postun): /usr/sbin/userdel

%pre
/usr/bin/getent group myservice || /usr/sbin/groupadd -r myservice
/usr/bin/getent passwd myservice || /usr/sbin/useradd -r -d /path/to/program -s /sbin/nologin myservice

%postun
/usr/sbin/userdel myservice

This makes sure that the RPM "cleans up after itself" but still provides the ability to install even if the account already exists.

Coderer

Posted 2010-07-27T19:38:22.403

Reputation: 1 316

1There is a UID and GID reuse issue (when the deleted user has the highest UID/GID) that makes any automated use of userdel a bad idea. – Bruno9779 – 2015-11-16T15:03:35.927

1On my CentOS 6.7 I removed the /usr/sbin/groupadd command, since the useradd command will create the group itself. Also, useradd will exit with an error when a group of the same name already exists. – Raffael – 2016-06-01T15:31:58.210

rpmlint report "W: dangerous-command-in-%postun userdel" if you use it – Rfraile – 2018-06-22T15:53:28.163

13

Although this answers the question, it is worth reading the note in the Fedora link posted by Ignacio about why removing the user/group is not desirable.

– CoverosGene – 2012-02-28T16:18:33.590

5

Neither of the two previous answers is production ready, as those methods will delete the user if the package is upgraded. Yum installs the new package, then removes the old package. This will leave you without a user. Not cool!

Use this method instead:

%postun
case "$1" in
    0) # This is a yum remove.
       /usr/sbin/userdel myservice
    ;;
    1) # This is a yum upgrade.
       # do nothing
    ;;
esac

Steven

Posted 2010-07-27T19:38:22.403

Reputation: 51

4

The response from Coderer is good, but the second pre command gives me an error on CentOS 7. The group must be specified.

Requires(pre): /usr/sbin/useradd, /usr/bin/getent
Requires(postun): /usr/sbin/userdel

%pre
/usr/bin/getent group myservice > /dev/null || /usr/sbin/groupadd -r myservice
/usr/bin/getent passwd myservice > /dev/null || /usr/sbin/useradd -r -d /path/to/program -s /sbin/nologin -g myservice myservice

%postun
/usr/sbin/userdel myservice

I also added a redirect to /dev/null to suppress the unwanted output.

Tabinol

Posted 2010-07-27T19:38:22.403

Reputation: 41
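The three answers above each carry one piece of the picture: Coderer's and Tabinol's %pre make account creation idempotent (with the group created first and passed via -g), and Steven's %postun uses the scriptlet argument to tell an erase from an upgrade. The following is an added example, not code from any of the answers or from Fedora's packaging guidelines, that puts the pieces together as shell functions so the install, upgrade and erase branches can be exercised outside rpm and without root (DRY_RUN=1 prints the privileged commands instead of running them). In a real spec the function bodies go verbatim under %pre and %postun. The account name, the /path/to/program home directory and the "service account" GECOS string are placeholders taken from the question; the Requires(pre): shadow-utils line mentioned in the comments is an assumption about the package that ships useradd/userdel on Fedora and EL, and the per-path Requires used in the answers work equally well.

```shell
#!/bin/sh
# Added example: %pre / %postun bodies for a service account, factored into
# functions. rpm passes ONE argument to each scriptlet: the number of package
# instances that will be installed after the current transaction step.
#   %pre:    1 = first install, 2 = upgrade (the NEW package's %pre runs before
#            the OLD package's %postun, so the account already exists then)
#   %postun: 0 = erase,         1 = upgrade (the OLD package's %postun)
# Spec header assumed for these bodies (hypothetical, see lead-in):
#   Requires(pre): shadow-utils
#   Requires(postun): shadow-utils

SVC_USER=${SVC_USER:-myservice}
SVC_HOME=${SVC_HOME:-/path/to/program}   # placeholder path from the question

# Run a privileged command, or just print it when DRY_RUN=1 (for testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# %pre body: create the system group, then the user, only if missing, so a
# reinstall or upgrade ($1 = 2) does not fail the way a bare useradd does.
# -g names the group explicitly (Tabinol's CentOS 7 fix); -s /sbin/nologin and
# -r keep it a non-login system account.
pre_create_account() {
    getent group "$SVC_USER" >/dev/null || run groupadd -r "$SVC_USER"
    getent passwd "$SVC_USER" >/dev/null || run useradd -r -g "$SVC_USER" \
        -d "$SVC_HOME" -s /sbin/nologin -c "$SVC_USER service account" "$SVC_USER"
    return 0   # a scriptlet's last exit status aborts the transaction if non-zero
}

# %postun body: remove the account only on a real erase ($1 = 0). On upgrade
# ($1 = 1) the new package still needs it. Caveat from the comments above:
# deleting the account leaves any files it still owns with a dangling UID that
# a later useradd can reuse, which is why many packagers keep the account.
postun_remove_account() {
    case "$1" in
        0) run userdel "$SVC_USER" ;;
        *) : ;;   # upgrade: keep the account
    esac
    return 0
}

# Stand-alone walkthrough of the three transactions rpm would drive:
#   sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    export DRY_RUN=1
    echo "== install";  pre_create_account 1
    echo "== upgrade";  pre_create_account 2; postun_remove_account 1
    echo "== erase";    postun_remove_account 0
fi
```

Running the demo shows that the upgrade step prints no account commands at all: getent finds the account created at install time, so %pre skips creation, and %postun sees $1 = 1 and keeps it. Only the erase step reaches userdel. If you decide to follow the Fedora advice quoted in the comments and never remove the account, drop the 0) branch and leave %postun out entirely.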