From 5dafc85052dfd98ea5b1a4c41bc543b1d165ee1e Mon Sep 17 00:00:00 2001 From: Cosimo Cecchi Date: Sun, 30 Jul 2017 14:41:42 +0100 Subject: [PATCH] Add support for a list of extra groups for admin users It's common for distributions to want to add administrator users to additional groups (e.g. lpadmin or systemd-journal); Debian and Ubuntu have patches that add this kind of functionality already. This commit adds a configure option to specify a comma-separated list of extra groups for admin users and adds support for it when both adding a new admin user and promoting an user to admin. https://bugs.freedesktop.org/show_bug.cgi?id=101972 --- configure.ac | 6 ++++++ src/daemon.c | 11 ++++++++++- src/user.c | 14 ++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 4b21477..384f81b 100644 --- a/configure.ac +++ b/configure.ac @@ -54,6 +54,11 @@ AS_IF([test x$enable_admin_group = xauto], [ ]) AC_DEFINE_UNQUOTED([ADMIN_GROUP], ["$enable_admin_group"], [Define to the group for administrator users]) +AC_ARG_WITH(extra-admin-groups, + [AS_HELP_STRING([--with-extra-admin-groups],[Comma-separated list of extra groups that administrator users are part of])], + ,with_extra_admin_groups="") +AC_DEFINE_UNQUOTED([EXTRA_ADMIN_GROUPS], ["$with_extra_admin_groups"], [Define to the list of extra groups administrator users are part of]) + AC_ARG_ENABLE(user-heuristics, [AS_HELP_STRING([--enable-user-heuristics],[Enable heuristics for guessing system vs. human users in the range 500-minimum-uid])], [if test "$enableval" = yes; then @@ -376,6 +381,7 @@ else AC_MSG_NOTICE([** DocBook documentation build disabled]) fi AC_MSG_NOTICE([** Administrator group: $enable_admin_group]) + AC_MSG_NOTICE([** Extra administrator groups: $with_extra_admin_groups]) echo diff --git a/src/daemon.c b/src/daemon.c index 6e3e4b3..ca4fa1c 100644 --- a/src/daemon.c +++ b/src/daemon.c 
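Review bot: In configure.ac, `AC_ARG_WITH(extra-admin-groups, ...)` has an empty action-if-given, so a bare `--with-extra-admin-groups` leaves `with_extra_admin_groups` set to `yes` and `--without-extra-admin-groups` sets it to `no`; either word is then compiled into `EXTRA_ADMIN_GROUPS` as if it were a group name. The daemon.c hunk passes that string straight into the `-G` argument, so a stray `no` would most likely make administrator creation fail on a missing group. Normalising the two values before the define avoids this, e.g. `AS_CASE([$with_extra_admin_groups], [yes|no], [with_extra_admin_groups=""])`. The help string could also say that the list must not contain spaces, because the value is used verbatim.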
@@ -1058,11 +1058,20 @@ daemon_create_user_authorized_cb (Daemon *daemon,
 argv[2] = "-c";
 argv[3] = cd->real_name;
 if (cd->account_type == ACCOUNT_TYPE_ADMINISTRATOR) {
+ char *admin_groups;
+
+ admin_groups = g_strdup (ADMIN_GROUP);
+ if (EXTRA_ADMIN_GROUPS != NULL && EXTRA_ADMIN_GROUPS[0] != '\0')
+ admin_groups = g_strconcat (admin_groups, ",",
+ EXTRA_ADMIN_GROUPS, NULL);
+
 argv[4] = "-G";
- argv[5] = ADMIN_GROUP;
+ argv[5] = admin_groups;
 argv[6] = "--";
 argv[7] = cd->user_name;
 argv[8] = NULL;
+
+ g_free (admin_groups);
 }
 else if (cd->account_type == ACCOUNT_TYPE_STANDARD) {
 argv[4] = "--";
diff --git a/src/user.c b/src/user.c
index a83cfe4..638d62c 100644
--- a/src/user.c
+++ b/src/user.c
@@ -1690,6 +1690,7 @@ user_change_account_type_authorized_cb (Daemon *daemon,
 gint ngroups;
 GString *str;
 gid_t wheel;
+ char **extra_admin_groups;
 struct group *grp;
 gint i;
 const gchar *argv[6];
@@ -1716,7 +1717,20 @@ user_change_account_type_authorized_cb (Daemon *daemon,
 }
 switch (account_type) {
 case ACCOUNT_TYPE_ADMINISTRATOR:
+ extra_admin_groups = g_strsplit (EXTRA_ADMIN_GROUPS, ",", 0);
+
+ for (i = 0; extra_admin_groups[i] != NULL; i++) {
+ struct group *extra_group;
+ extra_group = getgrnam (extra_admin_groups[i]);
+ if (extra_group == NULL || extra_group->gr_gid == wheel)
+ continue;
+
+ g_string_append_printf (str, "%d,", extra_group->gr_gid);
+ }
+
 g_string_append_printf (str, "%d", wheel);
+ g_strfreev (extra_admin_groups);
+
 break;
 case ACCOUNT_TYPE_STANDARD:
 default:
-- 2.13.3
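Review bot: In src/daemon.c, `g_free (admin_groups)` runs at the end of the administrator branch while `argv[5]` still points at that buffer, and nothing in the visible block consumes `argv`, so the command is presumably run after the if/else chain (outside the hunk) with a dangling `-G` argument. In a daemon that creates accounts, that means the supplementary group list is read from freed heap memory. The `g_strconcat (admin_groups, ...)` assignment also leaks the `g_strdup` result, and `EXTRA_ADMIN_GROUPS != NULL` is always true for a string literal. Declaring the pointer at function scope, building it in one step and freeing it only after `argv` has been used addresses all three. The function starts and ends outside the hunk, so the placement of the final `g_free` needs checking against the full body.

```c
/* function scope: must outlive the if/else chain that fills argv */
char *admin_groups = NULL;

/* … unchanged: argv[0]..argv[3] … */
if (cd->account_type == ACCOUNT_TYPE_ADMINISTRATOR) {
        if (EXTRA_ADMIN_GROUPS[0] != '\0')
                admin_groups = g_strconcat (ADMIN_GROUP, ",",
                                            EXTRA_ADMIN_GROUPS, NULL);
        else
                admin_groups = g_strdup (ADMIN_GROUP);

        argv[4] = "-G";
        argv[5] = admin_groups;
        /* … unchanged: argv[6]..argv[8] … */
}
/* … unchanged: other account types and the code that runs argv … */
g_free (admin_groups);
```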
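Review bot: In src/user.c, the `ACCOUNT_TYPE_ADMINISTRATOR` case now adds the extra groups on promotion, but the `ACCOUNT_TYPE_STANDARD`/`default` case is left unchanged, and the only gid the visible code treats specially is `wheel`. If `str` is built from the user's current groups minus `wheel` (that loop is outside the hunk, so this needs confirming), a demoted user keeps the extra memberships that were granted only because the account was an administrator. It would be worth either filtering the extra gids in the same place `wheel` is filtered, or adding a comment stating that demotion deliberately leaves them in place. Separately, a name that `getgrnam` cannot resolve is skipped silently here, whereas the daemon.c hunk passes the same list through unchecked; logging a warning when the lookup returns NULL would make a misconfigured build visible.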