sysuser

package
v0.5.0 Latest
Published: May 14, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package sysuser provisions the kukeon system user/group and applies kukeon-managed file ownership during `kuke init`. The package is invoked from the init command so that a non-root user added to the kukeon group can dial the kukeond socket without sudo while writes under /opt/kukeon still require root (they go through the daemon).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ChownAndChmod

func ChownAndChmod(path string, uid, gid int, mode os.FileMode) error

ChownAndChmod sets ownership and mode on a single path. Use this for the kukeond socket and for the /run/kukeon top-level directory.

func ChownTreeAndChmod

func ChownTreeAndChmod(root string, uid, gid int, dirMode, fileMode os.FileMode) error

ChownTreeAndChmod walks a directory tree and applies the requested owner to every entry, dirMode to directories, and fileMode to regular files. Splitting the modes keeps the recursive descent from making JSON metadata files executable when the caller wants 0o750-style group-traverse on dirs.

Symlinks are lchowned but not chmoded — Linux stores no mode bits on symlinks, and os.Chmod follows the link, which would mutate the wrong file.
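As an added illustration of the walk semantics described above (a hypothetical re-implementation written for this page, not the package's own code), the function below lchowns every entry, applies dirMode to directories and fileMode to regular files, and skips chmod on symlinks so that a link pointing outside the tree cannot cause its target's mode to change. Passing uid/gid of -1 tells Lchown to leave ownership as is, which is what lets the demo run unprivileged.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// chownTreeAndChmod: hypothetical helper mirroring the documented behaviour.
// Every entry is lchowned; dirs get dirMode, regular files get fileMode;
// symlinks are never chmoded because os.Chmod would follow the link.
func chownTreeAndChmod(root string, uid, gid int, dirMode, fileMode os.FileMode) error {
	return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		// Lchown acts on the entry itself, so a link's target keeps its owner.
		if err := os.Lchown(path, uid, gid); err != nil {
			return fmt.Errorf("lchown %s: %w", path, err)
		}
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			return nil // Linux keeps no mode bits on symlinks; do not follow
		case d.IsDir():
			return os.Chmod(path, dirMode) // e.g. 0o750: group may traverse
		case d.Type().IsRegular():
			return os.Chmod(path, fileMode) // e.g. 0o640: never executable
		default:
			return nil // sockets, devices and other special files are left alone
		}
	})
}

func main() {
	root, err := os.MkdirTemp("", "sysuser-demo") // constructed sample tree
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	meta := filepath.Join(root, "meta.json")
	_ = os.WriteFile(meta, []byte("{}"), 0o777) // deliberately too permissive
	// uid/gid -1 leaves ownership unchanged, so the demo runs unprivileged.
	if err := chownTreeAndChmod(root, -1, -1, 0o750, 0o640); err != nil {
		panic(err)
	}
	fi, _ := os.Lstat(meta)
	fmt.Printf("meta.json mode: %o\n", fi.Mode().Perm()) // 640
}
```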

Types

type CommandRunner

type CommandRunner interface {
	Run(ctx context.Context, name string, args ...string) error
}

CommandRunner runs system commands. The default implementation shells out via os/exec; tests can substitute a fake to avoid mutating the host.

type EnsureOptions

type EnsureOptions struct {
	Runner      CommandRunner
	LookupGroup LookupGroupFunc
	LookupUser  LookupUserFunc
	// NoLoginShell overrides the picked nologin shell. If empty, the helper
	// chooses /usr/sbin/nologin or /sbin/nologin based on what exists.
	NoLoginShell string
}

EnsureOptions configures EnsureUserGroup. Zero-valued fields fall back to the production lookups and the default runner.

type EnsureResult

type EnsureResult struct {
	UID          int
	GID          int
	UserCreated  bool
	GroupCreated bool
}

EnsureResult reports the outcome of EnsureUserGroup.

func EnsureUserGroup

func EnsureUserGroup(ctx context.Context, username, groupname string, opts EnsureOptions) (EnsureResult, error)

EnsureUserGroup creates the named system group and user if they don't already exist, then returns the resolved UID/GID. Idempotent — re-running after a prior init is a no-op aside from the lookups.

Requires CAP_SYS_ADMIN (effectively, root) when creation is needed because it shells out to groupadd/useradd. The caller (kuke init) is already root, so this is fine in the production path.

type ExecRunner

type ExecRunner struct{}

ExecRunner shells out via os/exec. It is the production CommandRunner.

func (ExecRunner) Run

func (ExecRunner) Run(ctx context.Context, name string, args ...string) error

Run wraps exec.CommandContext + Run, surfacing combined output on failure so the caller's error message names what went wrong with groupadd/useradd.

type LookupGroupFunc

type LookupGroupFunc func(name string) (*user.Group, error)

LookupGroupFunc lets tests stub user.LookupGroup without populating /etc/group. Production callers should leave it nil to fall back to the stdlib lookup.

type LookupUserFunc

type LookupUserFunc func(name string) (*user.User, error)

LookupUserFunc lets tests stub user.Lookup without populating /etc/passwd. Production callers should leave it nil to fall back to the stdlib lookup.
