From 7473462125615ecd1a2d683ef0ba07e712f5922b Mon Sep 17 00:00:00 2001
From: Adriaan de Groot
Date: Mon, 9 May 2022 14:25:56 +0200
Subject: [PATCH] [users] Introduce forbidden_names settings
---
 src/modules/users/users.conf | 9 +++++++++
 src/modules/users/users.schema.yaml | 2 ++
 2 files changed, 11 insertions(+)
diff --git a/src/modules/users/users.conf b/src/modules/users/users.conf
index 66ab4422a..779d1afdf 100644
--- a/src/modules/users/users.conf
+++ b/src/modules/users/users.conf
@@ -154,8 +154,13 @@ allowWeakPasswordsDefault: false
 # and rely on a correct configuration file in /etc/default/useradd
 # - set, non-empty, use that path as shell. No validation is done
 # that the shell actually exists or is executable.
+# - *forbidden_names* Login names that may not be used. This list always
+# contains "root" and "nobody", but may be extended to list other special
+# names for a given distro (eg. "video", or "mysql" might not be a valid
+# end-user login name).
 user:
 shell: /bin/bash
+ forbidden_names: [ root ]
 # TODO:3.3: Remove this setting
 #
 # This is the legacy setting for user.shell
@@ -198,10 +203,14 @@ userShell: /bin/bash
 # `${key}` values to something that will fit in a hostname, but does not
 # apply the same to literal text in the template. Do not use invalid
 # characters in the literal text, or no suggeston will be done.
+# - *forbidden_names* lists hostnames that may not be used. This list
+# always contains "localhost", but may list others that are unsuitable
+# or broken in special ways.
 hostname:
 location: EtcFile
 writeHostsFile: true
 template: "derp-${cpu}"
+ forbidden_names: [ localhost ]
 # TODO:3.3: Remove this setting
 #
diff --git a/src/modules/users/users.schema.yaml b/src/modules/users/users.schema.yaml
index 552ed50ed..025f8a3d2 100644
--- a/src/modules/users/users.schema.yaml
+++ b/src/modules/users/users.schema.yaml
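Review bot: In the first users.conf hunk, the new comment for `user.forbidden_names` says the list "always contains" `root` and `nobody`, but the sample value `forbidden_names: [ root ]` names only one of them, so it is unclear whether configured entries extend the built-in names or replace them. Nothing in this patch enforces the built-in entries, so presumably that happens in the module code; this is worth confirming, because a distro that sets only its own names must still have `root` rejected. I would say so in the comment, e.g. `#   Configured names are added to the built-in "root" and "nobody"; they never replace them.`, and use a sample that shows an extension, such as `forbidden_names: [ root, nobody ]`. The comment should also state whether login names are compared exactly or case-insensitively.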
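Review bot: In the second users.conf hunk, the comment for `hostname.forbidden_names` does not say how entries are compared. Hostnames are case-insensitive, so `Localhost` or `LOCALHOST` would need to be rejected along with `localhost`. If the implementation (not visible in this patch) already folds case, a line such as `#   Names are compared case-insensitively.` would document it; if it does not, an exact match on `localhost` is easy to sidestep by accident. As with the `user:` setting in the first hunk, the text also leaves open whether a configured list extends the built-in `localhost` entry or replaces it.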
@@ -13,6 +13,7 @@ properties:
 type: object
 properties:
 shell: { type: string } # Overrides userShell
+ forbidden_names: { type: array, items: { type: string } }
 # Group settings
 defaultGroups:
 type: array
@@ -52,6 +53,7 @@ properties:
 location: { type: string, enum: [ None, EtcFile, Hostnamed, Transient ] }
 writeHostsFile: { type: boolean, default: true }
 template: { type: string, default: "${first}-${product}" }
+ forbidden_names: { type: array, items: { type: string } }
 # Legacy Hostname setting
 setHostname: { type: string, enum: [ None, EtcFile, Hostnamed ] }
 writeHostsFile: { type: boolean, default: true }
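Review bot: Both new `forbidden_names` schema entries, the one beside `shell` in the first hunk and the one beside `template` in the second, accept any string, so empty strings and duplicate entries pass validation. Tightening each to `forbidden_names: { type: array, items: { type: string, minLength: 1 }, uniqueItems: true }` would reject an obviously broken list when the config is checked, not silently at runtime. The schema also has no `default` and cannot express the "always contains" guarantee described in users.conf, so a trailing comment such as `# Extends the built-in list` on each entry would keep the two files in agreement. The enclosing `properties:` mappings begin outside both hunks, so the nesting level of the new keys cannot be checked from here.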