homedir: reduce filesystem checks and secure skel copy logic
This patch changes two things, but I want both to change in one go, for easier revert in case of problems.
- reduce filesystem checks in the needs_create() routine. This is because of high NFS latency, which contributes to high loop times. To achieve this, we will store a small "state" string in the account configmap. This is done via the update routine, so as not to trigger the do_create() routine, as it was discovered that the logic in there can have some overwrite dangers to admin account homedir files. This is related to the next point.
- secure the skel copy logic. Only copy the skel if the homedir is being created now. Copying the skel if the homedir was not created now means we could overwrite stuff. Moreover, don't do the skel copy at all for admins, who can have their homedir created via PAM upon first bastion log in.
While at it, we can similarly protect the disabled_flag filesystem removal if the homedir is being created at the moment, which should count for one less filesystem interaction.
Bug: T366564
Signed-off-by: Arturo Borrero Gonzalez <aborrero@wikimedia.org>
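The skel rule from the commit message above, as an added sketch that is not the project's code: the skel is copied only when this call created the homedir, and existing files are never overwritten. The names `provision`, `copy_skel` and `demo`, the flat skel directory, and creating an empty homedir for admins are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

EXCL = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW


def copy_skel(skel: Path, home: Path) -> list:
    """Copy regular files from a flat skel dir without overwriting anything."""
    copied = []
    for src in sorted(skel.iterdir()):
        if src.is_symlink() or not src.is_file():
            continue
        try:
            fd = os.open(home / src.name, EXCL, 0o600)
        except FileExistsError:
            continue  # a file is already there: leave it alone
        with os.fdopen(fd, "wb") as dst:
            dst.write(src.read_bytes())
        copied.append(src.name)
    return copied


def provision(home: Path, skel: Path, is_admin: bool) -> list:
    """Create the homedir if missing; copy skel only if this call created it."""
    try:
        os.mkdir(home, 0o700)  # raises if the path already exists
    except FileExistsError:
        return []  # pre-existing homedir: never touch its files
    if is_admin:  # assumption: admins get an empty homedir, no skel
        return []
    return copy_skel(skel, home)


def demo() -> dict:
    """Constructed sample: a fresh user, an existing homedir, an admin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "skel").mkdir()
        (root / "skel" / ".bashrc").write_text("# skel default\n")
        (root / "old").mkdir()
        (root / "old" / ".bashrc").write_text("# user edits\n")
        return {
            "fresh": provision(root / "fresh", root / "skel", False),
            "old": provision(root / "old", root / "skel", False),
            "old_bashrc": (root / "old" / ".bashrc").read_text(),
            "admin": provision(root / "admin", root / "skel", True),
        }
```

Because `os.mkdir` itself reports whether the directory was new, the "created now" decision needs no separate existence check on the filesystem.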