author | Christian Poessinger <christian@poessinger.com> | 2021-07-23 19:31:30 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-07-23 19:31:30 +0200 |
commit | 7292631373ea50f9908796ef2eda32e672d1df2e (patch) | |
tree | 41ce8f67b1795f89bb3cd1f5aa30530489d249c3 | |
parent | ed63951fc63fe58cd1ec1f4b26f3fe955315e0cb (diff) | |
login: T3699: verify system username does not conflict with Linux base users
-rwxr-xr-x | smoketest/scripts/cli/test_system_login.py | 11 | ||||
-rwxr-xr-x | src/conf_mode/system-login.py | 16 |
2 files changed, 22 insertions, 5 deletions
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index bb6f57fc2..dfa56e971 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -44,6 +44,17 @@ class TestSystemLogin(unittest.TestCase):
 self.session.commit()
 del self.session
 
+ def test_add_linux_system_user(self):
+ system_user = 'backup'
+ self.session.set(base_path + ['user', system_user, 'authentication', 'plaintext-password', system_user])
+
+ # check validate() - can not add username which exists on the Debian
+ # base system (UID < 1000)
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
+ self.session.delete(base_path + ['user', system_user])
+
 def test_system_login_user(self):
 # Check if user can be created and we can SSH to localhost
 self.session.set(['service', 'ssh', 'port', '22'])
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index c8b81d80a..59ea1d34b 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf"
 
 def get_local_users():
 """Return list of dynamically allocated users (see Debian Policy Manual)"""
 local_users = []
- for p in getpwall():
- username = p[0]
- uid = getpwnam(username).pw_uid
+ for s_user in getpwall():
+ uid = getpwnam(s_user.pw_name).pw_uid
 if uid in range(1000, 29999):
- if username not in ['radius_user', 'radius_priv_user']:
- local_users.append(username)
+ if s_user.pw_name not in ['radius_user', 'radius_priv_user']:
+ local_users.append(s_user.pw_name)
 return local_users
 
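Review bot: `test_add_linux_system_user` hard-codes `'backup'` and depends on that account existing with a UID below 1000 on the host running the smoketest; that holds for Debian's base-passwd accounts, but the precondition is only implied by the comment. A comment such as `# 'backup' ships in Debian's base-passwd with a UID < 1000, so commit must reject it` would make the assumption explicit, or the name could be picked from the live passwd database instead of being fixed. The `assertRaises` also accepts any `ConfigSessionError`, so an unrelated validation failure on the same commit would still pass; if the exception carries the commit output, `assertRaisesRegex(ConfigSessionError, 'conflict with local system account')` pins the intended reason. The enclosing test class starts outside the hunk.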
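Review bot: In `get_local_users()` the new loop still calls `getpwnam(s_user.pw_name).pw_uid` although the entry returned by `getpwall()` already carries the UID, so every iteration performs a second NSS lookup that goes to whatever backends nsswitch is configured with; `uid = s_user.pw_uid` removes it and matches how the new check in `verify()` reads `s_user.pw_uid` directly. Note also that `range(1000, 29999)` excludes 29999 itself; whether that upper bound is intended cannot be told from this hunk, since the docstring cites the Debian Policy Manual without naming the range. `get_local_users()` is complete within the hunk.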
@@ -104,7 +103,14 @@ def verify(login):
 raise ConfigError(f'Attempting to delete current user: {cur_user}')
 
 if 'user' in login:
+ system_users = getpwall()
 for user, user_config in login['user'].items():
+ # Linux system users range up until UID 1000, we can not create a
+ # VyOS CLI user which already exists as system user
+ for s_user in system_users:
+ if s_user.pw_name == user and s_user.pw_uid < 1000:
+ raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+
 for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
 if 'type' not in pubkey_options:
 raise ConfigError(f'Missing type for public-key "{pubkey}"!')
|
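Review bot: The new conflict check in `verify()` treats only accounts with `pw_uid < 1000` as reserved, so a CLI user named after a base account above that bound — `nobody` is conventionally UID 65534 on Debian — is not caught, and the inner `for s_user in system_users` loop rescans the whole passwd database for every configured user. Since `get_local_users()` in this same file already defines which accounts VyOS manages, a clearer rule is that any name present in `getpwall()` which `get_local_users()` does not return is reserved; building that set once before the loop also removes the nested scan. Whether the UID range in `get_local_users()` is meant as the authoritative definition of VyOS-managed accounts should be confirmed before relying on it. `verify()` starts before and ends after this hunk.
```python
    if 'user' in login:
        # Every account on the system that get_local_users() does not report
        # as VyOS-managed is reserved (Debian base users, 'nobody', the RADIUS
        # helper accounts) and must not be shadowed by a CLI user.
        reserved_users = {s.pw_name for s in getpwall()} - set(get_local_users())
        for user, user_config in login['user'].items():
            if user in reserved_users:
                raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
            # … unchanged: public key validation …
```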