summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-23 19:31:30 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-23 19:31:30 +0200
commit7292631373ea50f9908796ef2eda32e672d1df2e (patch)
tree41ce8f67b1795f89bb3cd1f5aa30530489d249c3 /src/conf_mode
parented63951fc63fe58cd1ec1f4b26f3fe955315e0cb (diff)
downloadvyos-1x-7292631373ea50f9908796ef2eda32e672d1df2e.tar.gz
vyos-1x-7292631373ea50f9908796ef2eda32e672d1df2e.zip
login: T3699: verify system username does not conflict with Linux base users
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/system-login.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index c8b81d80a..59ea1d34b 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf"
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
- for p in getpwall():
- username = p[0]
- uid = getpwnam(username).pw_uid
+ for s_user in getpwall():
+ uid = getpwnam(s_user.pw_name).pw_uid
if uid in range(1000, 29999):
- if username not in ['radius_user', 'radius_priv_user']:
- local_users.append(username)
+ if s_user.pw_name not in ['radius_user', 'radius_priv_user']:
+ local_users.append(s_user.pw_name)
return local_users
@@ -104,7 +103,14 @@ def verify(login):
raise ConfigError(f'Attempting to delete current user: {cur_user}')
if 'user' in login:
+ system_users = getpwall()
for user, user_config in login['user'].items():
+ # Linux system users range up until UID 1000, we can not create a
+ # VyOS CLI user which already exists as system user
+ for s_user in system_users:
+ if s_user.pw_name == user and s_user.pw_uid < 1000:
+ raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+
for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
if 'type' not in pubkey_options:
raise ConfigError(f'Missing type for public-key "{pubkey}"!')