summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py11
-rwxr-xr-xsrc/conf_mode/system-login.py16
2 files changed, 22 insertions, 5 deletions
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index bb6f57fc2..dfa56e971 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -44,6 +44,17 @@ class TestSystemLogin(unittest.TestCase):
self.session.commit()
del self.session
+ def test_add_linux_system_user(self):
+ system_user = 'backup'
+ self.session.set(base_path + ['user', system_user, 'authentication', 'plaintext-password', system_user])
+
+ # check validate() - can not add username which exists on the Debian
+ # base system (UID < 1000)
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
+ self.session.delete(base_path + ['user', system_user])
+
def test_system_login_user(self):
# Check if user can be created and we can SSH to localhost
self.session.set(['service', 'ssh', 'port', '22'])
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index c8b81d80a..59ea1d34b 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf"
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
- for p in getpwall():
- username = p[0]
- uid = getpwnam(username).pw_uid
+ for s_user in getpwall():
+ uid = getpwnam(s_user.pw_name).pw_uid
if uid in range(1000, 29999):
- if username not in ['radius_user', 'radius_priv_user']:
- local_users.append(username)
+ if s_user.pw_name not in ['radius_user', 'radius_priv_user']:
+ local_users.append(s_user.pw_name)
return local_users
@@ -104,7 +103,14 @@ def verify(login):
raise ConfigError(f'Attempting to delete current user: {cur_user}')
if 'user' in login:
+ system_users = getpwall()
for user, user_config in login['user'].items():
+ # Linux system users range up until UID 1000, we can not create a
+ # VyOS CLI user which already exists as system user
+ for s_user in system_users:
+ if s_user.pw_name == user and s_user.pw_uid < 1000:
+ raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+
for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
if 'type' not in pubkey_options:
raise ConfigError(f'Missing type for public-key "{pubkey}"!')