From a4236f70d16654bedab6b5d02fc6b5d343196593 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 6 Apr 2024 21:09:42 +0200 Subject: login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX' Commit 1b364428f ("login: T5875: restore home directory permissions only when needed") added logic to chown the users home directory if it's UID changes. This might happen when a user account is deleted and re-added to the system. Under rar e circumstances it was possible that the implementation triggered Traceback (most recent call last): File "", line 1, in KeyError: 'getpwuid(): uid not found: XXXX' This has been fixed by re-arranging the code path with an additional try/except if the PW database information could not be retrieved leading to an implicit chown() of the home directory to the user beeing added. (cherry picked from commit 1165bb497ec2d6d1b3b12d6c03435b0210efe9e5) --- src/conf_mode/system_login.py | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index cff0c5039..de02a64c6 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -336,27 +336,31 @@ def apply(login): command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk {user}' try: cmd(command) - # we should not rely on the value stored in - # user_config['home_directory'], as a crazy user will choose - # username root or any other system user which will fail. + # we should not rely on the value stored in user_config['home_directory'], as a + # crazy user will choose username root or any other system user which will fail. # # XXX: Should we deny using root at all? home_dir = getpwnam(user).pw_dir - # T5875: ensure UID is properly set on home directory if user is re-added - # the home directory will always exist, as it's created above by --create-home, - # retrieve current owner of home directory and adjust it on demand - dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name - if dir_owner != user: - chown(home_dir, user=user, recursive=True) - + # always re-render SSH keys with appropriate permissions render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2', user_config, permission=0o600, formater=lambda _: _.replace(""", '"'), user=user, group='users') - except Exception as e: raise ConfigError(f'Adding user "{user}" raised exception: "{e}"') + # T5875: ensure UID is properly set on home directory if user is re-added + # the home directory will always exist, as it's created above by --create-home, + # retrieve current owner of home directory and adjust on demand + dir_owner = None + try: + dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name + except: + pass + + if dir_owner != user: + chown(home_dir, user=user, recursive=True) + # Generate 2FA/MFA One-Time-Pad configuration if dict_search('authentication.otp.key', user_config): enable_otp = True -- cgit v1.2.3