From d6b02f6e3619de39a77403e4bb1bb684ee5ce3c3 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 12:52:36 +0100 Subject: login: T5972: add possibility to disable individual local user accounts * set system login user disable (cherry picked from commit 6e0b146ed3b90da577c3ecba38836883fd435e7a) --- interface-definitions/system_login.xml.in | 1 + smoketest/scripts/cli/test_system_login.py | 27 +++++++++++++++++++++------ src/conf_mode/system_login.py | 6 ++++++ 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in index 672c4afc8..a59f54005 100644 --- a/interface-definitions/system_login.xml.in +++ b/interface-definitions/system_login.xml.in @@ -172,6 +172,7 @@ + #include Full name of the user (use quotes for names with spaces) diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py index 195b127a4..d93ad952f 100755 --- a/smoketest/scripts/cli/test_system_login.py +++ b/smoketest/scripts/cli/test_system_login.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2023 VyOS maintainers and contributors +# Copyright (C) 2019-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,12 +15,12 @@ # along with this program. If not, see . import re -import platform import unittest import paramiko from base_vyostest_shim import VyOSUnitTestSHIM +from gzip import GzipFile from subprocess import Popen, PIPE from pwd import getpwall from time import sleep 
@@ -98,8 +98,8 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): self.cli_commit() for user in users: - cmd = ['su','-', user] - proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE) + tmp = ['su','-', user] + proc = Popen(tmp, stdin=PIPE, stdout=PIPE, stderr=PIPE) tmp = "{}\nuname -a".format(user) proc.stdin.write(tmp.encode()) proc.stdin.flush() @@ -109,6 +109,22 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): # b'Linux LR1.wue3 5.10.61-amd64-vyos #1 SMP Fri Aug 27 08:55:46 UTC 2021 x86_64 GNU/Linux\n' self.assertTrue(len(stdout) > 40) + locked_user = users[0] + # disable the first user in list + self.cli_set(base_path + ['user', locked_user, 'disable']) + self.cli_commit() + # check if account is locked + tmp = cmd(f'sudo passwd -S {locked_user}') + self.assertIn(f'{locked_user} L ', tmp) + + # unlock account + self.cli_delete(base_path + ['user', locked_user, 'disable']) + self.cli_commit() + # check if account is unlocked + tmp = cmd(f'sudo passwd -S {locked_user}') + self.assertIn(f'{locked_user} P ', tmp) + + def test_system_login_otp(self): otp_user = 'otp-test_user' otp_password = 'SuperTestPassword' @@ -148,8 +164,7 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): def test_radius_kernel_features(self): # T2886: RADIUS requires some Kernel options to be present - kernel = platform.release() - kernel_config = read_file(f'/boot/config-{kernel}') + kernel_config = GzipFile('/proc/config.gz').read().decode('UTF-8') # T2886 - RADIUS authentication - check for statically compiled options options = ['CONFIG_AUDIT', 'CONFIG_AUDITSYSCALL', 'CONFIG_AUDIT_ARCH'] diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 30e823bd4..cff0c5039 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py 
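Review bot: The assertions added after `self.assertTrue(len(stdout) > 40)` only check the `L`/`P` flag printed by `passwd -S`, which reports the password lock state rather than whether the user can still authenticate. A disabled account that also has a public key or OTP configured could pass this test while a login still succeeds. Since `paramiko` is already imported in this file, consider adding a login attempt for `locked_user` that must fail while `disable` is set and succeed again once it is deleted. The enclosing test method starts outside the hunk.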
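Review bot: In `test_radius_kernel_features`, `GzipFile('/proc/config.gz').read().decode('UTF-8')` never closes the file object, so cleanup is left to the garbage collector and can surface as a ResourceWarning under unittest. Use a context manager instead: `with GzipFile('/proc/config.gz') as f:` followed by `kernel_config = f.read().decode('UTF-8')`. The test now also depends on `/proc/config.gz` being present, which presumably requires a kernel built with in-kernel config support. A one-line comment saying so would explain the switch away from `/boot/config-{kernel}`.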
@@ -367,6 +367,12 @@ def apply(login): if os.path.exists(f'{home_dir}/.google_authenticator'): os.remove(f'{home_dir}/.google_authenticator') + # Lock/Unlock local user account + lock_unlock = '--unlock' + if 'disable' in user_config: + lock_unlock = '--lock' + cmd(f'usermod {lock_unlock} {user}') + if 'rm_users' in login: for user in login['rm_users']: try: -- cgit v1.2.3
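Review bot: `usermod --lock` in the added block only locks the password (it prefixes the stored hash with `!`), so a disabled user who also has SSH public keys configured may still be able to log in, depending on sshd and PAM settings not visible here. usermod(8) itself advises setting the expiry date to 1 when the whole account, not just password access, should be locked. Consider `lock_unlock = '--lock --expiredate 1'` for the disable case and clearing the expiry again on the unlock path, after confirming that nothing else in this file manages account expiry. A short comment stating which login paths `disable` is meant to block would also help. `apply()` and the per-user loop that provides `user` and `user_config` start outside the hunk.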