diff options
author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 17:50:33 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 17:50:33 -0800 |
commit | b5bb8c35539d1b108e988d39153abc813c326b0f (patch) | |
tree | 75ad17b85eb82a2715ae3006916ee66477747c25 | |
parent | 2bc8990bc093cce92bcaddd82ee80b1c18223e5d (diff) | |
download | vyatta-cfg-quagga-b5bb8c35539d1b108e988d39153abc813c326b0f.tar.gz vyatta-cfg-quagga-b5bb8c35539d1b108e988d39153abc813c326b0f.zip |
Add additional check that new user doesn't exist in NSS
If user exists in NSS (LDAP, TACACS+) but not on local machine,
then it can not be changed with CLI. useradd will fail (user exists),
and usermod will fail (can't find user in passwd file).
Bug 5249
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | scripts/system/vyatta_check_username.pl | 66 | ||||
-rw-r--r-- | templates/system/login/user/node.def | 6 |
3 files changed, 68 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am index d284bfd4..8d738067 100644 --- a/Makefile.am +++ b/Makefile.am @@ -23,6 +23,7 @@ sbin_SCRIPTS += scripts/install-system sbin_SCRIPTS += scripts/vyatta-grub-setup sbin_SCRIPTS += scripts/standalone_root_pw_reset sbin_SCRIPTS += scripts/vyatta-passwd-sync +sbin_SCRIPTS += scripts/system/vyatta_check_username.pl sbin_SCRIPTS += scripts/system/vyatta_update_login.pl sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl new file mode 100644 index 00000000..254b3417 --- /dev/null +++ b/scripts/system/vyatta_check_username.pl @@ -0,0 +1,66 @@ +#!/usr/bin/perl + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +use strict; +use warnings; + +my $passwdFile = '/etc/passwd'; + +# Lookup user in password file which may not give same +# result as getpw* which uses NSS +sub finduser { + my $user = shift; + my $uid; + + open( my $f, '<', $passwdFile ) + or die "Can't open $passwdFile: $!"; + + while (<$f>) { + chomp; + my ( $name, undef, $id ) = split /:/; + + next unless ( $name eq $user ); + $uid = $id; + last; + } + close $f; + + return $uid; +} + +foreach my $user (@ARGV) { + my $uid = getpwnam($user); + + # User does not exist in system, its okay + next unless defined($uid); + + # System accounts should not be listed in vyatta configuration + # 1000 is SYS_UID_MIN + die "$user : account is already reserved for system use\n" + if ($uid > 0 && $uid < 1000); + + my $pwuid = finduser($user); + + die "$user : account exists but is not local (change on server)\n" + unless defined ($pwuid); + + die "$user : exists but has different uid on local versus remote\n" + unless ($pwuid eq $uid); +} + +exit 0; diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def index 89e10a9c..751767d6 100644 --- a/templates/system/login/user/node.def +++ b/templates/system/login/user/node.def @@ -5,11 +5,7 @@ help: Set user account information syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$" ; "invalid user name $VAR(@)" -# System accounts should not be listed in vyatta configuration -syntax:expression: exec "\ - uid=$(getent passwd $VAR(@) | awk -F: '{print $3}'); \ - [ -z \"$uid\" ] || [ $uid -eq 0 -o $uid -ge 1000 ]" \ - ; "user name \"$VAR(@)\" is reserved for internal usage" +syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_username.pl $VAR(@)" commit:expression: $VAR(authentication/encrypted-password) != "" || ($VAR(authentication/plaintext-password) != "" |