summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
commitb5bb8c35539d1b108e988d39153abc813c326b0f (patch)
tree75ad17b85eb82a2715ae3006916ee66477747c25
parent2bc8990bc093cce92bcaddd82ee80b1c18223e5d (diff)
downloadvyatta-cfg-quagga-b5bb8c35539d1b108e988d39153abc813c326b0f.tar.gz
vyatta-cfg-quagga-b5bb8c35539d1b108e988d39153abc813c326b0f.zip
Add additional check that new user doesn't exist in NSS
If user exists in NSS (LDAP, TACACS+) but not on local machine, then it can not be changed with CLI. useradd will fail (user exists), and usermod will fail (can't find user in passwd file). Bug 5249
-rw-r--r--Makefile.am1
-rw-r--r--scripts/system/vyatta_check_username.pl66
-rw-r--r--templates/system/login/user/node.def6
3 files changed, 68 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am
index d284bfd4..8d738067 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ sbin_SCRIPTS += scripts/install-system
sbin_SCRIPTS += scripts/vyatta-grub-setup
sbin_SCRIPTS += scripts/standalone_root_pw_reset
sbin_SCRIPTS += scripts/vyatta-passwd-sync
+sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
new file mode 100644
index 00000000..254b3417
--- /dev/null
+++ b/scripts/system/vyatta_check_username.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+my $passwdFile = '/etc/passwd';
+
+# Lookup user in password file which may not give same
+# result as getpw* which uses NSS
+sub finduser {
+ my $user = shift;
+ my $uid;
+
+ open( my $f, '<', $passwdFile )
+ or die "Can't open $passwdFile: $!";
+
+ while (<$f>) {
+ chomp;
+ my ( $name, undef, $id ) = split /:/;
+
+ next unless ( $name eq $user );
+ $uid = $id;
+ last;
+ }
+ close $f;
+
+ return $uid;
+}
+
+foreach my $user (@ARGV) {
+ my $uid = getpwnam($user);
+
+ # User does not exist in system, its okay
+ next unless defined($uid);
+
+ # System accounts should not be listed in vyatta configuration
+ # 1000 is SYS_UID_MIN
+ die "$user : account is already reserved for system use\n"
+ if ($uid > 0 && $uid < 1000);
+
+ my $pwuid = finduser($user);
+
+ die "$user : account exists but is not local (change on server)\n"
+ unless defined ($pwuid);
+
+ die "$user : exists but has different uid on local versus remote\n"
+ unless ($pwuid eq $uid);
+}
+
+exit 0;
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index 89e10a9c..751767d6 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
@@ -5,11 +5,7 @@ help: Set user account information
syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
; "invalid user name $VAR(@)"
-# System accounts should not be listed in vyatta configuration
-syntax:expression: exec "\
- uid=$(getent passwd $VAR(@) | awk -F: '{print $3}'); \
- [ -z \"$uid\" ] || [ $uid -eq 0 -o $uid -ge 1000 ]" \
- ; "user name \"$VAR(@)\" is reserved for internal usage"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_username.pl $VAR(@)"
commit:expression: $VAR(authentication/encrypted-password) != ""
|| ($VAR(authentication/plaintext-password) != ""