add override mechanism for protected users

2 files changed, 21 insertions, 0 deletions

diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index a44fe657..1a9f0bd5 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -166,6 +166,13 @@ cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf
 # this logs unnecessary messages trying to start ddclient
 rm -f /etc/ppp/ip-up.d/ddclient
 
+# set up protected users override file (if necessary)
+PU_FILE=/opt/vyatta/etc/protected-users
+if [ ! -r "$PU_FILE" ]; then
+  touch $PU_FILE
+  chmod 644 $PU_FILE
+fi
+
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 4
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index a94b8d08..f5e8337f 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -60,14 +60,28 @@ sub get_groups {
     return \%group_map;
 }
 
+# protected users override file
+my $protected_override = '/opt/vyatta/etc/protected-users';
+
 # make list of vyatta users (ie. users of vbash)
 sub _vyatta_users {
     my @vusers;
+    my %protected_override = ();
+    my $pfd;
+    if (open($pfd, '<', "$protected_override")) {
+	while (<$pfd>) {
+	    next if (!defined($_));
+	    chomp;
+	    $protected_override{$_} = 1; 
+	}
+	close($pfd);
+    }
     setpwent();
     # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
     #   = getpw*
     while ( my ($name, undef, undef, undef, undef, undef,
 		undef, undef, $shell) = getpwent() ) {
+	next if (defined($protected_override{$name}));
 	push @vusers, $name if ($shell eq '/bin/vbash');
     }
     endpwent();