summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am1
-rwxr-xr-xscripts/vyatta-passwd-sync280
2 files changed, 281 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 3ad950a8..c50c8560 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -16,6 +16,7 @@ sbin_SCRIPTS += scripts/rl-system.init
sbin_SCRIPTS += scripts/install-system
sbin_SCRIPTS += scripts/quick-install
sbin_SCRIPTS += scripts/standalone_root_pw_reset
+sbin_SCRIPTS += scripts/vyatta-passwd-sync
sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
diff --git a/scripts/vyatta-passwd-sync b/scripts/vyatta-passwd-sync
new file mode 100755
index 00000000..29748b67
--- /dev/null
+++ b/scripts/vyatta-passwd-sync
@@ -0,0 +1,280 @@
+#! /usr/bin/perl
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc.
+# All Rights Reserved.
+# **** End License ****
+
+use lib "/opt/vyatta/share/perl5/";
+use VyattaConfig;
+use strict;
+use Getopt::Long;
+
+my ( $resync, $verbose, $force, $check );
+
+GetOptions(
+ "verbose" => \$verbose,
+ "resync" => \$resync,
+ "force" => \$force,
+ "check" => \$check,
+);
+
+#
+# These should move to VyattaConfig.pm??
+#
+
+sub add_node {
+ my ( $config, $level ) = @_;
+ $level =~ s/\//%2F/g;
+ $level =~ s/\s+/\//g;
+
+ my $path =
+ $config->{_new_config_dir_base}
+ . $config->{_current_dir_level} . '/'
+ . $level;
+ if ( !-d $path ) {
+ mkdir $path or die "Can't make directory $path : $!\n";
+ }
+}
+
+sub set_node {
+ my ( $config, $level, $val ) = @_;
+ $level =~ s/\//%2F/g;
+ $level =~ s/\s+/\//g;
+ my $path =
+ $config->{_new_config_dir_base}
+ . $config->{_current_dir_level} . '/'
+ . $level;
+
+ if ( !-d $path ) {
+ system("mkdir -p $path");
+ }
+
+ my $fname = $path . '/node.val';
+
+ open my $output, '>', $fname
+ or die "Can't open $fname: $!\n";
+ print $output "$val\n";
+ close $output;
+}
+
+sub delete_node {
+ my ( $config, $level ) = @_;
+ $level =~ s/\//%2F/g;
+ $level =~ s/\s+/\//g;
+ my $path =
+ $config->{_new_config_dir_base}
+ . $config->{_current_dir_level} . '/'
+ . $level;
+ if ( -d $path ) {
+ system("rm -fr $path");
+ }
+}
+
+my $members;
+( undef, undef, undef, $members ) = getgrnam('operator');
+my @operators = split( / /, $members );
+
+( undef, undef, undef, $members ) = getgrnam('vyattacfg');
+my @admins = split( / /, $members );
+
+sub get_user_level {
+ my $name = shift;
+
+ return 'admin' if ( $name eq 'root' );
+
+ foreach my $id (@admins) {
+ return 'admin' if ( $id eq $name );
+ }
+
+ foreach my $id (@operators) {
+ return 'operator' if ( $id eq $name );
+ }
+
+ # If level indetermined returns undef
+}
+
+my @field_names =
+ ( 'encrypted password', 'full name', 'home directory', 'level' );
+
+sub system_vyatta_users {
+ my %users = ();
+ setpwent();
+ while (
+ my ( $name, $passwd, $uid, $gid, undef, $comment, undef, $home, $shell )
+ = getpwent() )
+ {
+ if ( $name eq 'root' || $shell eq '/bin/vbash' ) {
+ $users{$name} = [ $passwd, $comment, $home, get_user_level($name) ];
+ }
+ }
+ endpwent();
+
+ return %users;
+}
+
+sub listOrigUsers {
+ my $config = new VyattaConfig;
+ my %users = ();
+
+ foreach my $name ( $config->listOrigNodes('system login user') ) {
+ $config->setLevel("system login user $name");
+
+ my $passwd =
+ $config->returnOrigValue('authentication encrypted-password');
+ my $comment = $config->returnOrigValue('full-name');
+ my $home = $config->returnOrigValue('home-directory');
+ my $level = $config->returnOrigValue('level');
+ $level = 'admin' if ( !defined $level );
+
+ $users{$name} = [ $passwd, $comment, $home, $level ];
+ }
+
+ return %users;
+}
+
+sub check_config {
+ my %pwdusers = system_vyatta_users();
+ my %vtyusers = listOrigUsers();
+ my $exit_code = 0;
+
+ if ($verbose) {
+ printf "System users: %s\n", join( ', ', keys %pwdusers );
+ printf "Configured users: %s\n", join( ', ', keys %vtyusers );
+ }
+
+ while ( my ( $user, $fields ) = each(%vtyusers) ) {
+ my @pwd_fields = @{ $pwdusers{$user} };
+ my @cfg_fields = @$fields;
+
+ if (@pwd_fields) {
+ for ( my $i = 0 ; $i <= $#pwd_fields ; $i++ ) {
+ if ( $pwd_fields[$i] ne $cfg_fields[$i] ) {
+ printf "%s: %s mismatch: '%s' != '%s'\n", $user,
+ $field_names[$i], $pwd_fields[$i], $cfg_fields[$i];
+ $exit_code = 1;
+ }
+ }
+ delete $pwdusers{$user};
+ }
+ else {
+ print "$user: does not exist in system\n";
+ $exit_code = 1;
+ }
+ }
+
+ foreach my $user ( keys %pwdusers ) {
+ print "$user: does not exist in vyatta configuration\n";
+ $exit_code = 1;
+ }
+
+ exit $exit_code;
+}
+
+sub listUsers {
+ my $config = new VyattaConfig;
+ my %users = ();
+
+ foreach my $name ( $config->listOrigNodes('system login user') ) {
+ $config->setLevel("system login user $name");
+
+ my $passwd =
+ $config->returnOrigValue('authentication encrypted-password');
+ my $comment = $config->returnOrigValue('full-name');
+ my $home = $config->returnOrigValue('home-directory');
+ my $level = $config->returnOrigValue('level');
+ $level = 'admin' if ( !defined $level );
+
+ $users{$name} = [ $passwd, $comment, $home, $level ];
+ }
+
+ return %users;
+}
+
+sub resync_config {
+ my %system_users = system_vyatta_users();
+ my %vyatta_users = listUsers();
+ my $config = new VyattaConfig;
+
+ $config->setLevel('system login user');
+
+ foreach my $user ( keys %vyatta_users ) {
+ if ( !defined $system_users{$user} ) {
+ if ($force) {
+ print "Deleting user: $user\n" if ($verbose);
+ del_node( $config, $user );
+ }
+ else {
+ print "user: $user does not exist in passwd file\n";
+ }
+ }
+ }
+
+ foreach my $user ( keys %system_users ) {
+ my ( $passwd, $comment, $home, $level ) = @{ $system_users{$user} };
+
+ if ( !defined $level ) {
+ print "user $user: could not determine level (incorrect groups)\n";
+ next;
+ }
+
+ my $existing = $vyatta_users{$user};
+ if ( !defined $existing ) {
+ if ($force) {
+ print "Adding $user\n" if ($verbose);
+ add_node( $config, $user );
+ }
+ else {
+ print "user: $user does not exist in vyatta config\n";
+ next;
+ }
+ }
+ else {
+ my ( $opasswd, $ocomment, $ohome, $olevel ) = @{$existing};
+ if ( $opasswd eq $passwd
+ && $ocomment eq $comment
+ && $ohome eq $home
+ && $olevel eq $level ) {
+ print "$user: no change\n" if ($verbose);
+ next;
+ }
+ else {
+ print "$user: fields don't match\n" if ($verbose);
+ }
+ }
+
+ if ( $comment ne '' ) {
+ set_node( $config, "$user full-name", $comment );
+ }
+
+ set_node( $config, "$user authentication encrypted-password", $passwd );
+ set_node( $config, "$user level", $level );
+ set_node( $config, "$user home-directory", $home );
+ }
+}
+
+if ($check) {
+ check_config();
+ exit 0;
+}
+
+if ($resync) {
+ resync_config();
+ exit 0;
+}
+
+print <<EOF;
+usage: vyatta-passwd-sync.pl [--verbose ] [--force ] --resync
+ vyatta-passwd-sync.pl [--verbose ] --check
+EOF
+
+exit 1;