summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am6
-rw-r--r--lib/Vyatta/Login/Radius.pm (renamed from scripts/system/vyatta_update_radius.pl)67
-rwxr-xr-xlib/Vyatta/Login/User.pm156
-rw-r--r--[-rwxr-xr-x]scripts/system/vyatta_update_login.pl116
-rw-r--r--templates/system/login/node.def3
-rw-r--r--templates/system/login/radius-server/node.def1
-rw-r--r--templates/system/login/user/node.def1
7 files changed, 212 insertions, 138 deletions
diff --git a/Makefile.am b/Makefile.am
index 5152fb71..2168e11e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,5 @@
cfgdir = $(datadir)/vyatta-cfg/templates
-share_perl5dir = $(datarootdir)/perl5/Vyatta
+share_perl5dir = $(datarootdir)/perl5/Vyatta/Login
libudevdir = /lib/udev
etcudevdir = /etc/udev
bin_sudo_usersdir = $(bindir)/sudo-users
@@ -24,7 +24,6 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
sbin_SCRIPTS += scripts/standalone_root_pw_reset
sbin_SCRIPTS += scripts/vyatta-passwd-sync
sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
-sbin_SCRIPTS += scripts/system/vyatta_update_radius.pl
sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
@@ -44,6 +43,9 @@ sbin_SCRIPTS += scripts/vyatta-update-arp-params
sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl
sbin_SCRIPTS += scripts/vyatta-banner.pl
+share_perl5_DATA = lib/Vyatta/Login/User.pm
+share_perl5_DATA += lib/Vyatta/Login/Radius.pm
+
noinst_DATA = test_bootfile
bin_sudo_users_SCRIPTS = scripts/keepalived/vyatta-clear-vrrp.pl
diff --git a/scripts/system/vyatta_update_radius.pl b/lib/Vyatta/Login/Radius.pm
index 69e605da..6a949434 100644
--- a/scripts/system/vyatta_update_radius.pl
+++ b/lib/Vyatta/Login/Radius.pm
@@ -1,5 +1,3 @@
-#!/usr/bin/perl
-
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
@@ -16,7 +14,9 @@
#
# **** End License ****
+package Vyatta::Login::Radius;
use strict;
+use warnings;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
@@ -83,37 +83,44 @@ sub add_radius_servers {
return 1;
}
-# handle "radius-server"
-my $rconfig = new Vyatta::Config;
-$rconfig->setLevel("system login radius-server");
-my %servers = $rconfig->listNodeStatus();
-my @server_keys = sort keys %servers;
-if ( scalar(@server_keys) <= 0 ) {
+sub new {
+ my $that = shift;
+ my $class = ref($that) || $that;
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel("system login radius-server");
+ my %servers = $rconfig->listNodeStatus();
+ my $self = \%servers;
+
+ bless $self, $class;
- # all radius servers deleted
- exit 1 if ( !remove_pam_radius() );
- exit 0;
+ return $self;
}
-# we have some servers
-my $all_deleted = 1;
-my $server_str = '';
-remove_radius_servers();
-
-for my $server (@server_keys) {
- if ( $servers{$server} ne 'deleted' ) {
- $all_deleted = 0;
- my $port = $rconfig->returnValue("$server port");
- my $secret = $rconfig->returnValue("$server secret");
- my $timeout = $rconfig->returnValue("$server timeout");
- $server_str .= "$server:$port\t$secret\t$timeout\n";
+sub update {
+ my $self = shift;
+ my %servers = %$self;
+ my $server_str = '';
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel('system login radius-server');
+
+ if (%servers) {
+ remove_radius_servers();
+
+ for my $server (sort keys %servers) {
+ next if ( $servers{$server} eq 'deleted' );
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ $server_str .= "$server:$port\t$secret\t$timeout\n";
+ }
+
+ exit 1 if ( !add_radius_servers($server_str) );
+ exit 1 if ( !add_pam_radius() );
+
+ } else {
+ # all radius servers deleted
+ exit 1 if ( !remove_pam_radius() );
}
}
-if ($all_deleted) {
- # all radius servers deleted
- exit 1 if ( !remove_pam_radius() );
-} else {
- exit 1 if ( !add_radius_servers($server_str) );
- exit 1 if ( !add_pam_radius() );
-}
+1;
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
new file mode 100755
index 00000000..42bcbd53
--- /dev/null
+++ b/lib/Vyatta/Login/User.pm
@@ -0,0 +1,156 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::User;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+sub new {
+ my ( $that ) = @_;
+ my $class = ref($that) || $that;
+ $config->setLevel("system login user");
+ my %users = $config->listNodeStatus();
+ my @user_keys = sort keys %users;
+
+ if ( ( scalar(@user_keys) <= 0 )
+ || !( grep /^root$/, @user_keys )
+ || ( $users{'root'} eq 'deleted' ) )
+ {
+
+ # root is deleted
+ die "User \"root\" cannot be deleted\n";
+ }
+
+ my $self = \%users;
+ bless $self, $class;
+
+ return $self;
+}
+
+# Exit codes form useradd.8 man page
+my %reasons = (
+ 0 => 'success',
+ 1 => 'can´t update password file',
+ 2 => 'invalid command syntax',
+ 3 => 'invalid argument to option',
+ 4 => 'UID already in use (and no -o)',
+ 6 => 'specified group doesn´t exist',
+ 9 => 'username already in use',
+ 10 => 'can´t update group file',
+ 12 => 'can´t create home directory',
+ 13 => 'can´t create mail spool',
+);
+
+# Map of level to additional groups
+my %level_map = (
+ 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
+ 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
+);
+
+# Construct a map from existing users to group membership
+sub get_groups {
+ my %group_map;
+
+ setgrent();
+ while ( my ( $name, undef, undef, $members ) = getgrent() ) {
+ foreach my $user ( split / /, $members ) {
+ $group_map{$user} = [] unless ( $group_map{$user} );
+ my $g = $group_map{$user};
+ push @$g, $name;
+ }
+ }
+ endgrent();
+
+ return \%group_map;
+}
+
+sub update {
+ my $self = shift;
+ my %users = %$self;
+ my $membership = get_groups();
+ my $uconfig = new Vyatta::Config;
+
+ foreach my $user ( keys %users ) {
+ if ( $users{$user} eq 'deleted' ) {
+ system("sudo userdel -r '$user'") == 0
+ or die "userdel failed: $?\n";
+ }
+ elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
+ $uconfig->setLevel("system login user $user");
+ my $pwd =
+ $uconfig->returnValue('authentication encrypted-password');
+ $pwd or die "Encrypted password not in configuration for $user";
+
+ my $level = $uconfig->returnValue('level');
+ $level or die "Level not defined for $user";
+
+ # map level to group membership
+ my @new_groups = @{ $level_map{$level} };
+
+ # add any additional groups from configuration
+ push( @new_groups, $uconfig->returnValues('group') );
+
+ my $fname = $uconfig->returnValue('full-name');
+ my $home = $uconfig->returnValue('home-directory');
+
+ # Read existing settings
+ my (
+ undef, $opwd, $uid, $gid, undef,
+ $comment, undef, $dir, $shell, undef
+ ) = getpwnam($user);
+
+ my $old_groups = $membership->{$user};
+
+ my $cmd;
+
+ # not found in existing passwd, must be new
+ if ( !defined $uid ) {
+
+ # make new user using vyatta shell
+ # and make home directory (-m)
+ # and with default group of 100 (users)
+ $cmd = 'useradd -s /bin/vbash -m -N';
+ }
+ elsif ($opwd eq $pwd
+ && ( !$fname || $fname eq $comment )
+ && ( !$home || $home eq $dir )
+ && join( ' ', sort @$old_groups ) eq
+ join( ' ', sort @new_groups ) )
+ {
+
+ # If no part of password or group file changed
+ # then there is nothing to do here.
+ next;
+ }
+ else {
+ $cmd = "usermod";
+ }
+
+ $cmd .= " -p '$pwd'";
+ $cmd .= " -c \"$fname\"" if ( defined $fname );
+ $cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @new_groups );
+ system("sudo $cmd $user");
+ next if ( $? == 0 );
+ my $reason = $reasons{ ( $? >> 8 ) };
+ die "Attempt to change user $user failed: $reason\n";
+ }
+ }
+}
+
+1;
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index c8c064a7..b2125de1 100755..100644
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -20,111 +20,21 @@ use strict;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
-# handle "user"
-my $uconfig = new Vyatta::Config;
-$uconfig->setLevel("system login user");
+# This is just a simple wrapper that allows for extensiblility
+# of login types.
-my %users = $uconfig->listNodeStatus();
-my @user_keys = sort keys %users;
+my $config = new Vyatta::Config;
+$config->setLevel("system login");
-if ( ( scalar(@user_keys) <= 0 )
- || !( grep /^root$/, @user_keys )
- || ( $users{'root'} eq 'deleted' ) )
-{
- # root is deleted
- die "User \"root\" cannot be deleted\n";
-}
-
-# Exit codes form useradd.8 man page
-my %reasons = (
- 0 => 'success',
- 1 => 'can´t update password file',
- 2 => 'invalid command syntax',
- 3 => 'invalid argument to option',
- 4 => 'UID already in use (and no -o)',
- 6 => 'specified group doesn´t exist',
- 9 => 'username already in use',
- 10 => 'can´t update group file',
- 12 => 'can´t create home directory',
- 13 => 'can´t create mail spool',
-);
+foreach my $type ($config->listNodes()) {
+ my $kind = ucfirst $type;
+ my $location = "Vyatta/Login/$kind.pm";
+ my $class = "Vyatta::Login::$kind";
+
+ require $location;
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk'],
- 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
-);
+ my $obj = $class->new();
+ die "Don't understand $type" unless $obj;
-# Construct a map from existing users to group membership
-# Use space seperated format
-my %group_map;
-while (my ($name, undef, undef, $members) = getgrent()) {
- foreach my $user (split / /,$members) {
- my $g = $group_map{$user};
- if ($g) {
- my @l = split / /, $g;
- push @l, $name;
- $group_map{$user} = join(' ', sort @l);
- } else {
- $group_map{$user} = $name;
- }
-
- }
+ $obj->update();
}
-
-# we have some users
-for my $user (@user_keys) {
- if ( $users{$user} eq 'deleted' ) {
- system("sudo userdel -r '$user'") == 0
- or die "userdel failed: $?\n"
- }
- elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
- $uconfig->setLevel("system login user $user");
- my $pwd = $uconfig->returnValue('authentication encrypted-password');
- $pwd or die "Encrypted password not in configuration for $user";
-
- my $level = $uconfig->returnValue('level');
- $level or die "Level not defined for $user";
-
- # map level to group membership
- my @groups = @{$level_map{$level}};
- # add any additional groups from configuration
- push( @groups, $uconfig->returnValues('group') );
-
- my $fname = $uconfig->returnValue('full-name');
- my $home = $uconfig->returnValue('home-directory');
-
- # Read existing settings
- my (undef, $opwd, $uid, $gid, undef, $comment,
- undef, $dir, $shell, undef) = getpwnam($user);
-
- my $cmd;
- # not found in existing passwd, must be new
- if ( !defined $uid ) {
- # make new user using vyatta shell
- # and make home directory (-m)
- # and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
- } else {
- # If no part of password or group file changed
- # then there is nothing to do here.
- next if ( $opwd eq $pwd &&
- (!$fname || $fname eq $comment) &&
- (!$home || $home eq $dir) &&
- join(' ', sort @groups) eq $group_map{$user} );
-
- $cmd = "usermod";
- }
-
- $cmd .= " -p '$pwd'";
- $cmd .= " -c \"$fname\"" if ( defined $fname );
- $cmd .= " -d \"$home\"" if ( defined $home );
- $cmd .= ' -G ' . join( ',', @groups );
- system("sudo $cmd $user");
- next if ($? == 0);
- my $reason = $reasons{($? >> 8)};
- die "Attempt to change user $user failed: $reason\n";
- }
-}
-
-exit 0;
diff --git a/templates/system/login/node.def b/templates/system/login/node.def
index 66ac660c..9b24a71f 100644
--- a/templates/system/login/node.def
+++ b/templates/system/login/node.def
@@ -1,2 +1,3 @@
help: Set user access
-delete: echo 'User root cannot be deleted' 1>&2; exit 1
+delete: echo 'All login methods can not be deleted' 1>&2; exit 1
+end: /opt/vyatta/sbin/vyatta_update_login.pl
diff --git a/templates/system/login/radius-server/node.def b/templates/system/login/radius-server/node.def
index f74cc568..137a92a0 100644
--- a/templates/system/login/radius-server/node.def
+++ b/templates/system/login/radius-server/node.def
@@ -4,4 +4,3 @@ help: Set radius server authentication
commit:expression: $VAR(port) != "" && $VAR(secret) != ""
&& $VAR(timeout) != ""
; "Port, secret, and timeout must be specified for Radius"
-end: /opt/vyatta/sbin/vyatta_update_radius.pl
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index 26625b7f..d23a397f 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
@@ -7,4 +7,3 @@ commit:expression: $VAR(authentication/encrypted-password) != ""
; "user password must be specified"
syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
; "invalid user name $VAR(@)"
-end: /opt/vyatta/sbin/vyatta_update_login.pl