-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 6 | ||||
-rwxr-xr-x | lib/Vyatta/Login/User.pm | 72 | ||||
-rw-r--r-- | sysconf/level | 3 | ||||
-rw-r--r-- | sysconf/protected-user | 2 |
5 files changed, 59 insertions, 26 deletions
diff --git a/Makefile.am b/Makefile.am
index 99142777..df8c34b5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -70,6 +70,8 @@ sysconf_DATA += sysconf/securetty
 sysconf_DATA += sysconf/vyatta-sysctl.conf
 sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
+sysconf_DATA += sysconf/protected-user
+sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
 libudev_SCRIPTS = scripts/vyatta_net_name
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 3a914f7f..4809c4fe 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -118,6 +118,10 @@ EOF
 fi
 done
+ # Install pamradius config (should come with radius client eventually)
+ cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
+
+ cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc
 fi
 # update crontab for logrotate
@@ -148,8 +152,6 @@ update-rc.d -f ssh remove >/dev/null
 # for password
 sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
-# Install pamradius config (should come with radius client eventually)
-cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
 [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index f5e8337f..8c459850 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -19,6 +19,7 @@ use strict;
 use warnings;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
+use Vyatta::Login::Misc;
 # Exit codes form useradd.8 man page
 my %reasons = (
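Review bot: The new `cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc` line, and the relocated pam_radius `cp` just above it, have no error check, so a failed copy leaves the package configured while `/opt/vyatta/etc/level` and `protected-user` are missing; the Perl side of this same commit opens those files with `or return`, so a missing file silently yields no level groups and no protected users. Unless the script runs under `set -e` (not visible in the hunk) the copy should fail loudly, e.g. `install -m 0644 $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc || exit 1`, which also pins the mode of the installed lists instead of inheriting it from the build tree. Both copies now sit inside an `if ... fi` whose condition starts outside the hunk, so the pam_radius config is no longer installed unconditionally as it was before the move; if that is intended it deserves a one-line comment saying why. The enclosing block starts outside the hunk.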
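Review bot: `use Vyatta::Login::Misc;` is added but no symbol from it is referenced anywhere in this commit's hunks; if nothing else in User.pm uses it, drop the line, otherwise a short trailing comment naming what it provides (`# for <helper>`) would tell the next reader why the dependency exists. The rest of the preamble is outside the hunk.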
@@ -34,15 +35,6 @@ my %reasons = (
 13 => 'canĀ´t create mail spool',
 );
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
- 'operator' => [ 'quaggavty', 'vyattaop', 'operator', 'adm', 'dip', ],
-);
-
-# Users who MUST not use vbash
-my @protected = ( 'root', 'www-data' );
-
 # Construct a map from existing users to group membership
 sub get_groups {
 my %group_map;
@@ -60,28 +52,60 @@ sub get_groups {
 return \%group_map;
 }
+my $levelFile = "/opt/vyatta/etc/level";
+
+# Convert level to additional groups
+sub _level2groups {
+ my $level = shift;
+ my @groups;
+
+ open (my $f, '<', $levelFile)
+ or return;
+
+ while (<$f>) {
+ chomp;
+ next unless $_;
+
+ my ($l, $g) = split /:/;
+ if ($l eq $level) {
+ @groups = split(/,/, $g);
+ last;
+ }
+ }
+ close $f;
+ return @groups;
+}
+
 # protected users override file
-my $protected_override = '/opt/vyatta/etc/protected-users';
+my $protected_users = '/opt/vyatta/etc/protected-user';
+
+# Users who MUST not use vbash
+sub _protected_users {
+ my @protected;
+
+ open my $pfd, '<', $protected_users
+ or return;
+
+ while (<$pfd>) {
+ chomp;
+ next unless $_;
+
+ push @protected, $_;
+ }
+ close($pfd);
+ return @protected;
+}
+
 # make list of vyatta users (ie. users of vbash)
 sub _vyatta_users {
 my @vusers;
- my %protected_override = ();
- my $pfd;
- if (open($pfd, '<', "$protected_override")) {
- while (<$pfd>) {
- next if (!defined($_));
- chomp;
- $protected_override{$_} = 1;
- }
- close($pfd);
- }
+
 setpwent();
 # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) # = getpw*
 while ( my ($name, undef, undef, undef, undef, undef, undef, undef, $shell) = getpwent() ) {
- next if (defined($protected_override{$name}));
 push @vusers, $name if ($shell eq '/bin/vbash');
 }
 endpwent();
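Review bot: Both new readers fail open: `open (my $f, '<', $levelFile) or return;` and `open my $pfd, '<', $protected_users or return;` turn a missing or unreadable file into an empty list, and unlike the removed `%level_map` / `@protected` there is no built-in default left to fall back on. For `_protected_users` that is a safety regression rather than a cosmetic one: `_vyatta_users` no longer skips the override list, so with an empty protected list a root or www-data account that has been given /bin/vbash is not corrected by `update()` and, not being in the configured user set, reaches the `userdel --remove` branch in the later hunk instead. Make the failure loud, `or die "Cannot open $protected_users: $!";` and the same for `$levelFile`, or restore the former hard-coded lists as the fallback when the file is absent. The parsers also take every non-empty line verbatim, so a trailing space or a `#` comment in either file becomes a bogus user name or a level that never satisfies `$l eq $level`; `s/\s+\z//; next if /^#/;` after each `chomp` would harden both. Since whoever can edit /opt/vyatta/etc/protected-user now decides which accounts `update()` preserves, the installed file should be root-owned and not group-writable, which this hunk cannot show.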
@@ -120,7 +144,7 @@ sub update {
 }
 # map level to group membership
- my @new_groups = @{ $level_map{$level} };
+ my @new_groups = _level2groups($level);
 # add any additional groups from configuration
 push( @new_groups, $uconfig->returnValues('group') );
@@ -169,12 +193,12 @@ sub update {
 # Remove any vyatta users that do not exist in current configuration
 # This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } @protected;
+ my %protected = map { $_ => 1 } _protected_users();
 foreach my $user (_vyatta_users()) {
 if ($protected{$user}) {
 warn "User $user should not being using vbash - fixed\n";
 system ("usermod -s /bin/bash $user") == 0
- or die "Attemp to modify user $user shell failed: $!";
+ or die "Attempt to modify user $user shell failed: $!";
 } elsif (! defined $users{$user}) {
 warn "User $user not listed in current configuration\n";
 system ("userdel --remove $user") == 0
diff --git a/sysconf/level b/sysconf/level
new file mode 100644
index 00000000..2acfa491
--- /dev/null
+++ b/sysconf/level
@@ -0,0 +1,3 @@
+admin:quaggavty,vyattacfg,sudo,adm,dip,disk
+operator:quaggavty,vyattaop,operator,adm,dip
+
diff --git a/sysconf/protected-user b/sysconf/protected-user
new file mode 100644
index 00000000..04a60974
--- /dev/null
+++ b/sysconf/protected-user
@@ -0,0 +1,2 @@
+root
+www-data
|
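Review bot: `my @new_groups = _level2groups($level);` quietly yields an empty list for a level that has no entry in /opt/vyatta/etc/level, whereas the replaced `@{ $level_map{$level} }` died under `use strict` on an undefined entry, so an unknown or misspelled level now produces an account with none of the admin/operator groups instead of an error. Unless `$level` is validated earlier in `update()` (its start is outside the hunk), add `die "Unknown login level '$level'\n" unless @new_groups;` directly after the assignment, before the configured extra groups are pushed. `update()` continues outside the hunk.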