From 78aef156293581ce5028ff22d752241cc2e9525b Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Fri, 29 May 2009 18:31:08 -0700 Subject: 0.15.48+jenner1 --- debian/changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/debian/changelog b/debian/changelog index cdb4d2bb..b7dc5875 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +vyatta-cfg-system (0.15.48+jenner1) unstable; urgency=low + + [ Stephen Hemminger ] + * Print error message on failure to create group/user + + [ Mohit Mehta ] + * move server,protocol to the same line in config file + + [ An-Cheng Huang ] + + -- An-Cheng Huang Fri, 29 May 2009 18:31:07 -0700 + vyatta-cfg-system (0.15.48) unstable; urgency=low * Restore default facility for 'syslog console' -- cgit v1.2.3 From ab857f46cb19f9acdc53afb496ce6a13f3636b2f Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Sat, 30 May 2009 12:54:32 -0700 Subject: Change tunnel multicast from on/off to enable/disable. --- templates/interfaces/tunnel/node.def | 7 +++++-- templates/interfaces/tunnel/node.tag/multicast/node.def | 13 +++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index 68302461..77aaa5fa 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def @@ -16,11 +16,14 @@ create:expression: "\ if [ -n \"$VAR(./key/@)\" ]; then \ KEY=\"key $VAR(./key/@)\"; \ fi; \ - MC=\"multicast $VAR(./multicast/@) allmulticast $VAR(./multicast/@)\"; \ + if [ x$VAR(./multicast/@) == xenable ]; then \ + MC=\"multicast on allmulticast on\"; \ + fi; \ sudo ip tunnel add $VAR(@) \ local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) \ mode $VAR(./encapsulation/@) $KEY; \ - sudo ip link set $VAR(@) $MC up;" ; "Error creating $VAR(@)" + sudo ip link set $VAR(@) $MC up;" ; \ + "Error creating $VAR(@)" delete:expression: "sudo ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" 
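Review bot: `MC` is only assigned inside the new `if [ x$VAR(./multicast/@) == xenable ]` branch, so with the default `disable` value the later `sudo ip link set $VAR(@) $MC up` expands whatever `MC` happens to hold in the environment of the commit shell, not an empty string; add `MC=\"\"; \` before the `if` so the disabled case is explicit. `==` inside `[ ]` is a bash extension; `=` is the POSIX form and behaves the same here. The create:expression string this hunk edits starts before the hunk.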
diff --git a/templates/interfaces/tunnel/node.tag/multicast/node.def b/templates/interfaces/tunnel/node.tag/multicast/node.def index 2b9762e1..d7662306 100644 --- a/templates/interfaces/tunnel/node.tag/multicast/node.def +++ b/templates/interfaces/tunnel/node.tag/multicast/node.def @@ -1,13 +1,14 @@ type: txt -help: Define multicast operation over tunnel -default: "off" -syntax:expression: $VAR(@) in "on", "off"; "Must be (on, off)" +help: Set multicast operation over tunnel +default: "disable" + +syntax:expression: $VAR(@) in "enable", "disable"; \ + "Must be 'disable' or 'enable'" create:expression: "true" update:expression: "false" ; \ "Multicast should be set at tunnel creation for $VAR(../@)" comp_help: "possible completions: - on Enable Multicast - off Disable Multicast (default) - + enable Enable Multicast + disable Disable Multicast (default) -- cgit v1.2.3 From 2ab3e1427c62f86ee7e1b0f6c84ac1ecad23af4e Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Sat, 30 May 2009 12:55:40 -0700 Subject: 0.15.48+jenner2 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index b7dc5875..3ef321e5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.15.48+jenner2) unstable; urgency=low + + * Change tunnel multicast from on/off to enable/disable. + + -- Stig Thormodsrud Sat, 30 May 2009 12:55:39 -0700 + vyatta-cfg-system (0.15.48+jenner1) unstable; urgency=low [ Stephen Hemminger ] -- cgit v1.2.3 From ba165c0e0cf3929ab29b45468cf550eda771c37d Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Sun, 31 May 2009 11:20:26 -0700 Subject: Fix bug preventing 'vyatta' user login. --- scripts/system/vyatta_update_login.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index c8d0a23a..c8c064a7 100755 --- a/scripts/system/vyatta_update_login.pl 
+++ b/scripts/system/vyatta_update_login.pl
@@ -121,7 +121,7 @@ for my $user (@user_keys) {
 $cmd .= " -d \"$home\"" if ( defined $home );
 $cmd .= ' -G ' . join( ',', @groups );
 system("sudo $cmd $user");
- return if ($? == 0);
+ next if ($? == 0);
 my $reason = $reasons{($? >> 8)};
 die "Attempt to change user $user failed: $reason\n";
 }
-- 
cgit v1.2.3

From 4fe8899237f366147e987a06fd1ca3abd458966b Mon Sep 17 00:00:00 2001
From: Stig Thormodsrud
Date: Sun, 31 May 2009 11:21:43 -0700
Subject: 0.15.48+jenner3

---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3ef321e5..3d4c5a5e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vyatta-cfg-system (0.15.48+jenner3) unstable; urgency=low
+
+ * Fix bug preventing 'vyatta' user login.
+
+ -- Stig Thormodsrud Sun, 31 May 2009 11:21:43 -0700
+
 vyatta-cfg-system (0.15.48+jenner2) unstable; urgency=low
 
 * Change tunnel multicast from on/off to enable/disable.
-- 
cgit v1.2.3

From 673cd442f89a4df1e7d790276ea73c03ac5596b6 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 1 Jun 2009 09:03:47 -0700
Subject: Fix deletion of pseudo-ethernet

Bug 4478 Incorrect syntax on ip link command.
---
 templates/interfaces/pseudo-ethernet/node.def | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/interfaces/pseudo-ethernet/node.def b/templates/interfaces/pseudo-ethernet/node.def
index 1279b788..60343e7d 100644
--- a/templates/interfaces/pseudo-ethernet/node.def
+++ b/templates/interfaces/pseudo-ethernet/node.def
@@ -8,5 +8,5 @@ commit:expression: $VAR(link) != ""
 create: sudo ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1
 sudo ip link set $VAR(@) up
 /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on
-delete: sudo ip link del link $VAR(@) link $VAR(link/@)
+delete: sudo ip link delete dev $VAR(@) type macvlan
 comp_help: Enter virtual ethernet interface name (peth0 - peth999)
-- 
cgit v1.2.3
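Review bot: `$reasons{($? >> 8)}` two lines below the changed line is undefined for any exit status outside the table (127 when sudo or the command cannot be run, for instance) and reads 'success' when the child died from a signal, since `$? >> 8` is then 0, so the `die` reports an empty or misleading reason; `my $reason = $reasons{ $? >> 8 } || sprintf 'unexpected status %d', $?;` keeps the table lookup and still names the failure. The enclosing `for` loop and the `%reasons` table start before this hunk.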
From 11b14df671c37a69dd9aaab0d36703d11465df93 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 1 Jun 2009 15:17:50 -0700
Subject: Ignore patch and editor temporary files

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 30ff063d..496dcf53 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
+*.orig
+*.rej
+*#
 *~
 .*.swp
 /aclocal.m4
-- 
cgit v1.2.3

From bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 1 Jun 2009 15:17:13 -0700
Subject: Change how system login update works

Use a wrapper script in vyatta_update_login.pl and per login method objects for the update.
---
 Makefile.am | 6 +-
 lib/Vyatta/Login/Radius.pm | 126 +++++++++++++++++++++
 lib/Vyatta/Login/User.pm | 156 ++++++++++++++++++++++++++
 scripts/system/vyatta_update_login.pl | 116 +++----------------
 scripts/system/vyatta_update_radius.pl | 119 --------------------
 templates/system/login/node.def | 3 +-
 templates/system/login/radius-server/node.def | 1 -
 templates/system/login/user/node.def | 1 -
 8 files changed, 301 insertions(+), 227 deletions(-)
 create mode 100644 lib/Vyatta/Login/Radius.pm
 create mode 100755 lib/Vyatta/Login/User.pm
 mode change 100755 => 100644 scripts/system/vyatta_update_login.pl
 delete mode 100644 scripts/system/vyatta_update_radius.pl

diff --git a/Makefile.am b/Makefile.am
index 5152fb71..2168e11e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,5 @@
 cfgdir = $(datadir)/vyatta-cfg/templates
-share_perl5dir = $(datarootdir)/perl5/Vyatta
+share_perl5dir = $(datarootdir)/perl5/Vyatta/Login
 libudevdir = /lib/udev
 etcudevdir = /etc/udev
 bin_sudo_usersdir = $(bindir)/sudo-users
@@ -24,7 +24,6 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
-sbin_SCRIPTS += scripts/system/vyatta_update_radius.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
@@ -44,6 +43,9 @@ sbin_SCRIPTS += scripts/vyatta-update-arp-params
 sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl
 sbin_SCRIPTS += scripts/vyatta-banner.pl
 
+share_perl5_DATA = lib/Vyatta/Login/User.pm
+share_perl5_DATA += lib/Vyatta/Login/Radius.pm
+
 noinst_DATA = test_bootfile
 
 bin_sudo_users_SCRIPTS = scripts/keepalived/vyatta-clear-vrrp.pl
diff --git a/lib/Vyatta/Login/Radius.pm b/lib/Vyatta/Login/Radius.pm
new file mode 100644
index 00000000..6a949434
--- /dev/null
+++ b/lib/Vyatta/Login/Radius.pm
@@ -0,0 +1,126 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::Radius;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
+my $PAM_RAD_END = '# END Vyatta Radius servers';
+
+sub is_pam_radius_present {
+ open( my $auth , '<' , '/etc/pam.d/common-auth' )
+ or die "Cannot open /etc/pam.d/common-auth\n";
+
+ my $present;
+ while (<$auth>) {
+ if (/\ssufficient\spam_radius_auth\.so$/) {
+ $present = 1;
+ last;
+ }
+ }
+ close $auth;
+ return $present;
+}
+
+sub remove_pam_radius {
+ return 1 if ( !is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
+ . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_pam_radius {
+ return 1 if ( is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
+ . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
+ . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub remove_radius_servers {
+ system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
+ . "$PAM_RAD_CFG" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_radius_servers {
+ my $str = shift;
+ system( "sudo sh -c \""
+ . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub new {
+ my $that = shift;
+ my $class = ref($that) || $that;
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel("system login radius-server");
+ my %servers = $rconfig->listNodeStatus();
+ my $self = \%servers;
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub update {
+ my $self = shift;
+ my %servers = %$self;
+ my $server_str = '';
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel('system login radius-server');
+
+ if (%servers) {
+ remove_radius_servers();
+
+ for my $server (sort keys %servers) {
+ next if ( $servers{$server} eq 'deleted' );
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ $server_str .= "$server:$port\t$secret\t$timeout\n";
+ }
+
+ exit 1 if ( !add_radius_servers($server_str) );
+ exit 1 if ( !add_pam_radius() );
+
+ } else {
+ # all radius servers deleted
+ exit 1 if ( !remove_pam_radius() );
+ }
+}
+
+1;
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
new file mode 100755
index 00000000..42bcbd53
--- /dev/null
+++ b/lib/Vyatta/Login/User.pm
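Review bot: `update` no longer handles the case where every radius server is deleted: `listNodeStatus()` still returns the deleted nodes, so `if (%servers)` takes the first branch, writes an empty server block and calls `add_pam_radius`, leaving `pam_radius_auth.so` marked `sufficient` in common-auth with no servers listed, whereas the removed vyatta_update_radius.pl tracked `$all_deleted` and called `remove_pam_radius` instead; branch on the live servers, e.g. `my @active = grep { $servers{$_} ne 'deleted' } sort keys %servers;` followed by `if (@active) { ... } else { ... }`. The same method calls `exit 1` from inside an object method, which terminates the wrapper before any other login type is processed; `die "...\n"` hands the failure and its reason back to the caller. Separately, `add_radius_servers` places every server's shared secret on a `sudo sh -c "echo '...'"` command line, where it is readable in the process list while the command runs and where a secret containing a quote breaks the shell quoting; feeding the block through a pipe keeps it off argv, as below.
```perl
sub add_radius_servers {
    my $str = shift;
    # the server block (including secrets) travels over stdin, not argv
    open my $out, '|-', 'sudo', 'sh', '-c', "cat >> $PAM_RAD_CFG"
        or return 0;
    print {$out} "$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n\n";
    close $out or return 0;
    return 1;
}
```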
@@ -0,0 +1,156 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::User;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+sub new {
+ my ( $that ) = @_;
+ my $class = ref($that) || $that;
+ $config->setLevel("system login user");
+ my %users = $config->listNodeStatus();
+ my @user_keys = sort keys %users;
+
+ if ( ( scalar(@user_keys) <= 0 )
+ || !( grep /^root$/, @user_keys )
+ || ( $users{'root'} eq 'deleted' ) )
+ {
+
+ # root is deleted
+ die "User \"root\" cannot be deleted\n";
+ }
+
+ my $self = \%users;
+ bless $self, $class;
+
+ return $self;
+}
+
+# Exit codes form useradd.8 man page
+my %reasons = (
+ 0 => 'success',
+ 1 => 'can´t update password file',
+ 2 => 'invalid command syntax',
+ 3 => 'invalid argument to option',
+ 4 => 'UID already in use (and no -o)',
+ 6 => 'specified group doesn´t exist',
+ 9 => 'username already in use',
+ 10 => 'can´t update group file',
+ 12 => 'can´t create home directory',
+ 13 => 'can´t create mail spool',
+);
+
+# Map of level to additional groups
+my %level_map = (
+ 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
+ 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
+);
+
+# Construct a map from existing users to group membership
+sub get_groups {
+ my %group_map;
+
+ setgrent();
+ while ( my ( $name, undef, undef, $members ) = getgrent() ) {
+ foreach my $user ( split / /, $members ) {
+ $group_map{$user} = [] unless ( $group_map{$user} );
+ my $g = $group_map{$user};
+ push @$g, $name;
+ }
+ }
+ endgrent();
+
+ return \%group_map;
+}
+
+sub update {
+ my $self = shift;
+ my %users = %$self;
+ my $membership = get_groups();
+ my $uconfig = new Vyatta::Config;
+
+ foreach my $user ( keys %users ) {
+ if ( $users{$user} eq 'deleted' ) {
+ system("sudo userdel -r '$user'") == 0
+ or die "userdel failed: $?\n";
+ }
+ elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
+ $uconfig->setLevel("system login user $user");
+ my $pwd =
+ $uconfig->returnValue('authentication encrypted-password');
+ $pwd or die "Encrypted password not in configuration for $user";
+
+ my $level = $uconfig->returnValue('level');
+ $level or die "Level not defined for $user";
+
+ # map level to group membership
+ my @new_groups = @{ $level_map{$level} };
+
+ # add any additional groups from configuration
+ push( @new_groups, $uconfig->returnValues('group') );
+
+ my $fname = $uconfig->returnValue('full-name');
+ my $home = $uconfig->returnValue('home-directory');
+
+ # Read existing settings
+ my (
+ undef, $opwd, $uid, $gid, undef,
+ $comment, undef, $dir, $shell, undef
+ ) = getpwnam($user);
+
+ my $old_groups = $membership->{$user};
+
+ my $cmd;
+
+ # not found in existing passwd, must be new
+ if ( !defined $uid ) {
+
+ # make new user using vyatta shell
+ # and make home directory (-m)
+ # and with default group of 100 (users)
+ $cmd = 'useradd -s /bin/vbash -m -N';
+ }
+ elsif ($opwd eq $pwd
+ && ( !$fname || $fname eq $comment )
+ && ( !$home || $home eq $dir )
+ && join( ' ', sort @$old_groups ) eq
+ join( ' ', sort @new_groups ) )
+ {
+
+ # If no part of password or group file changed
+ # then there is nothing to do here.
+ next;
+ }
+ else {
+ $cmd = "usermod";
+ }
+
+ $cmd .= " -p '$pwd'";
+ $cmd .= " -c \"$fname\"" if ( defined $fname );
+ $cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @new_groups );
+ system("sudo $cmd $user");
+ next if ( $? == 0 );
+ my $reason = $reasons{ ( $? >> 8 ) };
+ die "Attempt to change user $user failed: $reason\n";
+ }
+ }
+}
+
+1;
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
old mode 100755
new mode 100644
index c8c064a7..b2125de1
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
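Review bot: `$config` in `new` is never declared in this file — the `my $config` lexical in vyatta_update_login.pl is not visible to a required module — so under `use strict` the module fails to compile when the wrapper `require`s it and no user update runs at all; declare it, `my $config = Vyatta::Config->new;`, before the `setLevel` call. In `update`, `sort @$old_groups` is a strict-refs error when `$membership->{$user}` is undef, i.e. an existing account that appears in no member list in /etc/group; `my $old_groups = $membership->{$user} || [];` covers it. `$pwd`, `$fname` and `$home` are still spliced into one shell string for `system("sudo $cmd $user")`, so a `"` in a full-name or home-directory value breaks the quoting; collecting the options into `@args` and calling `system('sudo', @args, $user)` would bypass the shell entirely.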
@@ -20,111 +20,21 @@ use strict;
 use lib "/opt/vyatta/share/perl5";
 use Vyatta::Config;
 
-# handle "user"
-my $uconfig = new Vyatta::Config;
-$uconfig->setLevel("system login user");
+# This is just a simple wrapper that allows for extensiblility
+# of login types.
 
-my %users = $uconfig->listNodeStatus();
-my @user_keys = sort keys %users;
+my $config = new Vyatta::Config;
+$config->setLevel("system login");
 
-if ( ( scalar(@user_keys) <= 0 )
- || !( grep /^root$/, @user_keys )
- || ( $users{'root'} eq 'deleted' ) )
-{
- # root is deleted
- die "User \"root\" cannot be deleted\n";
-}
-
-# Exit codes form useradd.8 man page
-my %reasons = (
- 0 => 'success',
- 1 => 'can´t update password file',
- 2 => 'invalid command syntax',
- 3 => 'invalid argument to option',
- 4 => 'UID already in use (and no -o)',
- 6 => 'specified group doesn´t exist',
- 9 => 'username already in use',
- 10 => 'can´t update group file',
- 12 => 'can´t create home directory',
- 13 => 'can´t create mail spool',
-);
+foreach my $type ($config->listNodes()) {
+ my $kind = ucfirst $type;
+ my $location = "Vyatta/Login/$kind.pm";
+ my $class = "Vyatta::Login::$kind";
+
+ require $location;
 
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk'],
- 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
-);
+ my $obj = $class->new();
+ die "Don't understand $type" unless $obj;
 
-# Construct a map from existing users to group membership
-# Use space seperated format
-my %group_map;
-while (my ($name, undef, undef, $members) = getgrent()) {
- foreach my $user (split / /,$members) {
- my $g = $group_map{$user};
- if ($g) {
- my @l = split / /, $g;
- push @l, $name;
- $group_map{$user} = join(' ', sort @l);
- } else {
- $group_map{$user} = $name;
- }
-
- }
+ $obj->update();
 }
-
-# we have some users
-for my $user (@user_keys) {
- if ( $users{$user} eq 'deleted' ) {
- system("sudo userdel -r '$user'") == 0
- or die "userdel failed: $?\n"
- }
- elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
- $uconfig->setLevel("system login user $user");
- my $pwd = $uconfig->returnValue('authentication encrypted-password');
- $pwd or die "Encrypted password not in configuration for $user";
-
- my $level = $uconfig->returnValue('level');
- $level or die "Level not defined for $user";
-
- # map level to group membership
- my @groups = @{$level_map{$level}};
- # add any additional groups from configuration
- push( @groups, $uconfig->returnValues('group') );
-
- my $fname = $uconfig->returnValue('full-name');
- my $home = $uconfig->returnValue('home-directory');
-
- # Read existing settings
- my (undef, $opwd, $uid, $gid, undef, $comment,
- undef, $dir, $shell, undef) = getpwnam($user);
-
- my $cmd;
- # not found in existing passwd, must be new
- if ( !defined $uid ) {
- # make new user using vyatta shell
- # and make home directory (-m)
- # and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
- } else {
- # If no part of password or group file changed
- # then there is nothing to do here.
- next if ( $opwd eq $pwd &&
- (!$fname || $fname eq $comment) &&
- (!$home || $home eq $dir) &&
- join(' ', sort @groups) eq $group_map{$user} );
-
- $cmd = "usermod";
- }
-
- $cmd .= " -p '$pwd'";
- $cmd .= " -c \"$fname\"" if ( defined $fname );
- $cmd .= " -d \"$home\"" if ( defined $home );
- $cmd .= ' -G ' . join( ',', @groups );
- system("sudo $cmd $user");
- next if ($? == 0);
- my $reason = $reasons{($? >> 8)};
- die "Attempt to change user $user failed: $reason\n";
- }
-}
-
-exit 0;
diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl
deleted file mode 100644
index 69e605da..00000000
--- a/scripts/system/vyatta_update_radius.pl
+++ /dev/null
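Review bot: `my $kind = ucfirst $type;` turns the `radius-server` node (templates/system/login/radius-server/node.def, still present after this commit) into `Vyatta/Login/Radius-server.pm`, but the file this commit installs is `lib/Vyatta/Login/Radius.pm`, so `require $location` should die with "Can't locate" as soon as a radius server is configured — presumably only the `user` path was exercised. An explicit table, `my %class_of = ( user => 'User', 'radius-server' => 'Radius' );` with `my $kind = $class_of{$type} or die "Unknown login type $type\n";`, fixes the mapping and also means the path handed to `require` is no longer derived from a configuration node name. The `die "Don't understand $type" unless $obj;` check cannot fire, since both constructors return a blessed reference; the comment above the loop also misspells "extensibility".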
@@ -1,119 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; -my $PAM_RAD_END = '# END Vyatta Radius servers'; - -sub is_pam_radius_present { - open( my $auth , '<' , '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } - close $auth; - return $present; -} - -sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? 
>> 8 ); - return 1; -} - -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - -# handle "radius-server" -my $rconfig = new Vyatta::Config; -$rconfig->setLevel("system login radius-server"); -my %servers = $rconfig->listNodeStatus(); -my @server_keys = sort keys %servers; -if ( scalar(@server_keys) <= 0 ) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); - exit 0; -} - -# we have some servers -my $all_deleted = 1; -my $server_str = ''; -remove_radius_servers(); - -for my $server (@server_keys) { - if ( $servers{$server} ne 'deleted' ) { - $all_deleted = 0; - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } -} - -if ($all_deleted) { - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); -} else { - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); -} diff --git a/templates/system/login/node.def b/templates/system/login/node.def index 66ac660c..9b24a71f 100644 --- a/templates/system/login/node.def +++ b/templates/system/login/node.def @@ -1,2 +1,3 @@ help: Set user access -delete: echo 'User root cannot be deleted' 1>&2; exit 1 +delete: echo 'All login methods can not be deleted' 1>&2; exit 1 +end: /opt/vyatta/sbin/vyatta_update_login.pl diff --git a/templates/system/login/radius-server/node.def b/templates/system/login/radius-server/node.def index f74cc568..137a92a0 100644 --- a/templates/system/login/radius-server/node.def +++ b/templates/system/login/radius-server/node.def 
@@ -4,4 +4,3 @@ help: Set radius server authentication commit:expression: $VAR(port) != "" && $VAR(secret) != "" && $VAR(timeout) != "" ; "Port, secret, and timeout must be specified for Radius" -end: /opt/vyatta/sbin/vyatta_update_radius.pl diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def index 26625b7f..d23a397f 100644 --- a/templates/system/login/user/node.def +++ b/templates/system/login/user/node.def @@ -7,4 +7,3 @@ commit:expression: $VAR(authentication/encrypted-password) != "" ; "user password must be specified" syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$" ; "invalid user name $VAR(@)" -end: /opt/vyatta/sbin/vyatta_update_login.pl -- cgit v1.2.3 From 19a38fe4d18f05d69b97c6785d5ef752479db7bb Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 1 Jun 2009 15:50:29 -0700 Subject: 0.15.48+jenner4 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3d4c5a5e..dac93447 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +vyatta-cfg-system (0.15.48+jenner4) unstable; urgency=low + + * Fix deletion of pseudo-ethernet + * Ignore patch and editor temporary files + * Change how system login update works + + -- Stephen Hemminger Mon, 01 Jun 2009 15:50:29 -0700 + vyatta-cfg-system (0.15.48+jenner3) unstable; urgency=low * Fix bug preventing 'vyatta' user login. -- cgit v1.2.3