From 471b7e4ada3ab3ce69da161b9546056332b60ce2 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 26 Jan 2010 18:09:55 -0800
Subject: Get rid of protected-users file

Instead of white-listing special system users, just go with the Debian policy that all users with uid < 1000 are system accounts
---
 lib/Vyatta/Login/User.pm | 59 +++++++++++++++---------------------------------
 1 file changed, 18 insertions(+), 41 deletions(-)

(limited to 'lib/Vyatta')

diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 383978e4..1aee01dd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -59,43 +59,6 @@ sub _level_groups {
 return @groups;
 }
 
-# protected users override file
-my $protected_users = '/opt/vyatta/etc/protected-user';
-
-# Users who MUST not use vbash
-sub _protected_users {
- my @protected;
-
- open my $pfd, '<', $protected_users
- or return;
-
- while (<$pfd>) {
- chomp;
- next unless $_;
-
- push @protected, $_;
- }
- close($pfd);
- return @protected;
-}
-
-# make list of vyatta users (ie. users of vbash)
-sub _vyatta_users {
- my @vusers;
-
- setpwent();
-
- # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
- # = getpw*
- while ( my ($name, undef, undef, undef, undef, undef,
- undef, undef, $shell) = getpwent() ) {
- push @vusers, $name if ( $shell eq '/bin/vbash' );
- }
- endpwent();
-
- return @vusers;
-}
-
 sub _authorized_keys {
 my $user = shift;
 my $config = new Vyatta::Config;
@@ -208,6 +171,20 @@ sub _update_user {
 }
 }
 
+sub _local_users {
+ my @users;
+
+ setpwent();
+ while ( my ($name, undef, $uid) = getpwent() ) {
+ # Skip system accounts (< SYS_UID_MAX)
+ next if $uid < 1000;
+ push @users, $name;
+ }
+ endpwent();
+
+ return @users;
+}
+
 sub update {
 my $uconfig = new Vyatta::Config;
 $uconfig->setLevel("system login user");
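Review bot: The uid filter in `_local_users` only applies a lower bound, so accounts above the regular-user range are returned as local users; on Debian the `nobody` account is conventionally uid 65534 and login.defs caps ordinary accounts at UID_MAX (typically 60000), so `nobody` would be handed to the caller as a user missing from configuration. The Debian policy the commit message cites is a range, not a threshold, so `next if $uid < 1000 or $uid > 60000;` (or reading UID_MIN/UID_MAX from `/etc/login.defs` instead of hard-coding them) is the check that actually implements it. The comment `# Skip system accounts (< SYS_UID_MAX)` is also slightly misleading: 1000 is UID_MIN, SYS_UID_MAX is 999, so `# Skip system accounts (uid below UID_MIN)` reads truer. How the returned names are consumed is in `update`, whose body continues outside this hunk.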
@@ -228,11 +205,11 @@ sub update {
 _authorized_keys($user);
 }
 
- # Remove any vyatta users that do not exist in current configuration
+ # Remove any normal users that do not exist in current configuration
 # This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } _protected_users();
- foreach my $user ( _vyatta_users() ) {
- next if $protected{$user};
+ # and system is rebooted
+ foreach my $user ( _local_users() ) {
+ # did we see this user in configuration?
 next if defined $users{$user};
 
 warn "User $user not listed in current configuration\n";
-- 
cgit v1.2.3
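Review bot: The cleanup loop now considers every account with uid >= 1000 rather than only accounts whose login shell is `/bin/vbash`, and the override file that let an administrator exempt an account is gone with it, so a non-vbash account created locally by an admin or a package is warned about and, if the loop body past the hunk removes it as the comment "Remove any normal users" implies, deleted. If that widening is intended it deserves a comment saying so; if not, a guard at the top of the loop such as `next unless ( getpwnam($user) )[8] eq '/bin/vbash';` keeps the cleanup bounded to accounts this module manages without reviving the whitelist. The `foreach` body continues outside the hunk, so what follows the `warn` cannot be confirmed from here.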