diff options
| author | An-Cheng Huang <ancheng@vyatta.com> | 2007-12-04 14:06:49 -0800 |
|---|---|---|
| committer | An-Cheng Huang <ancheng@vyatta.com> | 2007-12-04 14:06:49 -0800 |
| commit | d85b9132e5817f7a10eb93b52c2696711bc5d18d (patch) | |
| tree | d7eacf2b33d43adf6fef541b35ad2f898a444775 | |
| parent | 30cc647675e017e7fd602bf841d1eee87346deee (diff) | |
| download | vyatta-cfg-system-d85b9132e5817f7a10eb93b52c2696711bc5d18d.tar.gz vyatta-cfg-system-d85b9132e5817f7a10eb93b52c2696711bc5d18d.zip | |
* change "user group" to "user level".
* "admin" => "users", "quaggavty", "vyattacfg", "sudo".
* "users" => "users", "quaggavty"
* use "sudo" group for sudo permissions.
* don't add "root" to /etc/group.
| -rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 5 | ||||
| -rwxr-xr-x | scripts/system/vyatta_update_login_user.pl | 30 | ||||
| -rw-r--r-- | templates/system/login/user/node.def | 2 | ||||
| -rw-r--r-- | templates/system/login/user/node.tag/level/node.def (renamed from templates/system/login/user/node.tag/group/node.def) | 4 |
4 files changed, 26 insertions, 15 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 2c9f0fbf..4420ce7c 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -39,8 +39,9 @@ if [ "$sysconfdir" != "/etc" ]; then # sudoers [ -f /etc/sudoers ] && cp -pf /etc/sudoers /etc/sudoers.vyatta-save - if ! grep -q '%quaggavty ALL=NOPASSWD: ALL' /etc/sudoers; then - echo -e "\n%quaggavty ALL=NOPASSWD: ALL" >> /etc/sudoers + sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers + if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then + echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers fi echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers diff --git a/scripts/system/vyatta_update_login_user.pl b/scripts/system/vyatta_update_login_user.pl index d84ee4b0..05ff0b16 100755 --- a/scripts/system/vyatta_update_login_user.pl +++ b/scripts/system/vyatta_update_login_user.pl @@ -103,7 +103,7 @@ sub add_user_to_group { my $user = shift; my $full = shift; my $encrypted = shift; -my $group = shift; +my $level = shift; # emulate lckpwdf(3). # difference: we only try to lock it once (non-blocking). lckpwdf will block @@ -136,14 +136,19 @@ if ($user eq "-d") { exit 0; } -my %group_map = ( - 'admin' => 'quaggavty', - 'users' => 'users', +my %level_map = ( + 'admin' => [ 'users', 'quaggavty', 'vyattacfg', 'sudo', ], + 'users' => [ 'users', 'quaggavty', ], ); exit 4 if (!defined($user) || !defined($full) || !defined($encrypted) - || !defined($group)); -exit 4 if (!defined($group_map{$group})); -$group = $group_map{$group}; + || !defined($level)); +exit 4 if (!defined($level_map{$level})); +my $gref = $level_map{$level}; +my @groups = @{$gref}; +my $def_grp = $groups[0]; +if ($user eq 'root') { + $def_grp = 'root'; +} # note that DEF_SHELL doesn't affect root since root is never "added" my $DEF_SHELL = "/bin/vbash"; @@ -152,7 +157,7 @@ open(GRP, "/etc/group") or exit 5; my $def_gid = undef; while (<GRP>) { my @group_fields = split /:/; - if ($group_fields[0] eq $group) { + if ($group_fields[0] eq $def_grp) { $def_gid = $group_fields[2]; last; } @@ -202,7 +207,12 @@ open(SHADOW, ">>/etc/shadow") or exit 12; print SHADOW "$shadow_line\n"; close SHADOW; -add_user_to_group($user, $group); +# root doesn't need to be added to group +if ($user ne 'root') { + foreach my $group (@groups) { + add_user_to_group($user, $group); + } +} if (($new_user) && !(-e "/home/$user")) { if (-d "/etc/skel") { @@ -210,7 +220,7 @@ if (($new_user) && !(-e "/home/$user")) { exit 13 if ($ret >> 8); $ret = system("chmod 755 /home/$user"); exit 14 if ($ret >> 8); - $ret = system("chown -R $user:$group /home/$user"); + $ret = system("chown -R $user:$def_grp /home/$user"); exit 15 if ($ret >> 8); } else { $ret = system("mkdir -p /home/$user"); diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def index fbac0c54..d05ac373 100644 --- a/templates/system/login/user/node.def +++ b/templates/system/login/user/node.def @@ -9,7 +9,7 @@ then rm -rf /tmp/vyatta-delete-system-login-user-$(@).\\\$PPID && exit 0; \ fi && \ sudo /opt/vyatta/sbin/vyatta_update_login_user.pl \ '$(@)' '$(full-name/@)' '$(authentication/encrypted-password/@)' \ - '$(group/@)'" + '$(level/@)'" delete: "if [ x$(@) == x ]; then exit 1; fi && \ if [ x$(@) == xroot ]; then \ echo Cannot delete user \"root\" 1>&2 && exit 2; \ diff --git a/templates/system/login/user/node.tag/group/node.def b/templates/system/login/user/node.tag/level/node.def index 17739351..30ac731c 100644 --- a/templates/system/login/user/node.tag/group/node.def +++ b/templates/system/login/user/node.tag/level/node.def @@ -1,7 +1,7 @@ type: txt -help: "User group" +help: "User privilege level" default: "admin" -syntax: $(@) in "admin", "users"; "Users can only be in group \"admin\" or \"users\"" +syntax: $(@) in "admin", "users"; "Allowed levels are \"admin\" and \"users\"" #comp_help:Possible completions: # admin\t\tAdministrators # users\t\tNormal users |