author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 15:29:34 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 15:29:34 -0800 |
commit | a782154dd201e08138ab42ad881f74087bfbe7da (patch) | |
tree | 3ea4901b3cb961690525cb4a12bb0de490c21f9a | |
parent | a388acecee4bc21a1876b4be3f0181d6bb0c95e6 (diff) | |
download | vyatta-cfg-system-a782154dd201e08138ab42ad881f74087bfbe7da.tar.gz vyatta-cfg-system-a782154dd201e08138ab42ad881f74087bfbe7da.zip |
Don't allow vyatta configured accounts to overlap internal accounts
Bug 5269
This prevents a user from doing something harmful, like making a user
named quagga or cron and putting vbash on that account.
-rw-r--r-- | templates/system/login/user/node.def | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index d23a397f..89e10a9c 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
@@ -1,9 +1,17 @@
 tag:
 type: txt
 help: Set user account information
+
+syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
+ ; "invalid user name $VAR(@)"
+
+# System accounts should not be listed in vyatta configuration
+syntax:expression: exec "\
+ uid=$(getent passwd $VAR(@) | awk -F: '{print $3}'); \
+ [ -z \"$uid\" ] || [ $uid -eq 0 -o $uid -ge 1000 ]" \
+ ; "user name \"$VAR(@)\" is reserved for internal usage"
+
 commit:expression: $VAR(authentication/encrypted-password) != "" ||
 ($VAR(authentication/plaintext-password) != "" &&
 $VAR(authentication/plaintext-password/@) != "")
 ; "user password must be specified"
-syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
- ; "invalid user name $VAR(@)" |
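Review bot: The uid test in the new `exec` expression, `[ $uid -eq 0 -o $uid -ge 1000 ]`, still accepts internal accounts outside the 1–999 range: on Debian-derived systems `nobody` is conventionally uid 65534, and any name that resolves to uid 0 passes as well (presumably meant for `root` only, which deserves a comment). Consider bounding the range from above, e.g. `[ -z \"$uid\" ] || [ \"$uid\" -eq 0 ] || [ \"$uid\" -ge 1000 -a \"$uid\" -lt 65534 ]`, with the upper limit matched to the platform's regular-user range. The lookup key is also unquoted; `getent passwd \"$VAR(@)\"` would keep the check safe without relying on the name pattern above having been enforced first. An empty result from `getent` is treated as "name is free", so a failed lookup cannot be told apart from a missing account.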