authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 18:09:55 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 18:09:55 -0800
commit471b7e4ada3ab3ce69da161b9546056332b60ce2 (patch)
tree59eeea8e8c9d5141b38b37c9b889cfd3dda0b662
parentb5bb8c35539d1b108e988d39153abc813c326b0f (diff)
downloadvyatta-cfg-system-471b7e4ada3ab3ce69da161b9546056332b60ce2.tar.gz
vyatta-cfg-system-471b7e4ada3ab3ce69da161b9546056332b60ce2.zip
Get rid of protected-users file
Instead of white-listing special system users, follow the Debian policy that all users with uid < 1000 are system accounts.
-rw-r--r--Makefile.am1
-rw-r--r--debian/vyatta-cfg-system.postinst.in4
-rwxr-xr-xlib/Vyatta/Login/User.pm59
-rw-r--r--sysconf/protected-user2
4 files changed, 18 insertions, 48 deletions
diff --git a/Makefile.am b/Makefile.am
index 8d738067..4946ff83 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -73,7 +73,6 @@ sysconf_DATA += sysconf/securetty
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
-sysconf_DATA += sysconf/protected-user
sysconf_DATA += sysconf/level
sysconf_DATA += sysconf/pam_radius.cfg
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1f4de221..1f0b133e 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -135,10 +135,6 @@ EOF
cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
fi
-if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then
- cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc
-fi
-
# create needed directories
mkdir -p /var/log/user
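Review bot: The removed block also copied `$sysconfdir/level` into /opt/vyatta/etc, and nothing else in this commit replaces that copy, while Makefile.am still installs sysconf/level. On builds where sysconfdir differs from /opt/vyatta/etc, anything that reads /opt/vyatta/etc/level will now find it missing. If the level copy is still needed, keep the guard with only the protected-user part dropped: `cp $sysconfdir/level /opt/vyatta/etc`.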
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 383978e4..1aee01dd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -59,43 +59,6 @@ sub _level_groups {
return @groups;
}
-# protected users override file
-my $protected_users = '/opt/vyatta/etc/protected-user';
-
-# Users who MUST not use vbash
-sub _protected_users {
- my @protected;
-
- open my $pfd, '<', $protected_users
- or return;
-
- while (<$pfd>) {
- chomp;
- next unless $_;
-
- push @protected, $_;
- }
- close($pfd);
- return @protected;
-}
-
-# make list of vyatta users (ie. users of vbash)
-sub _vyatta_users {
- my @vusers;
-
- setpwent();
-
- # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
- # = getpw*
- while ( my ($name, undef, undef, undef, undef, undef,
- undef, undef, $shell) = getpwent() ) {
- push @vusers, $name if ( $shell eq '/bin/vbash' );
- }
- endpwent();
-
- return @vusers;
-}
-
sub _authorized_keys {
my $user = shift;
my $config = new Vyatta::Config;
@@ -208,6 +171,20 @@ sub _update_user {
}
}
+sub _local_users {
+ my @users;
+
+ setpwent();
+ while ( my ($name, undef, $uid) = getpwent() ) {
+ # Skip system accounts (< SYS_UID_MAX)
+ next if $uid < 1000;
+ push @users, $name;
+ }
+ endpwent();
+
+ return @users;
+}
+
sub update {
my $uconfig = new Vyatta::Config;
$uconfig->setLevel("system login user");
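Review bot: `next if $uid < 1000;` in _local_users is the only filter, so the loop in the following hunk (`foreach my $user ( _local_users() )`, whose body continues past the end of that hunk) will warn about, and apparently act on, every account with uid >= 1000 that is not in the configuration — on Debian that includes `nobody` (uid 65534), and getpwent() also enumerates any users supplied by other NSS sources, none of which the deleted vbash-shell check used to pick up. Bounding the range to the ordinary-user block, e.g. `next if $uid < 1000 or $uid > 60000;` (Debian's default UID_MIN/UID_MAX), or re-adding the shell test from the removed _vyatta_users if this module still creates accounts with /bin/vbash, would keep the cleanup limited to accounts it owns. The comment `# Skip system accounts (< SYS_UID_MAX)` is also slightly off, since 1000 is UID_MIN rather than SYS_UID_MAX; reading the bounds from /etc/login.defs would remove the hard-coded constant altogether.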
@@ -228,11 +205,11 @@ sub update {
_authorized_keys($user);
}
- # Remove any vyatta users that do not exist in current configuration
+ # Remove any normal users that do not exist in current configuration
# This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } _protected_users();
- foreach my $user ( _vyatta_users() ) {
- next if $protected{$user};
+ # and system is rebooted
+ foreach my $user ( _local_users() ) {
+ # did we see this user in configuration?
next if defined $users{$user};
warn "User $user not listed in current configuration\n";
diff --git a/sysconf/protected-user b/sysconf/protected-user
deleted file mode 100644
index 04a60974..00000000
--- a/sysconf/protected-user
+++ /dev/null
@@ -1,2 +0,0 @@
-root
-www-data