author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 18:09:55 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-26 18:09:55 -0800 |
commit | 471b7e4ada3ab3ce69da161b9546056332b60ce2 (patch) | |
tree | 59eeea8e8c9d5141b38b37c9b889cfd3dda0b662 | |
parent | b5bb8c35539d1b108e988d39153abc813c326b0f (diff) | |
Get rid of protected-users file
Instead of white-listing special system users, just go with the
Debian policy that all users with uid < 1000 are system accounts
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 4 | ||||
-rwxr-xr-x | lib/Vyatta/Login/User.pm | 59 | ||||
-rw-r--r-- | sysconf/protected-user | 2 |
4 files changed, 18 insertions, 48 deletions
diff --git a/Makefile.am b/Makefile.am
index 8d738067..4946ff83 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -73,7 +73,6 @@ sysconf_DATA += sysconf/securetty
 sysconf_DATA += sysconf/vyatta-sysctl.conf
 sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
-sysconf_DATA += sysconf/protected-user
 sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1f4de221..1f0b133e 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -135,10 +135,6 @@ EOF
 cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
 fi
-if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then
- cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc
-fi
-
 # create needed directories
 mkdir -p /var/log/user
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 383978e4..1aee01dd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -59,43 +59,6 @@ sub _level_groups {
 return @groups;
 }
-# protected users override file
-my $protected_users = '/opt/vyatta/etc/protected-user';
-
-# Users who MUST not use vbash
-sub _protected_users {
- my @protected;
-
- open my $pfd, '<', $protected_users
- or return;
-
- while (<$pfd>) {
- chomp;
- next unless $_;
-
- push @protected, $_;
- }
- close($pfd);
- return @protected;
-}
-
-# make list of vyatta users (ie. users of vbash)
-sub _vyatta_users {
- my @vusers;
-
- setpwent();
-
- # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
- # = getpw*
- while ( my ($name, undef, undef, undef, undef, undef,
- undef, undef, $shell) = getpwent() ) {
- push @vusers, $name if ( $shell eq '/bin/vbash' );
- }
- endpwent();
-
- return @vusers;
-}
-
 sub _authorized_keys {
 my $user = shift;
 my $config = new Vyatta::Config;
@@ -208,6 +171,20 @@ sub _update_user {
 }
 }
+sub _local_users {
+ my @users;
+
+ setpwent();
+ while ( my ($name, undef, $uid) = getpwent() ) {
+ # Skip system accounts (< SYS_UID_MAX)
+ next if $uid < 1000;
+ push @users, $name;
+ }
+ endpwent();
+
+ return @users;
+}
+
 sub update {
 my $uconfig = new Vyatta::Config;
 $uconfig->setLevel("system login user");
@@ -228,11 +205,11 @@ sub update {
 _authorized_keys($user);
 }
- # Remove any vyatta users that do not exist in current configuration
+ # Remove any normal users that do not exist in current configuration
 # This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } _protected_users();
- foreach my $user ( _vyatta_users() ) {
- next if $protected{$user};
+ # and system is rebooted
+ foreach my $user ( _local_users() ) {
+ # did we see this user in configuration?
 next if defined $users{$user};
 warn "User $user not listed in current configuration\n";
diff --git a/sysconf/protected-user b/sysconf/protected-user
deleted file mode 100644
index 04a60974..00000000
--- a/sysconf/protected-user
+++ /dev/null
@@ -1,2 +0,0 @@
-root
-www-data |
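Review bot: In `_local_users` the filter `next if $uid < 1000;` treats every uid from 1000 upward as a normal account, but Debian policy reserves 60000–64999 and assigns 65534 to `nobody`, so `nobody` is returned and, not being under `system login user`, reaches the warn in `update` and whatever removal follows it outside the hunk. Bounding the range on both sides, `next if $uid < 1000 or $uid >= 60000;`, keeps the reserved accounts out, and the comment `# Skip system accounts (< SYS_UID_MAX)` should then state the policy it encodes, e.g. `# Debian policy: normal accounts are uid 1000-59999; lower are system, higher are reserved`. Both bounds are hard-coded rather than read from UID_MIN/UID_MAX in /etc/login.defs, which deserves a comment if that is deliberate. Note also that getpwent() enumerates every NSS passwd source, so on a system with a directory backend this list may not be local-only despite the sub's name.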