authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
commitb5bb8c35539d1b108e988d39153abc813c326b0f (patch)
tree75ad17b85eb82a2715ae3006916ee66477747c25
parent2bc8990bc093cce92bcaddd82ee80b1c18223e5d (diff)
downloadvyatta-cfg-system-b5bb8c35539d1b108e988d39153abc813c326b0f.tar.gz
vyatta-cfg-system-b5bb8c35539d1b108e988d39153abc813c326b0f.zip
Add additional check that new user doesn't exist in NSS
If a user exists in NSS (LDAP, TACACS+) but not on the local machine, it cannot be changed with the CLI: useradd will fail (user exists), and usermod will fail (can't find the user in the passwd file). Bug 5249
-rw-r--r--Makefile.am1
-rw-r--r--scripts/system/vyatta_check_username.pl66
-rw-r--r--templates/system/login/user/node.def6
3 files changed, 68 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am
index d284bfd4..8d738067 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ sbin_SCRIPTS += scripts/install-system
sbin_SCRIPTS += scripts/vyatta-grub-setup
sbin_SCRIPTS += scripts/standalone_root_pw_reset
sbin_SCRIPTS += scripts/vyatta-passwd-sync
+sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
new file mode 100644
index 00000000..254b3417
--- /dev/null
+++ b/scripts/system/vyatta_check_username.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+my $passwdFile = '/etc/passwd';
+
+# Lookup user in password file which may not give same
+# result as getpw* which uses NSS
+sub finduser {
+ my $user = shift;
+ my $uid;
+
+ open( my $f, '<', $passwdFile )
+ or die "Can't open $passwdFile: $!";
+
+ while (<$f>) {
+ chomp;
+ my ( $name, undef, $id ) = split /:/;
+
+ next unless ( $name eq $user );
+ $uid = $id;
+ last;
+ }
+ close $f;
+
+ return $uid;
+}
+
+foreach my $user (@ARGV) {
+ my $uid = getpwnam($user);
+
+ # User does not exist in system, its okay
+ next unless defined($uid);
+
+ # System accounts should not be listed in vyatta configuration
+ # 1000 is SYS_UID_MIN
+ die "$user : account is already reserved for system use\n"
+ if ($uid > 0 && $uid < 1000);
+
+ my $pwuid = finduser($user);
+
+ die "$user : account exists but is not local (change on server)\n"
+ unless defined ($pwuid);
+
+ die "$user : exists but has different uid on local versus remote\n"
+ unless ($pwuid eq $uid);
+}
+
+exit 0;
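Review bot: The final `die` compares the two uids with the string operator `eq`, although both operands are numeric — `getpwnam` in scalar context returns the uid and `finduser` returns the third passwd field — so a cosmetic difference such as a leading zero or trailing whitespace in /etc/passwd would report a spurious "different uid" mismatch; `unless ($pwuid == $uid);` states the intent and compares the values. The reserved-range check hard-codes `1000` and the comment labels it SYS_UID_MIN, but in shadow's login.defs that name is the lower end of the system range while 1000 is conventionally `UID_MIN`, so either correct the comment or read `UID_MIN` from /etc/login.defs rather than fixing the boundary in the script. Presumably `getpwnam` also returns undef when the directory backend is unreachable at commit time, in which case the `next unless defined($uid)` path treats the account as absent and a local user may later be created on top of a remote one; that is worth a comment on that line, e.g. `# NOTE: an unreachable NSS backend is indistinguishable from "user does not exist"`.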
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index 89e10a9c..751767d6 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
@@ -5,11 +5,7 @@ help: Set user account information
syntax:expression: pattern $VAR(@) "^[a-zA-Z_][a-zA-Z0-9_-]*\\$?$"
; "invalid user name $VAR(@)"
-# System accounts should not be listed in vyatta configuration
-syntax:expression: exec "\
- uid=$(getent passwd $VAR(@) | awk -F: '{print $3}'); \
- [ -z \"$uid\" ] || [ $uid -eq 0 -o $uid -ge 1000 ]" \
- ; "user name \"$VAR(@)\" is reserved for internal usage"
+syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_username.pl $VAR(@)"
commit:expression: $VAR(authentication/encrypted-password) != ""
|| ($VAR(authentication/plaintext-password) != ""