Get rid of protected-users file

Instead of white-listing special system users, just go with the
Debian policy that all users with uid < 1000 are system accounts

4 files changed, 18 insertions, 48 deletions

diff --git a/Makefile.am b/Makefile.am
index 8d738067..4946ff83 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -73,7 +73,6 @@ sysconf_DATA += sysconf/securetty
 sysconf_DATA += sysconf/vyatta-sysctl.conf
 sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
-sysconf_DATA += sysconf/protected-user
 sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
 
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1f4de221..1f0b133e 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -135,10 +135,6 @@ EOF
     cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
 fi
 
-if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then
-    cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc
-fi
-
 # create needed directories
 mkdir -p /var/log/user
 
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 383978e4..1aee01dd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -59,43 +59,6 @@ sub _level_groups {
     return @groups;
 }
 
-# protected users override file
-my $protected_users = '/opt/vyatta/etc/protected-user';
-
-# Users who MUST not use vbash
-sub _protected_users {
-    my @protected;
-
-    open my $pfd, '<', $protected_users
-      or return;
-
-    while (<$pfd>) {
-        chomp;
-        next unless $_;
-
-        push @protected, $_;
-    }
-    close($pfd);
-    return @protected;
-}
-
-# make list of vyatta users (ie. users of vbash)
-sub _vyatta_users {
-    my @vusers;
-
-    setpwent();
-
-    # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
-    #   = getpw*
-    while ( my ($name, undef, undef, undef, undef, undef,
-		undef, undef, $shell) = getpwent() ) {
-        push @vusers, $name if ( $shell eq '/bin/vbash' );
-    }
-    endpwent();
-
-    return @vusers;
-}
-
 sub _authorized_keys {
     my $user   = shift;
     my $config = new Vyatta::Config;
@@ -208,6 +171,20 @@ sub _update_user {
     }
 }
 
+sub _local_users {
+    my @users;
+
+    setpwent();
+    while ( my ($name, undef, $uid) = getpwent() ) {
+	# Skip system accounts (< SYS_UID_MAX)
+	next if $uid < 1000;
+        push @users, $name;
+    }
+    endpwent();
+
+    return @users;
+}
+
 sub update {
     my $uconfig    = new Vyatta::Config;
     $uconfig->setLevel("system login user");
@@ -228,11 +205,11 @@ sub update {
         _authorized_keys($user);
     }
 
-    # Remove any vyatta users that do not exist in current configuration
+    # Remove any normal users that do not exist in current configuration
     # This can happen if user added but configuration not saved
-    my %protected = map { $_ => 1 } _protected_users();
-    foreach my $user ( _vyatta_users() ) {
-        next if $protected{$user};
+    # and system is rebooted
+    foreach my $user ( _local_users() ) {
+	# did we see this user in configuration?
         next if defined $users{$user};
 
         warn "User $user not listed in current configuration\n";
diff --git a/sysconf/protected-user b/sysconf/protected-user
deleted file mode 100644
index 04a60974..00000000
--- a/sysconf/protected-user
+++ /dev/null
@@ -1,2 +0,0 @@
-root
-www-data