authorDaniil Baturin <daniil@baturin.org>2015-02-25 17:17:09 +0100
committerDaniil Baturin <daniil@baturin.org>2015-02-25 17:17:09 +0100
commitc0b5836808739bcce1e5f854bd7edaa53a0d2afd (patch)
tree33456d6a7f8d2ed29ec869c41dc36da186dec923 /lib/Vyatta/Login
parentca069d41f32a7825682c3fd56f164e0a3ad64f43 (diff)
Bug #498: dirty hack to disallow remote command execution for operator level users.
Diffstat (limited to 'lib/Vyatta/Login')
-rwxr-xr-xlib/Vyatta/Login/User.pm11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 411aed6c..d3e9b8bd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -152,19 +152,28 @@ sub _update_user {
# Read existing settings
my $uid = getpwnam($user);
+ my $shell;
+ if ($level eq "operator") {
+ $shell = "/opt/vyatta/bin/restricted-shell";
+ }
+ else {
+ $shell = "/bin/vbash";
+ }
+
# not found in existing passwd, must be new
my $cmd;
unless ( defined($uid) ) {
# make new user using vyatta shell
# and make home directory (-m)
# and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
+ $cmd = "useradd -s $shell -m -N";
} else {
# update existing account
$cmd = "usermod";
}
$cmd .= " -p '$pwd'";
+ $cmd .= " -s $shell";
$cmd .= " -c \"$fname\"" if ( defined $fname );
$cmd .= " -d \"$home\"" if ( defined $home );
$cmd .= ' -G ' . join( ',', @groups );
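Review bot: The shell selection at the top of the hunk fails open: only the exact string "operator" gets `/opt/vyatta/bin/restricted-shell`, and every other value of `$level`, including an undefined or misspelled one, falls through to `/bin/vbash`. Since this assignment is the control that keeps operator accounts from running remote commands, it would be safer to name the unrestricted level(s) explicitly and default to the restricted shell, or to die on an unrecognised level; the set of valid levels is not visible in this hunk. Separately, the new-user path now passes `-s` twice (`useradd -s $shell -m -N` and the later `$cmd .= " -s $shell";`), so the first could be reduced to `$cmd = 'useradd -m -N';`. Whether the restriction holds also depends on how the restricted shell handles a command passed by the SSH daemon, which this diff does not show. `_update_user` starts and ends outside the hunk.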