summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2015-02-25 17:17:09 +0100
committerDaniil Baturin <daniil@baturin.org>2015-02-25 17:17:09 +0100
commitc0b5836808739bcce1e5f854bd7edaa53a0d2afd (patch)
tree33456d6a7f8d2ed29ec869c41dc36da186dec923 /lib
parentca069d41f32a7825682c3fd56f164e0a3ad64f43 (diff)
downloadvyatta-cfg-system-c0b5836808739bcce1e5f854bd7edaa53a0d2afd.tar.gz
vyatta-cfg-system-c0b5836808739bcce1e5f854bd7edaa53a0d2afd.zip
Bug #498: dirty hack to disallow remote command execution for operator level users.
Diffstat (limited to 'lib')
-rwxr-xr-xlib/Vyatta/Login/User.pm11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 411aed6c..d3e9b8bd 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -152,19 +152,28 @@ sub _update_user {
# Read existing settings
my $uid = getpwnam($user);
+ my $shell;
+ if ($level eq "operator") {
+ $shell = "/opt/vyatta/bin/restricted-shell";
+ }
+ else {
+ $shell = "/bin/vbash";
+ }
+
# not found in existing passwd, must be new
my $cmd;
unless ( defined($uid) ) {
# make new user using vyatta shell
# and make home directory (-m)
# and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
+ $cmd = "useradd -s $shell -m -N";
} else {
# update existing account
$cmd = "usermod";
}
$cmd .= " -p '$pwd'";
+ $cmd .= " -s $shell";
$cmd .= " -c \"$fname\"" if ( defined $fname );
$cmd .= " -d \"$home\"" if ( defined $home );
$cmd .= ' -G ' . join( ',', @groups );