summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-06-01 15:17:13 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-06-01 15:50:07 -0700
commitbf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2 (patch)
tree8130cda7cbf98ac64ca6c0c408b0befe8873174a /lib
parent11b14df671c37a69dd9aaab0d36703d11465df93 (diff)
downloadvyatta-cfg-system-bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2.tar.gz
vyatta-cfg-system-bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2.zip
Change how system login update works
Use a wrapper script in vyatta_update_login.pl and per login method objects for the update.
Diffstat (limited to 'lib')
-rw-r--r--lib/Vyatta/Login/Radius.pm126
-rwxr-xr-xlib/Vyatta/Login/User.pm156
2 files changed, 282 insertions, 0 deletions
diff --git a/lib/Vyatta/Login/Radius.pm b/lib/Vyatta/Login/Radius.pm
new file mode 100644
index 00000000..6a949434
--- /dev/null
+++ b/lib/Vyatta/Login/Radius.pm
@@ -0,0 +1,126 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::Radius;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
+my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
+my $PAM_RAD_END = '# END Vyatta Radius servers';
+
+sub is_pam_radius_present {
+ open( my $auth , '<' , '/etc/pam.d/common-auth' )
+ or die "Cannot open /etc/pam.d/common-auth\n";
+
+ my $present;
+ while (<$auth>) {
+ if (/\ssufficient\spam_radius_auth\.so$/) {
+ $present = 1;
+ last;
+ }
+ }
+ close $auth;
+ return $present;
+}
+
+sub remove_pam_radius {
+ return 1 if ( !is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
+ . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_pam_radius {
+ return 1 if ( is_pam_radius_present() );
+ my $cmd =
+ 'sudo sh -c "'
+ . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
+ . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
+ . '/etc/pam.d/common-auth && '
+ . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
+ . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
+ . '/etc/pam.d/common-account"';
+ system($cmd);
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub remove_radius_servers {
+ system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
+ . "$PAM_RAD_CFG" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub add_radius_servers {
+ my $str = shift;
+ system( "sudo sh -c \""
+ . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
+ return 0 if ( $? >> 8 );
+ return 1;
+}
+
+sub new {
+ my $that = shift;
+ my $class = ref($that) || $that;
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel("system login radius-server");
+ my %servers = $rconfig->listNodeStatus();
+ my $self = \%servers;
+
+ bless $self, $class;
+
+ return $self;
+}
+
+sub update {
+ my $self = shift;
+ my %servers = %$self;
+ my $server_str = '';
+ my $rconfig = new Vyatta::Config;
+ $rconfig->setLevel('system login radius-server');
+
+ if (%servers) {
+ remove_radius_servers();
+
+ for my $server (sort keys %servers) {
+ next if ( $servers{$server} eq 'deleted' );
+ my $port = $rconfig->returnValue("$server port");
+ my $secret = $rconfig->returnValue("$server secret");
+ my $timeout = $rconfig->returnValue("$server timeout");
+ $server_str .= "$server:$port\t$secret\t$timeout\n";
+ }
+
+ exit 1 if ( !add_radius_servers($server_str) );
+ exit 1 if ( !add_pam_radius() );
+
+ } else {
+ # all radius servers deleted
+ exit 1 if ( !remove_pam_radius() );
+ }
+}
+
+1;
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
new file mode 100755
index 00000000..42bcbd53
--- /dev/null
+++ b/lib/Vyatta/Login/User.pm
@@ -0,0 +1,156 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+package Vyatta::Login::User;
+use strict;
+use warnings;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+sub new {
+ my ( $that ) = @_;
+ my $class = ref($that) || $that;
+ $config->setLevel("system login user");
+ my %users = $config->listNodeStatus();
+ my @user_keys = sort keys %users;
+
+ if ( ( scalar(@user_keys) <= 0 )
+ || !( grep /^root$/, @user_keys )
+ || ( $users{'root'} eq 'deleted' ) )
+ {
+
+ # root is deleted
+ die "User \"root\" cannot be deleted\n";
+ }
+
+ my $self = \%users;
+ bless $self, $class;
+
+ return $self;
+}
+
+# Exit codes form useradd.8 man page
+my %reasons = (
+ 0 => 'success',
+ 1 => 'can´t update password file',
+ 2 => 'invalid command syntax',
+ 3 => 'invalid argument to option',
+ 4 => 'UID already in use (and no -o)',
+ 6 => 'specified group doesn´t exist',
+ 9 => 'username already in use',
+ 10 => 'can´t update group file',
+ 12 => 'can´t create home directory',
+ 13 => 'can´t create mail spool',
+);
+
+# Map of level to additional groups
+my %level_map = (
+ 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
+ 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
+);
+
+# Construct a map from existing users to group membership
+sub get_groups {
+ my %group_map;
+
+ setgrent();
+ while ( my ( $name, undef, undef, $members ) = getgrent() ) {
+ foreach my $user ( split / /, $members ) {
+ $group_map{$user} = [] unless ( $group_map{$user} );
+ my $g = $group_map{$user};
+ push @$g, $name;
+ }
+ }
+ endgrent();
+
+ return \%group_map;
+}
+
+sub update {
+ my $self = shift;
+ my %users = %$self;
+ my $membership = get_groups();
+ my $uconfig = new Vyatta::Config;
+
+ foreach my $user ( keys %users ) {
+ if ( $users{$user} eq 'deleted' ) {
+ system("sudo userdel -r '$user'") == 0
+ or die "userdel failed: $?\n";
+ }
+ elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
+ $uconfig->setLevel("system login user $user");
+ my $pwd =
+ $uconfig->returnValue('authentication encrypted-password');
+ $pwd or die "Encrypted password not in configuration for $user";
+
+ my $level = $uconfig->returnValue('level');
+ $level or die "Level not defined for $user";
+
+ # map level to group membership
+ my @new_groups = @{ $level_map{$level} };
+
+ # add any additional groups from configuration
+ push( @new_groups, $uconfig->returnValues('group') );
+
+ my $fname = $uconfig->returnValue('full-name');
+ my $home = $uconfig->returnValue('home-directory');
+
+ # Read existing settings
+ my (
+ undef, $opwd, $uid, $gid, undef,
+ $comment, undef, $dir, $shell, undef
+ ) = getpwnam($user);
+
+ my $old_groups = $membership->{$user};
+
+ my $cmd;
+
+ # not found in existing passwd, must be new
+ if ( !defined $uid ) {
+
+ # make new user using vyatta shell
+ # and make home directory (-m)
+ # and with default group of 100 (users)
+ $cmd = 'useradd -s /bin/vbash -m -N';
+ }
+ elsif ($opwd eq $pwd
+ && ( !$fname || $fname eq $comment )
+ && ( !$home || $home eq $dir )
+ && join( ' ', sort @$old_groups ) eq
+ join( ' ', sort @new_groups ) )
+ {
+
+ # If no part of password or group file changed
+ # then there is nothing to do here.
+ next;
+ }
+ else {
+ $cmd = "usermod";
+ }
+
+ $cmd .= " -p '$pwd'";
+ $cmd .= " -c \"$fname\"" if ( defined $fname );
+ $cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @new_groups );
+ system("sudo $cmd $user");
+ next if ( $? == 0 );
+ my $reason = $reasons{ ( $? >> 8 ) };
+ die "Attempt to change user $user failed: $reason\n";
+ }
+ }
+}
+
+1;