path: root/scripts/system
authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-26 17:50:33 -0800
commitb5bb8c35539d1b108e988d39153abc813c326b0f (patch)
tree75ad17b85eb82a2715ae3006916ee66477747c25 /scripts/system
parent2bc8990bc093cce92bcaddd82ee80b1c18223e5d (diff)
downloadvyatta-cfg-system-b5bb8c35539d1b108e988d39153abc813c326b0f.tar.gz
vyatta-cfg-system-b5bb8c35539d1b108e988d39153abc813c326b0f.zip
Add additional check that new user doesn't exist in NSS
If a user exists in NSS (LDAP, TACACS+) but not on the local machine, it cannot be managed from the CLI: useradd fails because the user already exists, and usermod fails because it cannot find the user in the passwd file. Bug 5249
Diffstat (limited to 'scripts/system')
-rw-r--r--scripts/system/vyatta_check_username.pl66
1 files changed, 66 insertions, 0 deletions
diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
new file mode 100644
index 00000000..254b3417
--- /dev/null
+++ b/scripts/system/vyatta_check_username.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+my $passwdFile = '/etc/passwd';
+
+# Lookup user in password file which may not give same
+# result as getpw* which uses NSS
+sub finduser {
+ my $user = shift;
+ my $uid;
+
+ open( my $f, '<', $passwdFile )
+ or die "Can't open $passwdFile: $!";
+
+ while (<$f>) {
+ chomp;
+ my ( $name, undef, $id ) = split /:/;
+
+ next unless ( $name eq $user );
+ $uid = $id;
+ last;
+ }
+ close $f;
+
+ return $uid;
+}
+
+foreach my $user (@ARGV) {
+ my $uid = getpwnam($user);
+
+ # User does not exist in system, its okay
+ next unless defined($uid);
+
+ # System accounts should not be listed in vyatta configuration
+ # 1000 is SYS_UID_MIN
+ die "$user : account is already reserved for system use\n"
+ if ($uid > 0 && $uid < 1000);
+
+ my $pwuid = finduser($user);
+
+ die "$user : account exists but is not local (change on server)\n"
+ unless defined ($pwuid);
+
+ die "$user : exists but has different uid on local versus remote\n"
+ unless ($pwuid eq $uid);
+}
+
+exit 0;
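Review bot: The reserved-account check at `if ($uid > 0 && $uid < 1000)` only rejects the low system range, so a local account that sits above the ordinary user range (on Debian-derived systems `nobody` is typically uid 65534) passes every check here and can still be picked up as a configurable login. If that is not intended, bound the range on both sides, e.g. `if ($uid > 0 && ($uid < 1000 || $uid > 59999));`, with the upper limit matching whatever UID_MAX the platform's login.defs/adduser.conf defines rather than the literal I quote. Separately, the final comparison `unless ($pwuid eq $uid)` compares a string field read from /etc/passwd with the number returned by getpwnam; a numeric `==` states the intent and avoids a spurious mismatch if the passwd entry is ever written with a leading zero or trailing whitespace. Lastly, uid 0 is deliberately let through by the `$uid > 0` clause; a one-line comment such as `# uid 0 (root) is allowed; only the 1..999 system range is reserved` would make that explicit for the next reader.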