diff options
author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-06-01 15:17:13 -0700 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-06-01 15:50:07 -0700 |
commit | bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2 (patch) | |
tree | 8130cda7cbf98ac64ca6c0c408b0befe8873174a /scripts | |
parent | 11b14df671c37a69dd9aaab0d36703d11465df93 (diff) | |
download | vyatta-cfg-system-bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2.tar.gz vyatta-cfg-system-bf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2.zip |
Change how system login update works
Use a wrapper script in vyatta_update_login.pl and per login method
objects for the update.
Diffstat (limited to 'scripts')
-rw-r--r--[-rwxr-xr-x] | scripts/system/vyatta_update_login.pl | 116 | ||||
-rw-r--r-- | scripts/system/vyatta_update_radius.pl | 119 |
2 files changed, 13 insertions, 222 deletions
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl index c8c064a7..b2125de1 100755..100644 --- a/scripts/system/vyatta_update_login.pl +++ b/scripts/system/vyatta_update_login.pl @@ -20,111 +20,21 @@ use strict; use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; -# handle "user" -my $uconfig = new Vyatta::Config; -$uconfig->setLevel("system login user"); +# This is just a simple wrapper that allows for extensiblility +# of login types. -my %users = $uconfig->listNodeStatus(); -my @user_keys = sort keys %users; +my $config = new Vyatta::Config; +$config->setLevel("system login"); -if ( ( scalar(@user_keys) <= 0 ) - || !( grep /^root$/, @user_keys ) - || ( $users{'root'} eq 'deleted' ) ) -{ - # root is deleted - die "User \"root\" cannot be deleted\n"; -} - -# Exit codes form useradd.8 man page -my %reasons = ( - 0 => 'success', - 1 => 'can´t update password file', - 2 => 'invalid command syntax', - 3 => 'invalid argument to option', - 4 => 'UID already in use (and no -o)', - 6 => 'specified group doesn´t exist', - 9 => 'username already in use', - 10 => 'can´t update group file', - 12 => 'can´t create home directory', - 13 => 'can´t create mail spool', -); +foreach my $type ($config->listNodes()) { + my $kind = ucfirst $type; + my $location = "Vyatta/Login/$kind.pm"; + my $class = "Vyatta::Login::$kind"; + + require $location; -# Map of level to additional groups -my %level_map = ( - 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk'], - 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ], -); + my $obj = $class->new(); + die "Don't understand $type" unless $obj; -# Construct a map from existing users to group membership -# Use space seperated format -my %group_map; -while (my ($name, undef, undef, $members) = getgrent()) { - foreach my $user (split / /,$members) { - my $g = $group_map{$user}; - if ($g) { - my @l = split / /, $g; - push @l, $name; - $group_map{$user} = join(' ', sort @l); - } else { - $group_map{$user} = $name; - } - - } + $obj->update(); } - -# we have some users -for my $user (@user_keys) { - if ( $users{$user} eq 'deleted' ) { - system("sudo userdel -r '$user'") == 0 - or die "userdel failed: $?\n" - } - elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) { - $uconfig->setLevel("system login user $user"); - my $pwd = $uconfig->returnValue('authentication encrypted-password'); - $pwd or die "Encrypted password not in configuration for $user"; - - my $level = $uconfig->returnValue('level'); - $level or die "Level not defined for $user"; - - # map level to group membership - my @groups = @{$level_map{$level}}; - # add any additional groups from configuration - push( @groups, $uconfig->returnValues('group') ); - - my $fname = $uconfig->returnValue('full-name'); - my $home = $uconfig->returnValue('home-directory'); - - # Read existing settings - my (undef, $opwd, $uid, $gid, undef, $comment, - undef, $dir, $shell, undef) = getpwnam($user); - - my $cmd; - # not found in existing passwd, must be new - if ( !defined $uid ) { - # make new user using vyatta shell - # and make home directory (-m) - # and with default group of 100 (users) - $cmd = 'useradd -s /bin/vbash -m -N'; - } else { - # If no part of password or group file changed - # then there is nothing to do here. - next if ( $opwd eq $pwd && - (!$fname || $fname eq $comment) && - (!$home || $home eq $dir) && - join(' ', sort @groups) eq $group_map{$user} ); - - $cmd = "usermod"; - } - - $cmd .= " -p '$pwd'"; - $cmd .= " -c \"$fname\"" if ( defined $fname ); - $cmd .= " -d \"$home\"" if ( defined $home ); - $cmd .= ' -G ' . join( ',', @groups ); - system("sudo $cmd $user"); - next if ($? == 0); - my $reason = $reasons{($? >> 8)}; - die "Attempt to change user $user failed: $reason\n"; - } -} - -exit 0; diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl deleted file mode 100644 index 69e605da..00000000 --- a/scripts/system/vyatta_update_radius.pl +++ /dev/null @@ -1,119 +0,0 @@ -#!/usr/bin/perl - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. -# All Rights Reserved. -# -# **** End License **** - -use strict; -use lib "/opt/vyatta/share/perl5"; -use Vyatta::Config; - -my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; -my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers'; -my $PAM_RAD_END = '# END Vyatta Radius servers'; - -sub is_pam_radius_present { - open( my $auth , '<' , '/etc/pam.d/common-auth' ) - or die "Cannot open /etc/pam.d/common-auth\n"; - - my $present; - while (<$auth>) { - if (/\ssufficient\spam_radius_auth\.so$/) { - $present = 1; - last; - } - } - close $auth; - return $present; -} - -sub remove_pam_radius { - return 1 if ( !is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;' - . '/\tpam_unix\.so /{s/ use_first_pass$//}\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_pam_radius { - return 1 if ( is_pam_radius_present() ); - my $cmd = - 'sudo sh -c "' - . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$' - . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' ' - . '/etc/pam.d/common-auth && ' - . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$' - . '/account\tsufficient\tpam_radius_auth.so\n\1/\' ' - . '/etc/pam.d/common-account"'; - system($cmd); - return 0 if ( $? >> 8 ); - return 1; -} - -sub remove_radius_servers { - system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' " - . "$PAM_RAD_CFG" ); - return 0 if ( $? >> 8 ); - return 1; -} - -sub add_radius_servers { - my $str = shift; - system( "sudo sh -c \"" - . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" ); - return 0 if ( $? >> 8 ); - return 1; -} - -# handle "radius-server" -my $rconfig = new Vyatta::Config; -$rconfig->setLevel("system login radius-server"); -my %servers = $rconfig->listNodeStatus(); -my @server_keys = sort keys %servers; -if ( scalar(@server_keys) <= 0 ) { - - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); - exit 0; -} - -# we have some servers -my $all_deleted = 1; -my $server_str = ''; -remove_radius_servers(); - -for my $server (@server_keys) { - if ( $servers{$server} ne 'deleted' ) { - $all_deleted = 0; - my $port = $rconfig->returnValue("$server port"); - my $secret = $rconfig->returnValue("$server secret"); - my $timeout = $rconfig->returnValue("$server timeout"); - $server_str .= "$server:$port\t$secret\t$timeout\n"; - } -} - -if ($all_deleted) { - # all radius servers deleted - exit 1 if ( !remove_pam_radius() ); -} else { - exit 1 if ( !add_radius_servers($server_str) ); - exit 1 if ( !add_pam_radius() ); -} |