authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-06-01 15:17:13 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-06-01 15:50:07 -0700
commitbf4dd2a3dd0f36ebd5c1c7a6a3705d378d0453b2 (patch)
tree8130cda7cbf98ac64ca6c0c408b0befe8873174a /scripts
parent11b14df671c37a69dd9aaab0d36703d11465df93 (diff)
Change how system login update works
Use a wrapper script in vyatta_update_login.pl and per login method objects for the update.
Diffstat (limited to 'scripts')
-rw-r--r--[-rwxr-xr-x]scripts/system/vyatta_update_login.pl116
-rw-r--r--scripts/system/vyatta_update_radius.pl119
2 files changed, 13 insertions, 222 deletions
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index c8c064a7..b2125de1 100755..100644
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -20,111 +20,21 @@ use strict;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
-# handle "user"
-my $uconfig = new Vyatta::Config;
-$uconfig->setLevel("system login user");
+# This is just a simple wrapper that allows for extensiblility
+# of login types.
-my %users = $uconfig->listNodeStatus();
-my @user_keys = sort keys %users;
+my $config = new Vyatta::Config;
+$config->setLevel("system login");
-if ( ( scalar(@user_keys) <= 0 )
- || !( grep /^root$/, @user_keys )
- || ( $users{'root'} eq 'deleted' ) )
-{
- # root is deleted
- die "User \"root\" cannot be deleted\n";
-}
-
-# Exit codes form useradd.8 man page
-my %reasons = (
- 0 => 'success',
- 1 => 'can´t update password file',
- 2 => 'invalid command syntax',
- 3 => 'invalid argument to option',
- 4 => 'UID already in use (and no -o)',
- 6 => 'specified group doesn´t exist',
- 9 => 'username already in use',
- 10 => 'can´t update group file',
- 12 => 'can´t create home directory',
- 13 => 'can´t create mail spool',
-);
+foreach my $type ($config->listNodes()) {
+ my $kind = ucfirst $type;
+ my $location = "Vyatta/Login/$kind.pm";
+ my $class = "Vyatta::Login::$kind";
+
+ require $location;
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk'],
- 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
-);
+ my $obj = $class->new();
+ die "Don't understand $type" unless $obj;
-# Construct a map from existing users to group membership
-# Use space seperated format
-my %group_map;
-while (my ($name, undef, undef, $members) = getgrent()) {
- foreach my $user (split / /,$members) {
- my $g = $group_map{$user};
- if ($g) {
- my @l = split / /, $g;
- push @l, $name;
- $group_map{$user} = join(' ', sort @l);
- } else {
- $group_map{$user} = $name;
- }
-
- }
+ $obj->update();
}
-
-# we have some users
-for my $user (@user_keys) {
- if ( $users{$user} eq 'deleted' ) {
- system("sudo userdel -r '$user'") == 0
- or die "userdel failed: $?\n"
- }
- elsif ( $users{$user} eq 'added' || $users{$user} eq 'changed' ) {
- $uconfig->setLevel("system login user $user");
- my $pwd = $uconfig->returnValue('authentication encrypted-password');
- $pwd or die "Encrypted password not in configuration for $user";
-
- my $level = $uconfig->returnValue('level');
- $level or die "Level not defined for $user";
-
- # map level to group membership
- my @groups = @{$level_map{$level}};
- # add any additional groups from configuration
- push( @groups, $uconfig->returnValues('group') );
-
- my $fname = $uconfig->returnValue('full-name');
- my $home = $uconfig->returnValue('home-directory');
-
- # Read existing settings
- my (undef, $opwd, $uid, $gid, undef, $comment,
- undef, $dir, $shell, undef) = getpwnam($user);
-
- my $cmd;
- # not found in existing passwd, must be new
- if ( !defined $uid ) {
- # make new user using vyatta shell
- # and make home directory (-m)
- # and with default group of 100 (users)
- $cmd = 'useradd -s /bin/vbash -m -N';
- } else {
- # If no part of password or group file changed
- # then there is nothing to do here.
- next if ( $opwd eq $pwd &&
- (!$fname || $fname eq $comment) &&
- (!$home || $home eq $dir) &&
- join(' ', sort @groups) eq $group_map{$user} );
-
- $cmd = "usermod";
- }
-
- $cmd .= " -p '$pwd'";
- $cmd .= " -c \"$fname\"" if ( defined $fname );
- $cmd .= " -d \"$home\"" if ( defined $home );
- $cmd .= ' -G ' . join( ',', @groups );
- system("sudo $cmd $user");
- next if ($? == 0);
- my $reason = $reasons{($? >> 8)};
- die "Attempt to change user $user failed: $reason\n";
- }
-}
-
-exit 0;
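Review bot: The class-name derivation at `my $kind = ucfirst $type;` does not handle hyphenated node names; the deleted vyatta_update_radius.pl operated on the `system login radius-server` level, and if that node still exists under `system login` the loop would build `Vyatta/Login/Radius-server.pm` and `Vyatta::Login::Radius-server`, which is not a valid package name, so either the `require` or the `$class->new()` call would die. Folding the hyphen after the `ucfirst`, `$kind =~ s/-(\w)/\u$1/g;`, maps it to `RadiusServer` — assuming that is what the new handler module is named, which is outside this diff. Because `require $location` loads code from a path assembled out of a configuration node name, it is also worth asserting the name's shape before building the path, `die "Unexpected login type '$type'\n" unless $type =~ /\A[a-z][a-z0-9-]*\z/;`, so that an unexpected node cannot steer the `require` outside the Vyatta/Login directory. Minor: `new Vyatta::Config` on the new side is indirect object syntax; `Vyatta::Config->new` is the conventional form.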
diff --git a/scripts/system/vyatta_update_radius.pl b/scripts/system/vyatta_update_radius.pl
deleted file mode 100644
index 69e605da..00000000
--- a/scripts/system/vyatta_update_radius.pl
+++ /dev/null
@@ -1,119 +0,0 @@
-#!/usr/bin/perl
-
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
-# All Rights Reserved.
-#
-# **** End License ****
-
-use strict;
-use lib "/opt/vyatta/share/perl5";
-use Vyatta::Config;
-
-my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf';
-my $PAM_RAD_BEGIN = '# BEGIN Vyatta Radius servers';
-my $PAM_RAD_END = '# END Vyatta Radius servers';
-
-sub is_pam_radius_present {
- open( my $auth , '<' , '/etc/pam.d/common-auth' )
- or die "Cannot open /etc/pam.d/common-auth\n";
-
- my $present;
- while (<$auth>) {
- if (/\ssufficient\spam_radius_auth\.so$/) {
- $present = 1;
- last;
- }
- }
- close $auth;
- return $present;
-}
-
-sub remove_pam_radius {
- return 1 if ( !is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d;'
- . '/\tpam_unix\.so /{s/ use_first_pass$//}\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'/\tsufficient\tpam_radius_auth\.so$/d\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
-}
-
-sub add_pam_radius {
- return 1 if ( is_pam_radius_present() );
- my $cmd =
- 'sudo sh -c "'
- . 'sed -i \'s/^\(auth\trequired\tpam_unix\.so.*\)$'
- . '/auth\tsufficient\tpam_radius_auth.so\n\1 use_first_pass/\' '
- . '/etc/pam.d/common-auth && '
- . 'sed -i \'s/^\(account\trequired\tpam_unix\.so.*\)$'
- . '/account\tsufficient\tpam_radius_auth.so\n\1/\' '
- . '/etc/pam.d/common-account"';
- system($cmd);
- return 0 if ( $? >> 8 );
- return 1;
-}
-
-sub remove_radius_servers {
- system( "sudo sed -i '/^$PAM_RAD_BEGIN\$/,/^$PAM_RAD_END\$/{d}' "
- . "$PAM_RAD_CFG" );
- return 0 if ( $? >> 8 );
- return 1;
-}
-
-sub add_radius_servers {
- my $str = shift;
- system( "sudo sh -c \""
- . "echo '$PAM_RAD_BEGIN\n$str$PAM_RAD_END\n' >> $PAM_RAD_CFG\"" );
- return 0 if ( $? >> 8 );
- return 1;
-}
-
-# handle "radius-server"
-my $rconfig = new Vyatta::Config;
-$rconfig->setLevel("system login radius-server");
-my %servers = $rconfig->listNodeStatus();
-my @server_keys = sort keys %servers;
-if ( scalar(@server_keys) <= 0 ) {
-
- # all radius servers deleted
- exit 1 if ( !remove_pam_radius() );
- exit 0;
-}
-
-# we have some servers
-my $all_deleted = 1;
-my $server_str = '';
-remove_radius_servers();
-
-for my $server (@server_keys) {
- if ( $servers{$server} ne 'deleted' ) {
- $all_deleted = 0;
- my $port = $rconfig->returnValue("$server port");
- my $secret = $rconfig->returnValue("$server secret");
- my $timeout = $rconfig->returnValue("$server timeout");
- $server_str .= "$server:$port\t$secret\t$timeout\n";
- }
-}
-
-if ($all_deleted) {
- # all radius servers deleted
- exit 1 if ( !remove_pam_radius() );
-} else {
- exit 1 if ( !add_radius_servers($server_str) );
- exit 1 if ( !add_pam_radius() );
-}