-rwxr-xr-x | lib/Vyatta/Login/User.pm | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 7012403a..a94b8d08 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -40,6 +40,9 @@ my %level_map = (
 'operator' => [ 'quaggavty', 'vyattaop', 'operator', 'adm', 'dip', ],
 );
 
+# Users who MUST not use vbash
+my @protected = ( 'root', 'www-data' );
+
 # Construct a map from existing users to group membership
 sub get_groups {
 my %group_map;
@@ -57,6 +60,21 @@ sub get_groups {
 return \%group_map;
 }
 
+# make list of vyatta users (ie. users of vbash)
+sub _vyatta_users {
+ my @vusers;
+ setpwent();
+ # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
+ # = getpw*
+ while ( my ($name, undef, undef, undef, undef, undef,
+ undef, undef, $shell) = getpwent() ) {
+ push @vusers, $name if ($shell eq '/bin/vbash');
+ }
+ endpwent();
+
+ return @vusers;
+}
+
 sub update {
 my $membership = get_groups();
 my $uconfig = new Vyatta::Config;
@@ -137,15 +155,13 @@ sub update {
 
 # Remove any vyatta users that do not exist in current configuration
 # This can happen if user added but configuration not saved
- foreach my $grp (qw(vyattacfg vyattaop)) {
- my (undef, undef, undef, $members) = getgrnam($grp);
- next unless $members;
-
- foreach my $user (split / /, $members) {
- next if ($user eq 'root');
- next if ($user eq 'www-data'); # webgui
- next if defined $users{$user};
-
+ my %protected = map { $_ => 1 } @protected;
+ foreach my $user (_vyatta_users()) {
+ if ($protected{$user}) {
+ warn "User $user should not being using vbash - fixed\n";
+ system ("usermod -s /bin/bash $user") == 0
+ or die "Attemp to modify user $user shell failed: $!";
+ } elsif (! defined $users{$user}) {
 warn "User $user not listed in current configuration\n";
 system ("userdel --remove $user") == 0
 or die "Attempt to delete user $user failed: $!";
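Review bot: The new `usermod` call in the last hunk builds a shell command by interpolating `$user` into a string, and the `userdel` call it now sits beside does the same; the names come from the local passwd database via `_vyatta_users`, so they are not remote input, but an account name containing shell metacharacters would still be handed to `/bin/sh` here, and the list form avoids the shell entirely: `system('usermod', '-s', '/bin/bash', $user) == 0` and `system('userdel', '--remove', $user) == 0`. Two user-facing strings in the same hunk have typos worth fixing while here: `"User $user should not being using vbash - fixed\n"` and `"Attemp to modify user $user shell failed: $!"`. In `_vyatta_users` (second hunk) the comparison `$shell eq '/bin/vbash'` will emit an uninitialized-value warning for any passwd entry whose shell field is missing; `($shell // '') eq '/bin/vbash'` would keep the loop quiet. The `update` body continues outside the hunk.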