-rw-r--r--Makefile.am2
-rw-r--r--debian/vyatta-cfg-system.postinst.in6
-rwxr-xr-xlib/Vyatta/Login/User.pm72
-rw-r--r--sysconf/level3
-rw-r--r--sysconf/protected-user2
5 files changed, 59 insertions, 26 deletions
diff --git a/Makefile.am b/Makefile.am
index 99142777..df8c34b5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -70,6 +70,8 @@ sysconf_DATA += sysconf/securetty
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
+sysconf_DATA += sysconf/protected-user
+sysconf_DATA += sysconf/level
sysconf_DATA += sysconf/pam_radius.cfg
libudev_SCRIPTS = scripts/vyatta_net_name
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 3a914f7f..4809c4fe 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -118,6 +118,10 @@ EOF
fi
done
+ # Install pamradius config (should come with radius client eventually)
+ cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
+
+ cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc
fi
# update crontab for logrotate
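Review bot: The new `cp $sysconfdir/level $sysconfdir/protected-user /opt/vyatta/etc` leaves the mode and ownership of two files that now decide group membership (including `sudo`) and which accounts are exempt from vbash cleanup to `cp`'s defaults and the build umask, and both `$sysconfdir` expansions are unquoted. I'd write `install -m 0644 -o root -g root "$sysconfdir/level" "$sysconfdir/protected-user" /opt/vyatta/etc` so the files are root-owned and never group- or world-writable regardless of how the package was built. Moving the pam_radius copy up into this `if` block, whose condition starts outside the hunk, also makes it conditional where the removed line in the next hunk appears to have run unconditionally; worth confirming that is intended.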
@@ -148,8 +152,6 @@ update-rc.d -f ssh remove >/dev/null
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
-# Install pamradius config (should come with radius client eventually)
-cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index f5e8337f..8c459850 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -19,6 +19,7 @@ use strict;
use warnings;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Config;
+use Vyatta::Login::Misc;
# Exit codes form useradd.8 man page
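Review bot: No symbol from `Vyatta::Login::Misc` is referenced in any hunk of this file, so the added `use Vyatta::Login::Misc;` looks unused unless a part of User.pm outside this diff calls into it. If it is not needed, drop it; if it is, a trailing comment naming what it provides (`# for <name>`) would save the next reader the search.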
my %reasons = (
@@ -34,15 +35,6 @@ my %reasons = (
13 => 'can“t create mail spool',
);
-# Map of level to additional groups
-my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', 'disk' ],
- 'operator' => [ 'quaggavty', 'vyattaop', 'operator', 'adm', 'dip', ],
-);
-
-# Users who MUST not use vbash
-my @protected = ( 'root', 'www-data' );
-
# Construct a map from existing users to group membership
sub get_groups {
my %group_map;
@@ -60,28 +52,60 @@ sub get_groups {
return \%group_map;
}
+my $levelFile = "/opt/vyatta/etc/level";
+
+# Convert level to additional groups
+sub _level2groups {
+ my $level = shift;
+ my @groups;
+
+ open (my $f, '<', $levelFile)
+ or return;
+
+ while (<$f>) {
+ chomp;
+ next unless $_;
+
+ my ($l, $g) = split /:/;
+ if ($l eq $level) {
+ @groups = split(/,/, $g);
+ last;
+ }
+ }
+ close $f;
+ return @groups;
+}
+
# protected users override file
-my $protected_override = '/opt/vyatta/etc/protected-users';
+my $protected_users = '/opt/vyatta/etc/protected-user';
+
+# Users who MUST not use vbash
+sub _protected_users {
+ my @protected;
+
+ open my $pfd, '<', $protected_users
+ or return;
+
+ while (<$pfd>) {
+ chomp;
+ next unless $_;
+
+ push @protected, $_;
+ }
+ close($pfd);
+ return @protected;
+}
+
# make list of vyatta users (ie. users of vbash)
sub _vyatta_users {
my @vusers;
- my %protected_override = ();
- my $pfd;
- if (open($pfd, '<', "$protected_override")) {
- while (<$pfd>) {
- next if (!defined($_));
- chomp;
- $protected_override{$_} = 1;
- }
- close($pfd);
- }
+
setpwent();
# ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
# = getpw*
while ( my ($name, undef, undef, undef, undef, undef,
undef, undef, $shell) = getpwent() ) {
- next if (defined($protected_override{$name}));
push @vusers, $name if ($shell eq '/bin/vbash');
}
endpwent();
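Review bot: Both new readers fail open: `open ... or return;` in `_level2groups` and `_protected_users` turns a missing or unreadable `/opt/vyatta/etc/level` or `/opt/vyatta/etc/protected-user` into an empty list, whereas the hard-coded `%level_map` and `@protected` they replace could not fail. With an empty level list the `_level2groups($level)` call site in the later `update` hunk gives an admin user none of its groups (including `sudo`), and with an empty protected list the `_protected_users()` call site no longer singles out `root`/`www-data`, so a protected account with a vbash shell would reach the `userdel --remove` branch instead of the shell-repair branch. I'd fail closed in both subs, `open (my $f, '<', $levelFile) or die "open $levelFile: $!";` and `open my $pfd, '<', $protected_users or die "open $protected_users: $!";`, and have `_level2groups` `die "unknown level $level\n"` when the loop ends without a match, which is the behaviour the old `@{ $level_map{$level} }` had under strict refs. Minor: `$levelFile` is camelCase while its sibling is `$protected_users`.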
@@ -120,7 +144,7 @@ sub update {
}
# map level to group membership
- my @new_groups = @{ $level_map{$level} };
+ my @new_groups = _level2groups($level);
# add any additional groups from configuration
push( @new_groups, $uconfig->returnValues('group') );
@@ -169,12 +193,12 @@ sub update {
# Remove any vyatta users that do not exist in current configuration
# This can happen if user added but configuration not saved
- my %protected = map { $_ => 1 } @protected;
+ my %protected = map { $_ => 1 } _protected_users();
foreach my $user (_vyatta_users()) {
if ($protected{$user}) {
warn "User $user should not being using vbash - fixed\n";
system ("usermod -s /bin/bash $user") == 0
- or die "Attemp to modify user $user shell failed: $!";
+ or die "Attempt to modify user $user shell failed: $!";
} elsif (! defined $users{$user}) {
warn "User $user not listed in current configuration\n";
system ("userdel --remove $user") == 0
diff --git a/sysconf/level b/sysconf/level
new file mode 100644
index 00000000..2acfa491
--- /dev/null
+++ b/sysconf/level
@@ -0,0 +1,3 @@
+admin:quaggavty,vyattacfg,sudo,adm,dip,disk
+operator:quaggavty,vyattaop,operator,adm,dip
+
diff --git a/sysconf/protected-user b/sysconf/protected-user
new file mode 100644
index 00000000..04a60974
--- /dev/null
+++ b/sysconf/protected-user
@@ -0,0 +1,2 @@
+root
+www-data