From 063143ab7737442bbc460c5465923f5f7bcd41c3 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 23 Sep 2009 13:10:17 -0700 Subject: Cleanup all vbash users This is an alternative version of the rollback for unsaved vyatta user changes. Instead of identifying users by group, assume all users whose login shell is vbash must exist in configuration. --- lib/Vyatta/Login/User.pm | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm index 7012403a..a94b8d08 100755 --- a/lib/Vyatta/Login/User.pm +++ b/lib/Vyatta/Login/User.pm @@ -40,6 +40,9 @@ my %level_map = ( 'operator' => [ 'quaggavty', 'vyattaop', 'operator', 'adm', 'dip', ], ); +# Users who MUST not use vbash +my @protected = ( 'root', 'www-data' ); + # Construct a map from existing users to group membership sub get_groups { my %group_map; @@ -57,6 +60,21 @@ sub get_groups { return \%group_map; } +# make list of vyatta users (ie. users of vbash) +sub _vyatta_users { + my @vusers; + setpwent(); + # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) + # = getpw* + while ( my ($name, undef, undef, undef, undef, undef, + undef, undef, $shell) = getpwent() ) { + push @vusers, $name if ($shell eq '/bin/vbash'); + } + endpwent(); + + return @vusers; +} + sub update { my $membership = get_groups(); my $uconfig = new Vyatta::Config; @@ -137,15 +155,13 @@ sub update { # Remove any vyatta users that do not exist in current configuration # This can happen if user added but configuration not saved - foreach my $grp (qw(vyattacfg vyattaop)) { - my (undef, undef, undef, $members) = getgrnam($grp); - next unless $members; - - foreach my $user (split / /, $members) { - next if ($user eq 'root'); - next if ($user eq 'www-data'); # webgui - next if defined $users{$user}; - + my %protected = map { $_ => 1 } @protected; + foreach my $user (_vyatta_users()) { + if ($protected{$user}) { + warn "User $user should not being using vbash - fixed\n"; + system ("usermod -s /bin/bash $user") == 0 + or die "Attemp to modify user $user shell failed: $!"; + } elsif (! defined $users{$user}) { warn "User $user not listed in current configuration\n"; system ("userdel --remove $user") == 0 or die "Attempt to delete user $user failed: $!"; -- cgit v1.2.3