From d85b9132e5817f7a10eb93b52c2696711bc5d18d Mon Sep 17 00:00:00 2001
From: An-Cheng Huang
Date: Tue, 4 Dec 2007 14:06:49 -0800
Subject: * change "user group" to "user level".
* "admin" => "users", "quaggavty", "vyattacfg", "sudo".
* "users" => "users", "quaggavty"
* use "sudo" group for sudo permissions.
* don't add "root" to /etc/group.
---
 debian/vyatta-cfg-system.postinst.in | 5 ++--
 scripts/system/vyatta_update_login_user.pl | 30 ++++++++++++++--------
 templates/system/login/user/node.def | 2 +-
 .../system/login/user/node.tag/group/node.def | 7 -----
 .../system/login/user/node.tag/level/node.def | 7 +++++
 5 files changed, 31 insertions(+), 20 deletions(-)
 delete mode 100644 templates/system/login/user/node.tag/group/node.def
 create mode 100644 templates/system/login/user/node.tag/level/node.def
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 2c9f0fbf..4420ce7c 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -39,8 +39,9 @@ if [ "$sysconfdir" != "/etc" ]; then
 # sudoers
 [ -f /etc/sudoers ] && cp -pf /etc/sudoers /etc/sudoers.vyatta-save
- if ! grep -q '%quaggavty ALL=NOPASSWD: ALL' /etc/sudoers; then
- echo -e "\n%quaggavty ALL=NOPASSWD: ALL" >> /etc/sudoers
+ sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
+ if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
+ echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
 fi
 echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers
diff --git a/scripts/system/vyatta_update_login_user.pl b/scripts/system/vyatta_update_login_user.pl
index d84ee4b0..05ff0b16 100755
--- a/scripts/system/vyatta_update_login_user.pl
+++ b/scripts/system/vyatta_update_login_user.pl
@@ -103,7 +103,7 @@ sub add_user_to_group {
 my $user = shift;
 my $full = shift;
 my $encrypted = shift;
-my $group = shift;
+my $level = shift;
 # emulate lckpwdf(3).
 # difference: we only try to lock it once (non-blocking). lckpwdf will block
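Review bot: The sudoers edit in this hunk only adds `%sudo ALL=NOPASSWD: ALL` and never removes the `%quaggavty ALL=NOPASSWD: ALL` rule that the previous version of this postinst appended, so on an upgraded system that rule survives, while the new level map in vyatta_update_login_user.pl (its `@@ -136,14 +136,19 @@` hunk) now places 'users'-level accounts in quaggavty as well; a non-admin user would keep passwordless root through the stale rule. Delete it before adding the new one, e.g. `sed -i '/^%quaggavty ALL=NOPASSWD: ALL/d' /etc/sudoers`. Because the file is rewritten in place with sed and echo, a malformed result would lock every account out of sudo; running `visudo -c -f /etc/sudoers` after the edits and restoring /etc/sudoers.vyatta-save when it fails would catch that. The enclosing `if [ "$sysconfdir" != "/etc" ]` block starts before this hunk and continues after it.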
@@ -136,14 +136,19 @@ if ($user eq "-d") {
 exit 0;
 }
-my %group_map = (
- 'admin' => 'quaggavty',
- 'users' => 'users',
+my %level_map = (
+ 'admin' => [ 'users', 'quaggavty', 'vyattacfg', 'sudo', ],
+ 'users' => [ 'users', 'quaggavty', ],
 );
 exit 4 if (!defined($user) || !defined($full) || !defined($encrypted)
- || !defined($group));
-exit 4 if (!defined($group_map{$group}));
-$group = $group_map{$group};
+ || !defined($level));
+exit 4 if (!defined($level_map{$level}));
+my $gref = $level_map{$level};
+my @groups = @{$gref};
+my $def_grp = $groups[0];
+if ($user eq 'root') {
+ $def_grp = 'root';
+}
 # note that DEF_SHELL doesn't affect root since root is never "added"
 my $DEF_SHELL = "/bin/vbash";
@@ -152,7 +157,7 @@ open(GRP, "/etc/group") or exit 5;
 my $def_gid = undef;
 while () {
 my @group_fields = split /:/;
- if ($group_fields[0] eq $group) {
+ if ($group_fields[0] eq $def_grp) {
 $def_gid = $group_fields[2];
 last;
 }
@@ -202,7 +207,12 @@ open(SHADOW, ">>/etc/shadow") or exit 12;
 print SHADOW "$shadow_line\n";
 close SHADOW;
-add_user_to_group($user, $group);
+# root doesn't need to be added to group
+if ($user ne 'root') {
+ foreach my $group (@groups) {
+ add_user_to_group($user, $group);
+ }
+}
 if (($new_user) && !(-e "/home/$user")) {
 if (-d "/etc/skel") {
@@ -210,7 +220,7 @@ if (($new_user) && !(-e "/home/$user")) {
 exit 13 if ($ret >> 8);
 $ret = system("chmod 755 /home/$user");
 exit 14 if ($ret >> 8);
- $ret = system("chown -R $user:$group /home/$user");
+ $ret = system("chown -R $user:$def_grp /home/$user");
 exit 15 if ($ret >> 8);
 } else {
 $ret = system("mkdir -p /home/$user");
diff --git a/templates/system/login/user/node.def b/templates/system/login/user/node.def
index fbac0c54..d05ac373 100644
--- a/templates/system/login/user/node.def
+++ b/templates/system/login/user/node.def
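Review bot: In the new validation block `$gref` is declared only to be dereferenced on the next line, and `$def_grp` takes a four-line if to choose between two constants; `my @groups = @{ $level_map{$level} };` and `my $def_grp = $user eq 'root' ? 'root' : $groups[0];` express the same in two lines. A one-line comment above `%level_map` stating that the hash lookup is the entire validation of the command-line `$level` (anything else exits 4 before a group name is used) would also help, since that property is what keeps a caller from injecting arbitrary group names.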
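Review bot: The new loop only adds `$user` to the groups of the requested level; nothing in this hunk removes a membership, so re-running the script to change an existing account from 'admin' to 'users' leaves it in vyattacfg and sudo, and with the `%sudo ALL=NOPASSWD: ALL` rule installed by the postinst the downgrade would not take effect. add_user_to_group is defined outside this hunk, so this is inferred from the call sites only; if it indeed just appends, the update path should also drop the user from every group listed in `%level_map` that is not in `@groups` for the new level. At minimum a comment on the loop such as `# NOTE: memberships are only added; lowering a level does not revoke sudo/vyattacfg` would make the current behaviour explicit.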
@@ -9,7 +9,7 @@ then rm -rf /tmp/vyatta-delete-system-login-user-$(@).\\\$PPID && exit 0; \
 fi && \
 sudo /opt/vyatta/sbin/vyatta_update_login_user.pl \
 '$(@)' '$(full-name/@)' '$(authentication/encrypted-password/@)' \
- '$(group/@)'"
+ '$(level/@)'"
 delete: "if [ x$(@) == x ]; then exit 1; fi && \
 if [ x$(@) == xroot ]; then \
 echo Cannot delete user \"root\" 1>&2 && exit 2; \
diff --git a/templates/system/login/user/node.tag/group/node.def b/templates/system/login/user/node.tag/group/node.def
deleted file mode 100644
index 17739351..00000000
--- a/templates/system/login/user/node.tag/group/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: txt
-help: "User group"
-default: "admin"
-syntax: $(@) in "admin", "users"; "Users can only be in group \"admin\" or \"users\""
-#comp_help:Possible completions:
-# admin\t\tAdministrators
-# users\t\tNormal users
diff --git a/templates/system/login/user/node.tag/level/node.def b/templates/system/login/user/node.tag/level/node.def
new file mode 100644
index 00000000..30ac731c
--- /dev/null
+++ b/templates/system/login/user/node.tag/level/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: "User privilege level"
+default: "admin"
+syntax: $(@) in "admin", "users"; "Allowed levels are \"admin\" and \"users\""
+#comp_help:Possible completions:
+# admin\t\tAdministrators
+# users\t\tNormal users
-- cgit v1.2.3
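Review bot: The help and completion text in the new level/node.def name the two levels but not what they grant, and `default: "admin"` means a user created without an explicit level is placed in the sudo and vyattacfg groups under the new level map, the most privileged choice available. Completion lines such as `# admin\t\tAdministrators (sudo access)` and `# users\t\tNormal users (no sudo)` would tell the operator what they are selecting; whether the default should be the lower level instead is a least-privilege question worth a sentence in the template or commit message.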