From b5bb8c35539d1b108e988d39153abc813c326b0f Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 26 Jan 2010 17:50:33 -0800
Subject: Add additional check that new user doesn't exist in NSS

If user exists in NSS (LDAP, TACACS+) but not on local machine, then it can not be changed with CLI. useradd will fail (user exists), and usermod will fail (can't find user in passwd file).

Bug 5249
---
 scripts/system/vyatta_check_username.pl | 66 +++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 scripts/system/vyatta_check_username.pl
(limited to 'scripts')

diff --git a/scripts/system/vyatta_check_username.pl b/scripts/system/vyatta_check_username.pl
new file mode 100644
index 00000000..254b3417
--- /dev/null
+++ b/scripts/system/vyatta_check_username.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+use strict;
+use warnings;
+
+my $passwdFile = '/etc/passwd';
+
+# Lookup user in password file which may not give same
+# result as getpw* which uses NSS
+sub finduser {
+ my $user = shift;
+ my $uid;
+
+ open( my $f, '<', $passwdFile )
+ or die "Can't open $passwdFile: $!";
+
+ while (<$f>) {
+ chomp;
+ my ( $name, undef, $id ) = split /:/;
+
+ next unless ( $name eq $user );
+ $uid = $id;
+ last;
+ }
+ close $f;
+
+ return $uid;
+}
+
+foreach my $user (@ARGV) {
+ my $uid = getpwnam($user);
+
+ # User does not exist in system, its okay
+ next unless defined($uid);
+
+ # System accounts should not be listed in vyatta configuration
+ # 1000 is SYS_UID_MIN
+ die "$user : account is already reserved for system use\n"
+ if ($uid > 0 && $uid < 1000);
+
+ my $pwuid = finduser($user);
+
+ die "$user : account exists but is not local (change on server)\n"
+ unless defined ($pwuid);
+
+ die "$user : exists but has different uid on local versus remote\n"
+ unless ($pwuid eq $uid);
+}
+
+exit 0;
-- cgit v1.2.3
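Review bot: The last check in the foreach loop compares two numeric uids with the string operator `eq` (`unless ($pwuid eq $uid)`), so a passwd uid field written as `0010` would be reported as differing from the `10` that getpwnam returns; `unless ($pwuid == $uid)` compares them as numbers, and with `use warnings` a non-numeric uid field would then at least produce a warning instead of a silent mismatch. The reserved-range test `if ($uid > 0 && $uid < 1000)` also leaves the upper system range unchecked (for example `nobody` at 65534 on Debian-derived systems), so a system account with a high uid falls through to the local-versus-remote comparison rather than being rejected as reserved; if only 1-999 is meant to be reserved, a comment explaining why would help the next reader. SYS_UID_MIN is hard-coded as 1000 rather than read from /etc/login.defs, which is presumably a deliberate simplification but means the script can drift from the system's useradd policy.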