author | Christian Breunig <christian@breunig.cc> | 2023-10-04 16:45:13 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-10-04 16:45:13 +0200 |
commit | 12069d5653034b46a47430353c3867b3678c196f (patch) | |
tree | 8e8b9ee4c6eefcef866ab00c1a434a428df147ec | |
parent | 53bc1627c09d7b6559aaafabfac69a7427e8e38c (diff) | |
download | vyos-1x-12069d5653034b46a47430353c3867b3678c196f.tar.gz vyos-1x-12069d5653034b46a47430353c3867b3678c196f.zip |
login: T5521: do not call system-login.py in vyos-router init
Calling system-login.py with no mounted VyOS config has the negative effect
that the script will not detect any local user accounts and thus assumes they
all need to be removed from the password backend.
As soon as the VyOS configuration is mounted and the CLI content is processed,
system-login.py gets invoked and re-creates the previously deleted user accounts.
As the account names are sorted in alphabetical order, the name <-> UID mapping
can get mixed up during system reboot.
The intention behind calling system-login.py from vyos-router init was to
reset system services (PAM, NSS) back to sane defaults with the defaults
provided via system-login.py. As PAM is already reset in the vyos-router startup
script, /etc/nsswitch.conf was the only candidate left.
This is now accomplished by simply creating a standard NSS configuration file
tailored for local system accounts.
This is the second revision after the first change via commit 64d32329958
("login: T5521: home directory owner changed during reboot") got reverted.
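The failure mode the commit message describes (accounts deleted, then re-created in alphabetical order, so UIDs get reassigned and home directories end up owned by the wrong account) can be reproduced with a small simulation. This is an added illustration, not code from the vyos-1x repository or from system-login.py: the account names, UIDs and the lowest-free-UID allocation rule are constructed assumptions that stand in for what useradd does on a real system.

```python
"""Simulate the name <-> UID remapping caused by deleting and re-creating
local accounts in sorted order during boot (constructed example).

Assumptions (not taken from the page): useradd-style allocation picks the
lowest free UID at or above UID_MIN, and each account owns /home/<name>.
"""

UID_MIN = 1000  # assumed first regular-user UID


def allocate_uid(passwd):
    """Return the lowest free UID >= UID_MIN (simplified useradd behaviour)."""
    used = set(passwd.values())
    uid = UID_MIN
    while uid in used:
        uid += 1
    return uid


def create_accounts(passwd, names):
    """Create missing accounts; names are processed in sorted order, as the
    commit message notes happens when the CLI config is applied."""
    table = dict(passwd)
    for name in sorted(names):
        if name not in table:
            table[name] = allocate_uid(table)
    return table


def remove_all(passwd):
    """What a login reset does when it sees no configured users: every local
    account is dropped from the password backend."""
    return {}


def owner_of_uid(passwd, uid):
    """Map a numeric owner back to an account name (None if unowned)."""
    for name, u in passwd.items():
        if u == uid:
            return name
    return None


def simulate_reboot(passwd, configured_users, reset_first):
    """Replay a boot: optionally wipe accounts first (the old init behaviour),
    then apply the configured users. Returns the resulting passwd table and
    the set of accounts whose home directory is now owned by someone else."""
    # Home directory ownership is stored by UID, so it survives the wipe.
    homes = dict(passwd)  # name -> uid that owns /home/<name>
    table = dict(passwd)
    if reset_first:
        table = remove_all(table)
    table = create_accounts(table, configured_users)
    mismatched = {
        name for name, uid in homes.items() if owner_of_uid(table, uid) != name
    }
    return table, mismatched


if __name__ == "__main__":
    # Constructed starting state: "zoe" was created before "alice".
    initial = {"zoe": 1000, "alice": 1001}
    users = {"zoe", "alice"}
    for reset in (True, False):
        table, bad = simulate_reboot(initial, users, reset_first=reset)
        print(f"reset_first={reset}: passwd={table}, wrong home owner={sorted(bad)}")
```

With `reset_first=True` the re-creation in sorted order hands UID 1000 to `alice`, so `/home/zoe` (still owned by UID 1000) now belongs to `alice` and vice versa; with the reset skipped, as this commit does, the original mapping is preserved.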
-rwxr-xr-x | src/init/vyos-router | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router index dd63921e0..35095afe4 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -234,6 +234,27 @@ cleanup_post_commit_hooks () { # system defaults. security_reset () { + + # restore NSS cofniguration back to sane system defaults + # will be overwritten later when configuration is loaded + cat <<EOF >/etc/nsswitch.conf +passwd: files +group: files +shadow: files +gshadow: files + +# Per T2678, commenting out myhostname +hosts: files dns #myhostname +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis +EOF + # restore PAM back to virgin state (no radius/tacacs services) pam-auth-update --disable radius-mandatory radius-optional rm -f /etc/pam_radius_auth.conf @@ -349,7 +370,6 @@ start () # As VyOS does not execute commands that are not present in the CLI we call # the script by hand to have a single source for the login banner and MOTD ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console" - ${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login" ${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files" ${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files" ${vyos_conf_scripts_dir}/system-ip.py || log_failure_msg "could not reset system IPv4 options" |
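Review bot: In the first hunk the new comment reads `# restore NSS cofniguration back to sane system defaults`; "cofniguration" should be "configuration". While touching it, consider quoting the heredoc delimiter (`cat <<'EOF' >/etc/nsswitch.conf`) so it is explicit that no parameter expansion is intended in the generated file, and verify that the file written by the redirection ends up world-readable (0644) as the default /etc/nsswitch.conf is, since NSS lookups by unprivileged processes depend on it.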
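Review bot: The second hunk drops the `${vyos_conf_scripts_dir}/system-login.py` call from `start ()`, so the NSS reset now relies entirely on the new heredoc in `security_reset ()`. Please confirm (the call site is outside this diff) that `security_reset` runs in `start ()` before the configuration is loaded; otherwise the intent stated in the commit message, a known-good nsswitch.conf in place until the CLI content is processed, is not met. The surrounding comment about calling scripts by hand for the banner and MOTD still applies to the remaining lines, so no comment update is needed.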