authorJohn Estabrook <jestabro@vyos.io>2023-06-24 19:23:56 -0500
committerJohn Estabrook <jestabro@vyos.io>2023-06-24 20:53:17 -0500
commit800c3161bffc40cc46833925ec5aa50f30231476 (patch)
treead2da9753800f590b959229e1ede34432f1070e8
parentb5346bc6cedd54615490fc5ce2e77f6380f46c8c (diff)
tacacs: T141: check upper bound on dynamically allocated user accounts
Check upper bound as defined in Debian Policy Manual. Without this check, user 'nobody' will not be available.
-rwxr-xr-xsrc/conf_mode/system-login.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 5f8dd17cd..24766a5b5 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -49,6 +49,8 @@ nss_config_file = "/etc/nsswitch.conf"
# Minimum UID used when adding system users
MIN_USER_UID: int = 1000
+# Maximim UID used when adding system users
+MAX_USER_UID: int = 59999
# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
MAX_RADIUS_TIMEOUT: int = 50
# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
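Review bot: The comment on the new `MAX_USER_UID` constant misspells "Maximum" and does not say where 59999 comes from, so a later reader cannot tell that it is a policy boundary and not an arbitrary limit. I would write `# Maximum UID for dynamically allocated user accounts (Debian Policy Manual, "UID and GID classes": 1000-59999)`. Naming the source matters because, going by the commit message, UIDs above this range belong to reserved accounts such as `nobody` that this script should not treat as locally managed login users.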
@@ -68,6 +70,8 @@ def get_local_users():
for s_user in getpwall():
if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID:
continue
+ if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID:
+ continue
if s_user.pw_name in SYSTEM_USER_SKIP_LIST:
continue
local_users.append(s_user.pw_name)
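Review bot: The added upper-bound check, `if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID:`, re-resolves the account by name instead of using the `pw_uid` of the entry that `getpwall()` just returned. That costs a second NSS lookup per account and can raise `KeyError`. If a name is served by more than one NSS source (the file references `/etc/nsswitch.conf`, and the commit concerns TACACS), the by-name lookup may also return a different record than the one enumerated, so the range filter could be judged on the wrong UID. Both bounds can be tested on the enumerated entry in one condition: `if not MIN_USER_UID <= s_user.pw_uid <= MAX_USER_UID: continue`. The body of `get_local_users` starts and ends outside this hunk, so how `local_users` is initialised and returned is not visible here.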