authorChristian Poessinger <christian@poessinger.com>2020-02-27 17:59:38 +0100
committerChristian Poessinger <christian@poessinger.com>2020-02-27 17:59:38 +0100
commite054dee8b8ab81f7f85bb93bd25110affa38fcd0 (patch)
tree89238fe8bfb7b529b14bd907a5f30546f0b4add9
parent8e4ab2339268d966f34616d9ead6e04e665cd8e5 (diff)
downloadvyos-1x-e054dee8b8ab81f7f85bb93bd25110affa38fcd0.tar.gz
vyos-1x-e054dee8b8ab81f7f85bb93bd25110affa38fcd0.zip
login: T2050: retrieve home directory for SSH keys from OS and not guess it
We should not rely on the home directory value stored in user['home_dir']: if a user chooses the username root, or that of any other system user, this will fail. Should we deny using root at all?
-rwxr-xr-xsrc/conf_mode/system-login.py24
1 files changed, 14 insertions, 10 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 23152fee0..a7fb8ee8f 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -265,15 +265,19 @@ def apply(login):
uid = getpwnam(user['name']).pw_uid
gid = getpwnam(user['name']).pw_gid
+ # we should not rely on the home dir value stored in user['home_dir']
+ # as if a crazy user will choose username root or any other system
+ # user this will fail. should be deny using root at all?
+ home_dir = getpwnam(user['name']).pw_dir
# install ssh keys
- key_dir = '{}/.ssh'.format(user['home_dir'])
- if not os.path.isdir(key_dir):
- os.mkdir(key_dir)
- os.chown(key_dir, uid, gid)
- os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
-
- key_file = key_dir + '/authorized_keys';
- with open(key_file, 'w') as f:
+ ssh_key_dir = home_dir + '/.ssh'
+ if not os.path.isdir(ssh_key_dir):
+ os.mkdir(ssh_key_dir)
+ os.chown(ssh_key_dir, uid, gid)
+ os.chmod(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
+
+ ssh_key_file = ssh_key_dir + '/authorized_keys';
+ with open(ssh_key_file, 'w') as f:
f.write("# Automatically generated by VyOS\n")
f.write("# Do not edit, all changes will be lost\n")
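Review bot: The new path still dereferences symlinks inside a directory the target user owns: `os.path.isdir`, `os.chown`, `os.chmod` and `open(ssh_key_file, 'w')` all follow links, so a user who plants `~/.ssh` or `~/.ssh/authorized_keys` as a symlink gets the commit (which presumably runs with root privileges) to write through it and `chown` the link target to their uid. Checking `os.path.islink` on the directory and creating the file with `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, S_IRUSR | S_IWUSR)` closes that and also removes the window between `open('w')` and the later `chmod` in which the file carries the umask-derived mode. The question raised in the commit message is still open here: with `pw_dir` a user named `root` now rewrites `/root/.ssh/authorized_keys`, so a guard that rejects system accounts (the uid floor is distribution-specific) belongs before this block. `apply()` and the `try` this code sits in both begin outside the hunk.
```python
home_dir = getpwnam(user['name']).pw_dir
# install ssh keys
ssh_key_dir = home_dir + '/.ssh'
# refuse to follow a link planted in the user-writable home directory
if os.path.islink(ssh_key_dir):
    raise ConfigError('"{}" is a symbolic link, refusing to install SSH keys'.format(ssh_key_dir))
if not os.path.isdir(ssh_key_dir):
    os.mkdir(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
os.chown(ssh_key_dir, uid, gid)
os.chmod(ssh_key_dir, S_IRWXU | S_IRGRP | S_IXGRP)

ssh_key_file = ssh_key_dir + '/authorized_keys'
# O_NOFOLLOW: never write through a symlink; mode 0600 from creation
fd = os.open(ssh_key_file,
             os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
             S_IRUSR | S_IWUSR)
with os.fdopen(fd, 'w') as f:
    f.write("# Automatically generated by VyOS\n")
    # … unchanged: remaining header and key lines …
```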
@@ -285,8 +289,8 @@ def apply(login):
line += '{} {} {}\n'.format(id['type'], id['key'], id['name'])
f.write(line)
- os.chown(key_file, uid, gid)
- os.chmod(key_file, S_IRUSR | S_IWUSR)
+ os.chown(ssh_key_file, uid, gid)
+ os.chmod(ssh_key_file, S_IRUSR | S_IWUSR)
except Exception as e:
raise ConfigError('Adding user "{}" raised an exception: {}'.format(user['name'], e))