authorChristian Breunig <christian@breunig.cc>2024-04-06 21:09:42 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-04-07 14:36:30 +0000
commita4236f70d16654bedab6b5d02fc6b5d343196593 (patch)
tree51f97f117c2a2296713240efb13c5c23c0242b60
parent812bb6ac4cf8067ca45f1c2557d1a1b2a1b166fe (diff)
downloadvyos-1x-a4236f70d16654bedab6b5d02fc6b5d343196593.tar.gz
vyos-1x-a4236f70d16654bedab6b5d02fc6b5d343196593.zip
login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'
Commit 1b364428f ("login: T5875: restore home directory permissions only when needed") added logic to chown the user's home directory if its UID changes. This might happen when a user account is deleted and re-added to the system. Under rare circumstances it was possible that the implementation triggered: Traceback (most recent call last): File "<stdin>", line 1, in <module> KeyError: 'getpwuid(): uid not found: XXXX' This has been fixed by re-arranging the code path with an additional try/except if the PW database information could not be retrieved, leading to an implicit chown() of the home directory to the user being added. (cherry picked from commit 1165bb497ec2d6d1b3b12d6c03435b0210efe9e5)
-rwxr-xr-xsrc/conf_mode/system_login.py26
1 files changed, 15 insertions, 11 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index cff0c5039..de02a64c6 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -336,27 +336,31 @@ def apply(login):
command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk {user}'
try:
cmd(command)
- # we should not rely on the value stored in
- # user_config['home_directory'], as a crazy user will choose
- # username root or any other system user which will fail.
+ # we should not rely on the value stored in user_config['home_directory'], as a
+ # crazy user will choose username root or any other system user which will fail.
#
# XXX: Should we deny using root at all?
home_dir = getpwnam(user).pw_dir
- # T5875: ensure UID is properly set on home directory if user is re-added
- # the home directory will always exist, as it's created above by --create-home,
- # retrieve current owner of home directory and adjust it on demand
- dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
- if dir_owner != user:
- chown(home_dir, user=user, recursive=True)
-
+ # always re-render SSH keys with appropriate permissions
render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2',
user_config, permission=0o600,
formater=lambda _: _.replace("&quot;", '"'),
user=user, group='users')
-
except Exception as e:
raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
+ # T5875: ensure UID is properly set on home directory if user is re-added
+ # the home directory will always exist, as it's created above by --create-home,
+ # retrieve current owner of home directory and adjust on demand
+ dir_owner = None
+ try:
+ dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
+ except:
+ pass
+
+ if dir_owner != user:
+ chown(home_dir, user=user, recursive=True)
+
# Generate 2FA/MFA One-Time-Pad configuration
if dict_search('authentication.otp.key', user_config):
enable_otp = True
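Review bot: The bare `except:` / `pass` around the `getpwuid()` lookup hides every failure, not only the `KeyError` named in the commit title, and any failure leaves `dir_owner` as `None`, so the recursive `chown()` to the new user then runs unconditionally. Narrowing it to `except (KeyError, OSError):` keeps the fix for the stale-UID case (and for a failing `os.stat()`) while letting unrelated errors surface. The `chown()` call now also sits outside the `try` that converts failures into `ConfigError`, so an error raised there would presumably reach the caller as a raw traceback rather than a commit error. Because the comment above `getpwnam()` notes that `user` may collide with root or another system account, it is worth confirming that `home_dir` is the directory created for this user before ownership is changed recursively with root privileges. `apply()` begins before this hunk and continues after it.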