authorChristian Poessinger <christian@poessinger.com>2021-05-02 15:53:32 +0200
committerChristian Poessinger <christian@poessinger.com>2021-05-02 17:13:40 +0200
commit0e5a90ad70edbcc6334f1737a6855d02f8ffd130 (patch)
treee6886fa149748f4cccfcafb0353776e112641140 /debian/vyos-1x.postinst
parente17475f0237576c3b581daa7b8df1e48adfce8e9 (diff)
radius: T3510: authenticated users must use /sbin/radius_shell as shell
Diffstat (limited to 'debian/vyos-1x.postinst')
-rw-r--r--debian/vyos-1x.postinst11
1 files changed, 8 insertions, 3 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 5fadddc86..8acc87cc8 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -11,7 +11,8 @@ fi
# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
- adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg --gecos "salt minion user" --shell /bin/vbash minion
+ adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
+ --gecos "salt minion user" --shell /bin/vbash minion
adduser --quiet minion frrvty
adduser --quiet minion sudo
adduser --quiet minion adm
@@ -27,7 +28,9 @@ fi
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup users --gecos "radius user" --shell /bin/vbash radius_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
+ --no-create-home --gecos "radius user" \
+ --shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
adduser --quiet radius_user operator
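Review bot: The new `--shell /sbin/radius_shell` only takes effect when the account is first created, because the `adduser` call sits inside `if ! grep -q '^radius_user' /etc/passwd`; on a system where `radius_user` already exists with `/bin/vbash`, this postinst leaves the old shell in place. The same applies to `radius_priv_user` in the next hunk. If upgrading the package on an existing install is a supported path (not visible from here), add an `else` branch such as `usermod --shell /sbin/radius_shell radius_user` so the restriction is enforced either way. The guard pattern also has no trailing `:`, so any account whose name merely starts with `radius_user` would skip creation; `getent passwd radius_user >/dev/null` gives an exact match. The `if` block closes outside the hunk.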
@@ -38,7 +41,9 @@ fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup vyattacfg --gecos "radius privileged user" --shell /bin/vbash radius_priv_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
+ --no-create-home --gecos "radius privileged user" \
+ --shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
adduser --quiet radius_priv_user sudo