summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-07-23 19:31:30 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-23 19:33:20 +0200
commit4791195ae206483f3de1e1b602feefe354834222 (patch)
treebe7546130d60d793b25d54878d4142128f262193 /src/conf_mode
parentd4b2777c1bffca47d9b3b21d8907818f06591c59 (diff)
downloadvyos-1x-4791195ae206483f3de1e1b602feefe354834222.tar.gz
vyos-1x-4791195ae206483f3de1e1b602feefe354834222.zip
login: T3699: verify system username does not conflict with Linux base users
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/system-login.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index da0fc2a25..f0b92aea8 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf"
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
- for p in getpwall():
- username = p[0]
- uid = getpwnam(username).pw_uid
+ for s_user in getpwall():
+ uid = getpwnam(s_user.pw_name).pw_uid
if uid in range(1000, 29999):
- if username not in ['radius_user', 'radius_priv_user']:
- local_users.append(username)
+ if s_user.pw_name not in ['radius_user', 'radius_priv_user']:
+ local_users.append(s_user.pw_name)
return local_users
@@ -104,7 +103,14 @@ def verify(login):
raise ConfigError(f'Attempting to delete current user: {cur_user}')
if 'user' in login:
+ system_users = getpwall()
for user, user_config in login['user'].items():
+ # Linux system users range up until UID 1000, we can not create a
+ # VyOS CLI user which already exists as system user
+ for s_user in system_users:
+ if s_user.pw_name == user and s_user.pw_uid < 1000:
+ raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+
for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
if 'type' not in pubkey_options:
raise ConfigError(f'Missing type for public-key "{pubkey}"!')