diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-07-23 19:31:30 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-07-23 19:33:20 +0200 |
| commit | 4791195ae206483f3de1e1b602feefe354834222 (patch) | |
| tree | be7546130d60d793b25d54878d4142128f262193 /src | |
| parent | d4b2777c1bffca47d9b3b21d8907818f06591c59 (diff) | |
| download | vyos-1x-4791195ae206483f3de1e1b602feefe354834222.tar.gz vyos-1x-4791195ae206483f3de1e1b602feefe354834222.zip | |
login: T3699: verify system username does not conflict with Linux base users
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/system-login.py | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index da0fc2a25..f0b92aea8 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf" def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] - for p in getpwall(): - username = p[0] - uid = getpwnam(username).pw_uid + for s_user in getpwall(): + uid = getpwnam(s_user.pw_name).pw_uid if uid in range(1000, 29999): - if username not in ['radius_user', 'radius_priv_user']: - local_users.append(username) + if s_user.pw_name not in ['radius_user', 'radius_priv_user']: + local_users.append(s_user.pw_name) return local_users @@ -104,7 +103,14 @@ def verify(login): raise ConfigError(f'Attempting to delete current user: {cur_user}') if 'user' in login: + system_users = getpwall() for user, user_config in login['user'].items(): + # Linux system users range up until UID 1000, we can not create a + # VyOS CLI user which already exists as system user + for s_user in system_users: + if s_user.pw_name == user and s_user.pw_uid < 1000: + raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): if 'type' not in pubkey_options: raise ConfigError(f'Missing type for public-key "{pubkey}"!') |