diff options
| -rwxr-xr-x | smoketest/scripts/cli/test_system_login.py | 11 | ||||
| -rwxr-xr-x | src/conf_mode/system-login.py | 16 |
2 files changed, 22 insertions, 5 deletions
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py index aa97511e0..8327235fb 100755 --- a/smoketest/scripts/cli/test_system_login.py +++ b/smoketest/scripts/cli/test_system_login.py @@ -41,6 +41,17 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): self.cli_commit() + def test_add_linux_system_user(self): + system_user = 'backup' + self.cli_set(base_path + ['user', system_user, 'authentication', 'plaintext-password', system_user]) + + # check validate() - can not add username which exists on the Debian + # base system (UID < 1000) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + self.cli_delete(base_path + ['user', system_user]) + def test_system_login_user(self): # Check if user can be created and we can SSH to localhost self.cli_set(['service', 'ssh', 'port', '22']) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index da0fc2a25..f0b92aea8 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf" def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] - for p in getpwall(): - username = p[0] - uid = getpwnam(username).pw_uid + for s_user in getpwall(): + uid = getpwnam(s_user.pw_name).pw_uid if uid in range(1000, 29999): - if username not in ['radius_user', 'radius_priv_user']: - local_users.append(username) + if s_user.pw_name not in ['radius_user', 'radius_priv_user']: + local_users.append(s_user.pw_name) return local_users @@ -104,7 +103,14 @@ def verify(login): raise ConfigError(f'Attempting to delete current user: {cur_user}') if 'user' in login: + system_users = getpwall() for user, user_config in login['user'].items(): + # Linux system users range up until UID 1000, we can not create a + # VyOS CLI user which already exists as system user + for s_user in system_users: + if s_user.pw_name == user and s_user.pw_uid < 1000: + raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): if 'type' not in pubkey_options: raise ConfigError(f'Missing type for public-key "{pubkey}"!') |