-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py11
-rwxr-xr-xsrc/conf_mode/protocols_bfd.py6
-rwxr-xr-xsrc/conf_mode/protocols_bgp.py9
-rwxr-xr-xsrc/conf_mode/protocols_isis.py9
-rwxr-xr-xsrc/conf_mode/protocols_ospf.py9
-rwxr-xr-xsrc/conf_mode/protocols_ospfv3.py6
-rwxr-xr-xsrc/conf_mode/protocols_rip.py6
-rwxr-xr-xsrc/conf_mode/protocols_ripng.py6
-rwxr-xr-xsrc/conf_mode/protocols_rpki.py6
-rwxr-xr-xsrc/conf_mode/protocols_static.py6
-rwxr-xr-xsrc/conf_mode/system-login.py16
11 files changed, 22 insertions, 68 deletions
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index aa97511e0..8327235fb 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -41,6 +41,17 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
+ def test_add_linux_system_user(self):
+ system_user = 'backup'
+ self.cli_set(base_path + ['user', system_user, 'authentication', 'plaintext-password', system_user])
+
+ # check validate() - can not add username which exists on the Debian
+ # base system (UID < 1000)
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ self.cli_delete(base_path + ['user', system_user])
+
def test_system_login_user(self):
# Check if user can be created and we can SSH to localhost
self.cli_set(['service', 'ssh', 'port', '22'])
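Review bot: The cleanup in `test_add_linux_system_user` only runs when the commit fails as expected. If `cli_commit()` ever succeeds, `assertRaises` fails before `cli_delete` is reached, and the `backup` entry stays in the session with its own name as the plaintext password. Registering the cleanup before the commit, `self.addCleanup(self.cli_delete, base_path + ['user', system_user])`, or using `try`/`finally`, avoids that, unless `tearDown` (not visible in this hunk) already removes the whole subtree. The test also covers only one name below UID 1000, so a second case for an existing account outside that range would pin the boundary of the new check.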
diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py
index dd70d6bab..348bae59f 100755
--- a/src/conf_mode/protocols_bfd.py
+++ b/src/conf_mode/protocols_bfd.py
@@ -102,12 +102,6 @@ def apply(bfd):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', bfd['new_frr_config'])
frr_cfg.commit_configuration()
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if bfd['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration()
-
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 95f277d74..1a2fabded 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -271,15 +271,6 @@ def apply(bgp):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', bgp['frr_bgpd_config'])
frr_cfg.commit_configuration(bgp_daemon)
- # If FRR config is blank, re-run the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if bgp['frr_bgpd_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(bgp_daemon)
- if bgp['frr_zebra_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(zebra_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py
index c3a444f16..50c48db28 100755
--- a/src/conf_mode/protocols_isis.py
+++ b/src/conf_mode/protocols_isis.py
@@ -232,15 +232,6 @@ def apply(isis):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', isis['frr_isisd_config'])
frr_cfg.commit_configuration(isis_daemon)
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if isis['frr_isisd_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(isis_daemon)
- if isis['frr_zebra_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(zebra_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index 21eb8e447..78c1c82bd 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -211,15 +211,6 @@ def apply(ospf):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ospf['frr_ospfd_config'])
frr_cfg.commit_configuration(ospf_daemon)
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if ospf['frr_ospfd_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(ospf_daemon)
- if ospf['frr_zebra_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(zebra_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py
index 1964e9d34..fef0f509b 100755
--- a/src/conf_mode/protocols_ospfv3.py
+++ b/src/conf_mode/protocols_ospfv3.py
@@ -86,12 +86,6 @@ def apply(ospfv3):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ospfv3['new_frr_config'])
frr_cfg.commit_configuration(frr_daemon)
- # If FRR config is blank, re-run the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if ospfv3['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(frr_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py
index 907ac54ac..e56eb1f56 100755
--- a/src/conf_mode/protocols_rip.py
+++ b/src/conf_mode/protocols_rip.py
@@ -117,12 +117,6 @@ def apply(rip):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', rip['new_frr_config'])
frr_cfg.commit_configuration(rip_daemon)
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if rip['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(rip_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_ripng.py b/src/conf_mode/protocols_ripng.py
index 44c080546..aaec5dacb 100755
--- a/src/conf_mode/protocols_ripng.py
+++ b/src/conf_mode/protocols_ripng.py
@@ -108,12 +108,6 @@ def apply(ripng):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ripng['new_frr_config'])
frr_cfg.commit_configuration(frr_daemon)
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if ripng['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(frr_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py
index d8f99efb8..947c8ab7a 100755
--- a/src/conf_mode/protocols_rpki.py
+++ b/src/conf_mode/protocols_rpki.py
@@ -90,12 +90,6 @@ def apply(rpki):
frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', rpki['new_frr_config'])
frr_cfg.commit_configuration(frr_daemon)
- # If FRR config is blank, re-run the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if rpki['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(frr_daemon)
-
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py
index 1d45cb71c..338247e30 100755
--- a/src/conf_mode/protocols_static.py
+++ b/src/conf_mode/protocols_static.py
@@ -107,12 +107,6 @@ def apply(static):
frr_cfg.add_before(r'(interface .*|line vty)', static['new_frr_config'])
frr_cfg.commit_configuration(static_daemon)
- # If FRR config is blank, rerun the blank commit x times due to frr-reload
- # behavior/bug not properly clearing out on one commit.
- if static['new_frr_config'] == '':
- for a in range(5):
- frr_cfg.commit_configuration(static_daemon)
-
# Save configuration to /run/frr/config/frr.conf
frr.save_configuration()
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index da0fc2a25..f0b92aea8 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf"
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
- for p in getpwall():
- username = p[0]
- uid = getpwnam(username).pw_uid
+ for s_user in getpwall():
+ uid = getpwnam(s_user.pw_name).pw_uid
if uid in range(1000, 29999):
- if username not in ['radius_user', 'radius_priv_user']:
- local_users.append(username)
+ if s_user.pw_name not in ['radius_user', 'radius_priv_user']:
+ local_users.append(s_user.pw_name)
return local_users
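Review bot: In `get_local_users()` the rewritten loop still calls `getpwnam(s_user.pw_name)` for a record that `getpwall()` has just returned. Every account therefore costs a second passwd lookup, and an entry that disappears between the two calls raises `KeyError`. The record already carries the value, so the line can be `uid = s_user.pw_uid`. Separately, `range(1000, 29999)` stops at 29998; a short comment saying where that upper bound comes from, and whether it is meant to be inclusive, would help the next reader.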
@@ -104,7 +103,14 @@ def verify(login):
raise ConfigError(f'Attempting to delete current user: {cur_user}')
if 'user' in login:
+ system_users = getpwall()
for user, user_config in login['user'].items():
+ # Linux system users range up until UID 1000, we can not create a
+ # VyOS CLI user which already exists as system user
+ for s_user in system_users:
+ if s_user.pw_name == user and s_user.pw_uid < 1000:
+ raise ConfigError(f'User "{user}" can not be created, conflict with local system account!')
+
for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items():
if 'type' not in pubkey_options:
raise ConfigError(f'Missing type for public-key "{pubkey}"!')
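Review bot: The new guard in `verify()` rejects a name only when the existing account has `pw_uid < 1000`, so a system account above that range still passes; `nobody` is UID 65534 on Debian, for example. Such an account would then presumably be handled like any CLI user. Since `get_local_users()` treats 1000–29998 as the managed range, the check could instead reject any pre-existing account outside it, e.g. `if s_user.pw_name == user and s_user.pw_uid not in range(1000, 29999):`, after confirming this does not catch RADIUS-mapped users. The inner loop over `system_users` could also be a single `getpwnam(user)` inside `try`/`except KeyError`. `verify()` starts before and continues past this hunk, so any earlier handling is not visible here.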