summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--python/vyos/utils/auth.py12
-rwxr-xr-xsrc/conf_mode/system_login.py17
2 files changed, 15 insertions, 14 deletions
diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py
index a59858d72..d014f756f 100644
--- a/python/vyos/utils/auth.py
+++ b/python/vyos/utils/auth.py
@@ -1,6 +1,6 @@
# authutils -- miscelanneous functions for handling passwords and publis keys
#
-# Copyright (C) 2018 VyOS maintainers and contributors
+# Copyright (C) 2023-2024 VyOS maintainers and contributors
#
# This library is free software; you can redistribute it and/or modify it under the terms of
# the GNU Lesser General Public License as published by the Free Software Foundation;
@@ -11,13 +11,12 @@
# See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along with this library;
-# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import re
from vyos.utils.process import cmd
-
def make_password_hash(password):
""" Makes a password hash for /etc/shadow using mkpasswd """
@@ -39,3 +38,10 @@ def split_ssh_public_key(key_string, defaultname=""):
raise ValueError("Bad key type \'{0}\', must be one of must be one of ssh-rsa, ssh-dss, ecdsa-sha2-nistp<256|384|521> or ssh-ed25519".format(key_type))
return({"type": key_type, "data": key_data, "name": key_name})
+
+def get_current_user() -> str:
+ import os
+ current_user = 'nobody'
+ if 'SUDO_USER' in os.environ:
+ current_user = os.environ['SUDO_USER']
+ return current_user
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index e616ec3db..afddae4dc 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -30,6 +30,7 @@ from vyos.configverify import verify_vrf
from vyos.defaults import directories
from vyos.template import render
from vyos.template import is_ipv4
+from vyos.utils.auth import get_current_user
from vyos.utils.dict import dict_search
from vyos.utils.file import chown
from vyos.utils.file import write_file
@@ -49,8 +50,6 @@ tacacs_pam_config_file = "/etc/tacplus_servers"
tacacs_nss_config_file = "/etc/tacplus_nss.conf"
nss_config_file = "/etc/nsswitch.conf"
-current_user = None
-
# Minimum UID used when adding system users
MIN_USER_UID: int = 1000
# Maximim UID used when adding system users
@@ -122,9 +121,6 @@ def get_config(config=None):
rm_users = [tmp for tmp in all_users if tmp not in cli_users]
if rm_users: login.update({'rm_users' : rm_users})
- if 'SUDO_USER' in os.environ:
- current_user = os.environ['SUDO_USER']
-
return login
def verify(login):
@@ -132,8 +128,9 @@ def verify(login):
# This check is required as the script is also executed from vyos-router
# init script and there is no SUDO_USER environment variable available
# during system boot.
- if current_user in login['rm_users']:
- raise ConfigError(f'Attempting to delete current user: {cur_user}')
+ tmp = get_current_user()
+ if tmp in login['rm_users']:
+ raise ConfigError(f'Attempting to delete current user: {tmp}')
if 'user' in login:
system_users = getpwall()
@@ -239,9 +236,9 @@ def generate(login):
# store encrypted password
tmp = os.path.join(env[config_dir], '/'.join(add_user_encrypt.split()))
- write_file(f'{tmp}/node.val', encrypted_password, user=current_user, group='vyattacfg', mode=0o664)
+ write_file(f'{tmp}/node.val', encrypted_password, user=get_current_user(), group='vyattacfg', mode=0o664)
if config_dir == 'VYATTA_CHANGES_ONLY_DIR':
- write_file(f'{tmp}/.modified', encrypted_password, user=current_user, group='vyattacfg', mode=0o664)
+ write_file(f'{tmp}/.modified', encrypted_password, user=get_current_user(), group='vyattacfg', mode=0o664)
else:
try:
@@ -276,8 +273,6 @@ def generate(login):
if os.path.isfile(tacacs_nss_config_file):
os.unlink(tacacs_nss_config_file)
-
-
# NSS must always be present on the system
render(nss_config_file, 'login/nsswitch.conf.j2', login,
permission=0o644, user='root', group='root')