From a4236f70d16654bedab6b5d02fc6b5d343196593 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 6 Apr 2024 21:09:42 +0200
Subject: login: T5875: fix corner case for KeyError: 'getpwuid(): uid not
 found: XXXX'

Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the users home directory if it's UID changes.
This might happen when a user account is deleted and re-added to the system.

Under rar e circumstances it was possible that the implementation triggered

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'

This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved leading to an implicit
chown() of the home directory to the user beeing added.

(cherry picked from commit 1165bb497ec2d6d1b3b12d6c03435b0210efe9e5)
---
 src/conf_mode/system_login.py | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index cff0c5039..de02a64c6 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -336,27 +336,31 @@ def apply(login):
             command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk {user}'
             try:
                 cmd(command)
-                # we should not rely on the value stored in
-                # user_config['home_directory'], as a crazy user will choose
-                # username root or any other system user which will fail.
+                # we should not rely on the value stored in user_config['home_directory'], as a
+                # crazy user will choose username root or any other system user which will fail.
                 #
                 # XXX: Should we deny using root at all?
                 home_dir = getpwnam(user).pw_dir
-                # T5875: ensure UID is properly set on home directory if user is re-added
-                # the home directory will always exist, as it's created above by --create-home,
-                # retrieve current owner of home directory and adjust it on demand
-                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
-                if dir_owner != user:
-                     chown(home_dir, user=user, recursive=True)
-
+                # always re-render SSH keys with appropriate permissions
                 render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2',
                        user_config, permission=0o600,
                        formater=lambda _: _.replace("&quot;", '"'),
                        user=user, group='users')
-
             except Exception as e:
                 raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
 
+            # T5875: ensure UID is properly set on home directory if user is re-added
+            # the home directory will always exist, as it's created above by --create-home,
+            # retrieve current owner of home directory and adjust on demand
+            dir_owner = None
+            try:
+                dir_owner = getpwuid(os.stat(home_dir).st_uid).pw_name
+            except:
+                pass
+
+            if dir_owner != user:
+                    chown(home_dir, user=user, recursive=True)
+
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
                 enable_otp = True
-- 
cgit v1.2.3