From e1a34e661d3e5f0090550796ac266dac15e1e337 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 15 Jun 2024 08:44:10 +0200 Subject: T6489: add abstraction vyos.utils.auth.get_current_user() --- python/vyos/utils/auth.py | 12 +++++++++--- src/conf_mode/system_login.py | 17 ++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py index a59858d72..d014f756f 100644 --- a/python/vyos/utils/auth.py +++ b/python/vyos/utils/auth.py @@ -1,6 +1,6 @@ # authutils -- miscelanneous functions for handling passwords and publis keys # -# Copyright (C) 2018 VyOS maintainers and contributors +# Copyright (C) 2023-2024 VyOS maintainers and contributors # # This library is free software; you can redistribute it and/or modify it under the terms of # the GNU Lesser General Public License as published by the Free Software Foundation; @@ -11,13 +11,12 @@ # See the GNU Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License along with this library; -# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA import re from vyos.utils.process import cmd - def make_password_hash(password): """ Makes a password hash for /etc/shadow using mkpasswd """ @@ -39,3 +38,10 @@ def split_ssh_public_key(key_string, defaultname=""): raise ValueError("Bad key type \'{0}\', must be one of must be one of ssh-rsa, ssh-dss, ecdsa-sha2-nistp<256|384|521> or ssh-ed25519".format(key_type)) return({"type": key_type, "data": key_data, "name": key_name}) + +def get_current_user() -> str: + import os + current_user = 'nobody' + if 'SUDO_USER' in os.environ: + current_user = os.environ['SUDO_USER'] + return current_user diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index e616ec3db..afddae4dc 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -30,6 +30,7 @@ from vyos.configverify import verify_vrf from vyos.defaults import directories from vyos.template import render from vyos.template import is_ipv4 +from vyos.utils.auth import get_current_user from vyos.utils.dict import dict_search from vyos.utils.file import chown from vyos.utils.file import write_file @@ -49,8 +50,6 @@ tacacs_pam_config_file = "/etc/tacplus_servers" tacacs_nss_config_file = "/etc/tacplus_nss.conf" nss_config_file = "/etc/nsswitch.conf" -current_user = None - # Minimum UID used when adding system users MIN_USER_UID: int = 1000 # Maximim UID used when adding system users @@ -122,9 +121,6 @@ def get_config(config=None): rm_users = [tmp for tmp in all_users if tmp not in cli_users] if rm_users: login.update({'rm_users' : rm_users}) - if 'SUDO_USER' in os.environ: - current_user = os.environ['SUDO_USER'] - return login def verify(login): @@ -132,8 +128,9 @@ def verify(login): # This check is required as the script is also executed from vyos-router # init script and there is no SUDO_USER environment variable available # during system boot. - if current_user in login['rm_users']: - raise ConfigError(f'Attempting to delete current user: {cur_user}') + tmp = get_current_user() + if tmp in login['rm_users']: + raise ConfigError(f'Attempting to delete current user: {tmp}') if 'user' in login: system_users = getpwall() @@ -239,9 +236,9 @@ def generate(login): # store encrypted password tmp = os.path.join(env[config_dir], '/'.join(add_user_encrypt.split())) - write_file(f'{tmp}/node.val', encrypted_password, user=current_user, group='vyattacfg', mode=0o664) + write_file(f'{tmp}/node.val', encrypted_password, user=get_current_user(), group='vyattacfg', mode=0o664) if config_dir == 'VYATTA_CHANGES_ONLY_DIR': - write_file(f'{tmp}/.modified', encrypted_password, user=current_user, group='vyattacfg', mode=0o664) + write_file(f'{tmp}/.modified', encrypted_password, user=get_current_user(), group='vyattacfg', mode=0o664) else: try: @@ -276,8 +273,6 @@ def generate(login): if os.path.isfile(tacacs_nss_config_file): os.unlink(tacacs_nss_config_file) - - # NSS must always be present on the system render(nss_config_file, 'login/nsswitch.conf.j2', login, permission=0o644, user='root', group='root') -- cgit v1.2.3