From 07e802a2d3f98cdf29928bf321cc8b89cb41766c Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 9 Jan 2024 07:32:41 +0100 Subject: boot-config-loader: T1622: add missing groups to failsafe user This extends commit 86d1291ec5 ("[boot-config-loader] T1622: Add failsafe and back trace") and adds missing groups to the vyos user. Without this change the vyos user will only have operator (vyos@vyos>) privileges, even if this level is discontinued. One could hack himself up as the user has sudo rights, but rather place the user in the right groups from the beginning. NOTE: This user is only added if booted with "vyos-config-debug" and an error when the configuration can not be loaded at all. --- src/helpers/vyos-boot-config-loader.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/helpers/vyos-boot-config-loader.py')
diff --git a/src/helpers/vyos-boot-config-loader.py b/src/helpers/vyos-boot-config-loader.py
index 01b06526d..42de696ce 100755
--- a/src/helpers/vyos-boot-config-loader.py
+++ b/src/helpers/vyos-boot-config-loader.py
@@ -102,7 +102,8 @@ def failsafe(config_file_name):
 'authentication', 'encrypted-password'])
- cmd(f"useradd -s /bin/bash -G 'users,sudo' -m -N -p '{passwd}' vyos")
+ cmd(f"useradd --create-home --no-user-group --shell /bin/vbash --password '{passwd}' "\
+ "--groups frr,frrvty,vyattacfg,sudo,adm,dip,disk vyos")
 if __name__ == '__main__':
 if len(sys.argv) < 2:
-- cgit v1.2.3
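Review bot: The rewritten `useradd` call still splices `passwd` into a hand-quoted shell word (`--password '{passwd}'`), so a config value containing a `'` would end the quoting early if `cmd()` passes the string to a shell. Quoting it with the standard library is safer, e.g. `--password {shlex.quote(passwd)}`, which needs `import shlex` if the file does not already have it (the imports are outside the hunk). The assignment of `passwd` and the start of `failsafe()` are also above the hunk, so it is not visible whether a missing `encrypted-password` node is handled; if it can be `None`, the literal text `None` would be written as the password field. Since this account now also joins `disk` and `adm` on top of `sudo`, a short comment above the call would help, such as `# failsafe account: created only on vyos-config-debug boots when the config cannot be loaded`.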