From 800c3161bffc40cc46833925ec5aa50f30231476 Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Sat, 24 Jun 2023 19:23:56 -0500
Subject: tacacs: T141: check upper bound on dynamically allocated user accounts

Check upper bound as defined in Debian Policy Manual. Without this check, user 'nobody' will not be available.
---
 src/conf_mode/system-login.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 5f8dd17cd..24766a5b5 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -49,6 +49,8 @@ nss_config_file = "/etc/nsswitch.conf"
 
 # Minimum UID used when adding system users
 MIN_USER_UID: int = 1000
+# Maximim UID used when adding system users
+MAX_USER_UID: int = 59999
 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
 MAX_RADIUS_TIMEOUT: int = 50
 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
@@ -68,6 +70,8 @@ def get_local_users():
 for s_user in getpwall():
 if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID:
 continue
+ if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID:
+ continue
 if s_user.pw_name in SYSTEM_USER_SKIP_LIST:
 continue
 local_users.append(s_user.pw_name)
--
cgit v1.2.3
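Review bot: The comment on the new `MAX_USER_UID` constant in the first hunk misspells "Maximum" and does not say where 59999 comes from, although the commit message cites the Debian Policy Manual. I would write it as `# Maximum UID used when adding system users (Debian Policy: 1000-59999 are dynamically allocated user accounts)` so the bound is not mistaken for an arbitrary number. Noting that 65534 ('nobody') sits above this range would also record why the limit matters.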
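Review bot: The added upper-bound test in `get_local_users()` repeats `getpwnam(s_user.pw_name)` for an entry that `getpwall()` has already returned, so each account now costs two extra NSS lookups, and a `KeyError` is possible if the name stops resolving between enumeration and lookup. If the re-lookup is not deliberate, both bounds fit in one comparison on the enumerated entry: `if not MIN_USER_UID <= s_user.pw_uid <= MAX_USER_UID:` followed by `continue`. If it is deliberate (for example to get the UID as resolved through the NSS order), look it up once into a local variable and add a comment saying so. The function starts and ends outside this hunk, so how the returned list is consumed is not visible here.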