From fad0128567931fd32e568896a0ba789396ab9311 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 15 Jun 2024 08:03:37 +0200 Subject: login: T6489: add smarter way to interact with the working config instead of my_set/my_delete (cherry picked from commit da29c9b3ab7b0cc23d64c8b033fc5a79c1b09174) --- src/conf_mode/system_login.py | 59 +++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 33 deletions(-) (limited to 'src') diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index 20121f170..e616ec3db 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -21,6 +21,7 @@ from psutil import users from pwd import getpwall from pwd import getpwnam from pwd import getpwuid +from shutil import rmtree from sys import exit from time import sleep @@ -31,6 +32,7 @@ from vyos.template import render from vyos.template import is_ipv4 from vyos.utils.dict import dict_search from vyos.utils.file import chown +from vyos.utils.file import write_file from vyos.utils.process import cmd from vyos.utils.process import call from vyos.utils.process import rc_cmd @@ -47,6 +49,8 @@ tacacs_pam_config_file = "/etc/tacplus_servers" tacacs_nss_config_file = "/etc/tacplus_nss.conf" nss_config_file = "/etc/nsswitch.conf" +current_user = None + # Minimum UID used when adding system users MIN_USER_UID: int = 1000 # Maximim UID used when adding system users @@ -118,6 +122,9 @@ def get_config(config=None): rm_users = [tmp for tmp in all_users if tmp not in cli_users] if rm_users: login.update({'rm_users' : rm_users}) + if 'SUDO_USER' in os.environ: + current_user = os.environ['SUDO_USER'] + return login def verify(login): @@ -125,10 +132,8 @@ def verify(login): # This check is required as the script is also executed from vyos-router # init script and there is no SUDO_USER environment variable available # during system boot. - if 'SUDO_USER' in os.environ: - cur_user = os.environ['SUDO_USER'] - if cur_user in login['rm_users']: - raise ConfigError(f'Attempting to delete current user: {cur_user}') + if current_user in login['rm_users']: + raise ConfigError(f'Attempting to delete current user: {cur_user}') if 'user' in login: system_users = getpwall() @@ -214,6 +219,7 @@ def verify(login): def generate(login): # calculate users encrypted password if 'user' in login: + env = os.environ.copy() for user, user_config in login['user'].items(): tmp = dict_search('authentication.plaintext_password', user_config) if tmp: @@ -221,35 +227,22 @@ def generate(login): login['user'][user]['authentication']['encrypted_password'] = encrypted_password del login['user'][user]['authentication']['plaintext_password'] - # remove old plaintext password and set new encrypted password - env = os.environ.copy() - env['vyos_libexec_dir'] = directories['base'] - # Set default commands for re-adding user with encrypted password - del_user_plain = f"system login user {user} authentication plaintext-password" - add_user_encrypt = f"system login user {user} authentication encrypted-password '{encrypted_password}'" - - lvl = env['VYATTA_EDIT_LEVEL'] - # We're in config edit level, for example "edit system login" - # Change default commands for re-adding user with encrypted password - if lvl != '/': - # Replace '/system/login' to 'system login' - lvl = lvl.strip('/').split('/') - # Convert command str to list - del_user_plain = del_user_plain.split() - # New command exclude level, for example "edit system login" - del_user_plain = del_user_plain[len(lvl):] - # Convert string to list - del_user_plain = " ".join(del_user_plain) - - add_user_encrypt = add_user_encrypt.split() - add_user_encrypt = add_user_encrypt[len(lvl):] - add_user_encrypt = " ".join(add_user_encrypt) - - ret, out = rc_cmd(f"/opt/vyatta/sbin/my_delete {del_user_plain}", env=env) - if ret: raise ConfigError(out) - ret, out = rc_cmd(f"/opt/vyatta/sbin/my_set {add_user_encrypt}", env=env) - if ret: raise ConfigError(out) + del_user_plain = f'system login user {user} authentication plaintext-password' + add_user_encrypt = f'system login user {user} authentication encrypted-password' + + for config_dir in ['VYATTA_TEMP_CONFIG_DIR', 'VYATTA_CHANGES_ONLY_DIR']: + tmp = os.path.join(env[config_dir], '/'.join(del_user_plain.split())) + # delete temporary plaintext-password CLI node + if os.path.exists(tmp): + rmtree(tmp) + + # store encrypted password + tmp = os.path.join(env[config_dir], '/'.join(add_user_encrypt.split())) + write_file(f'{tmp}/node.val', encrypted_password, user=current_user, group='vyattacfg', mode=0o664) + if config_dir == 'VYATTA_CHANGES_ONLY_DIR': + write_file(f'{tmp}/.modified', encrypted_password, user=current_user, group='vyattacfg', mode=0o664) + else: try: if get_shadow_password(user) == dict_search('authentication.encrypted_password', user_config): -- cgit v1.2.3