* [pbs-devel] [PATCH proxmox-backup] api2/access/user: remove password for @pbs users on removal
@ 2021-04-14 13:30 Dominik Csapak
From: Dominik Csapak @ 2021-04-14 13:30 UTC (permalink / raw)
To: pbs-devel
so that their password entry is not left in the shadow.json
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/api2/access/user.rs | 11 +++++++++++
src/auth.rs | 24 ++++++++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index c49b12b1..e080d57a 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
user::save_config(&config)?;
+ let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+ match authenticator.remove_password(userid.name()) {
+ Ok(()) => {},
+ Err(err) => {
+ eprintln!(
+ "error removing password after deleting user {:?}: {}",
+ userid, err
+ );
+ }
+ }
+
match crate::config::tfa::read().and_then(|mut cfg| {
let _: bool = cfg.remove_user(&userid);
crate::config::tfa::write(&cfg)
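Review bot: A failure of `remove_password` on the new lines after `save_config` leaves the deleted user's hash in shadow.json — the very state this patch is meant to prevent — and the only trace is an `eprintln!` on stderr, which is easily lost when the API runs as a daemon. Route the failure through whatever logging facility this file otherwise uses, if any, and name the consequence in the message, e.g. `"error removing password after deleting user {:?} (stale entry may remain in shadow config): {}"`. The empty `Ok(()) => {}` arm also reads more naturally as `if let Err(err) = authenticator.remove_password(userid.name()) { … }`. delete_user starts and ends outside this hunk.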
diff --git a/src/auth.rs b/src/auth.rs
index faad760e..3272dd6d 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
pub trait ProxmoxAuthenticator {
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+ fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
}
pub struct PAM();
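Review bot: The new `remove_password` method on `ProxmoxAuthenticator` has no doc comment, although it defines a contract every realm must implement and the PAM implementation in the next hunk relies on a no-op being acceptable. A `///` comment such as `/// Remove the credential stored for `username` in this realm's own credential store, if the realm keeps one; realms whose credentials are managed elsewhere return Ok(()).` would make that explicit to future implementors.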
@@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {
Ok(())
}
+
+ // do not remove password for pam users
+ fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+ Ok(())
+ }
}
pub struct PBS();
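Review bot: The `// do not remove password for pam users` comment on the PAM `remove_password` states what the no-op does but not why, and as a `//` comment it is invisible in rustdoc. A doc comment along the lines of `/// The PAM realm does not keep its users' credentials in the PBS shadow file, so there is nothing to remove; intentionally a no-op.` would carry the reason — confirm that wording against the rest of the PAM impl, which is not visible here. The enclosing `impl ProxmoxAuthenticator for PAM` block starts outside this hunk.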
@@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {
Ok(())
}
+
+ fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
+ let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+ if let Some(map) = data.as_object_mut() {
+ map.remove(username.as_str());
+ }
+
+ let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+ let options = proxmox::tools::fs::CreateOptions::new()
+ .perm(mode)
+ .owner(nix::unistd::ROOT)
+ .group(nix::unistd::Gid::from_raw(0));
+
+ let data = serde_json::to_vec_pretty(&data)?;
+ proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
+
+ Ok(())
+ }
}
/// Lookup the autenticator for the specified realm
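Review bot: The PBS `remove_password` performs an unlocked read-modify-write of `SHADOW_CONFIG_FILENAME` — `file_get_json` at the top of the hunk, `replace_file` at the bottom — so a concurrent `store_password` for another user can overwrite this removal and leave the deleted user's hash in place, or lose its own update. If `store_password` (above this hunk, outside it) takes a lock around its read-modify-write, this method should take the same lock; if neither does, both sides have the race. Separately, the credential file is rewritten even when `map.remove(username.as_str())` returns `None`; binding the result, `if map.remove(username.as_str()).is_none() { return Ok(()); }`, skips a needless rewrite. The mode/options/`replace_file` tail looks like it duplicates the end of `store_password`; a private helper that writes the shadow file would keep permissions and ownership in one place. The enclosing `impl ProxmoxAuthenticator for PBS` block starts outside this hunk.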
--
2.20.1