From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] api2/access/user: remove password for @pbs users on removal
Date: Wed, 14 Apr 2021 15:30:42 +0200 [thread overview]
Message-ID: <20210414133042.19382-1-d.csapak@proxmox.com> (raw)
so that their password entry is not left in the shadow.json
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/api2/access/user.rs | 11 +++++++++++
src/auth.rs | 24 ++++++++++++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index c49b12b1..e080d57a 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
user::save_config(&config)?;
+ let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+ match authenticator.remove_password(userid.name()) {
+ Ok(()) => {},
+ Err(err) => {
+ eprintln!(
+ "error removing password after deleting user {:?}: {}",
+ userid, err
+ );
+ }
+ }
+
match crate::config::tfa::read().and_then(|mut cfg| {
let _: bool = cfg.remove_user(&userid);
crate::config::tfa::write(&cfg)
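Review bot: The `Err(err)` arm of the new `remove_password` match only prints to stderr, so when the shadow entry cannot be removed the API call still returns `Ok(())` and the caller never learns that the deleted user's password hash is still on disk; if the crate uses the `log` facade elsewhere, `log::error!("error removing password after deleting user {:?}: {}", userid, err);` at least lands in the journal rather than a daemon's stderr. Separately, the `?` on `crate::auth::lookup_authenticator(userid.realm())?` aborts `delete_user` after the user has already been removed from the config but before the TFA cleanup below runs, so an unresolvable realm would leave the user's TFA entries behind; handling that error the same best-effort way as the two cleanups around it (`Ok(auth) => …`, `Err(err) => eprintln!(…)`) keeps the function consistent. `delete_user` starts before this hunk and continues after it.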
diff --git a/src/auth.rs b/src/auth.rs
index faad760e..3272dd6d 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
pub trait ProxmoxAuthenticator {
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+ fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
}
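Review bot: The new trait method `remove_password` carries no doc comment, and its contract is not obvious from the name alone since one implementation in this patch is a deliberate no-op. A short `///` stating the intent would help future implementors: `/// Remove any credential stored for `username` by this authenticator; backends that do not store credentials themselves (e.g. PAM) should succeed without doing anything.` The surrounding trait methods are equally undocumented, so this could be done for all three in one go.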
pub struct PAM();
@@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {
Ok(())
}
+
+ // do not remove password for pam users
+ fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+ Ok(())
+ }
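Review bot: The `// do not remove password for pam users` comment says what the no-op does but not why, which is the part a reader of the `ProxmoxAuthenticator for PAM` impl will wonder about. Turning it into a doc comment that gives the reason would be clearer, e.g. `/// PAM credentials are owned by the system (passwd/shadow), not by this service, so there is nothing for us to remove.` This is documentation only; the `Ok(())` return is the right behavior for a backend that stores nothing.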
}
pub struct PBS();
@@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {
Ok(())
}
+
+ fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
+ let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+ if let Some(map) = data.as_object_mut() {
+ map.remove(username.as_str());
+ }
+
+ let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+ let options = proxmox::tools::fs::CreateOptions::new()
+ .perm(mode)
+ .owner(nix::unistd::ROOT)
+ .group(nix::unistd::Gid::from_raw(0));
+
+ let data = serde_json::to_vec_pretty(&data)?;
+ proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
+
+ Ok(())
+ }
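Review bot: The read-modify-write of `SHADOW_CONFIG_FILENAME` in `remove_password` (`file_get_json` … `map.remove` … `replace_file`) is not serialized against other writers of the same file, so an overlapping `store_password` for another user could have its new hash dropped, or a just-deleted user's hash written back, depending on which `replace_file` lands last; `store_password` is not in this hunk, so I can't tell whether it takes a lock this path should share, but if the crate has a file-lock helper the shadow handling uses, this function should take the same lock around the whole sequence. As a smaller point, the file is rewritten even when `username` has no entry (and even when the parsed value is not a JSON object, in which case the malformed content is written straight back); checking the result of `remove` — `let removed = data.as_object_mut().map_or(false, |m| m.remove(username.as_str()).is_some()); if !removed { return Ok(()); }` — avoids the needless rewrite.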
}
/// Lookup the autenticator for the specified realm
--
2.20.1