[tacacs]: do not modify local user if there is no priviledge

check the uid before modify local user account.

when run sudo, the process the invoke nss_tacplus library
does not have priviledge to modify the user profile, and
will generate below error messages:

    user_rw@sonic:~$ sudo bash
    usermod: Permission denied.
    usermod: cannot lock /etc/passwd; try again later.
    usermod: Permission denied.
    usermod: cannot lock /etc/passwd; try again later.

Signed-off-by: Guohan Lu <lguohan@gmail.com>
This commit is contained in:
Guohan Lu 2021-02-06 01:16:15 -08:00
parent 87ecaebafc
commit 47e5f05c4e
2 changed files with 33 additions and 0 deletions

View File

@ -0,0 +1,32 @@
From c59b775a7c9226954c5eea4ba05469879b41a60d Mon Sep 17 00:00:00 2001
From: Guohan Lu <lguohan@gmail.com>
Date: Sat, 6 Feb 2021 06:49:17 +0000
Subject: [PATCH] do not create or modify local user if there is no privilege
---
nss_tacplus.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/nss_tacplus.c b/nss_tacplus.c
index fc9316f..cc6f0aa 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -629,8 +629,13 @@ static int lookup_user_pw(struct pwbuf *pb, int level)
if(0 != ret)
return ret;
- if(0 != create_or_modify_local_user(username, level, found))
- return -1;
+ if(0 == getuid()) {
+ if(0 != create_or_modify_local_user(username, level, found))
+ return -1;
+ } else {
+ if(debug)
+ syslog(LOG_DEBUG, "%d does not privilege to create or modify user %s", getuid(), username);
+ }
ret = lookup_pw_local(username, pb, &found);
if(0 == ret && !found) {
--
2.25.1

View File

@ -5,3 +5,4 @@
0005-libnss-Modify-parsing-of-IP-addr-and-port-number-str.patch
0006-fix-compiling-warning-about-token-dereference.patch
0007-Add-support-for-TACACS-source-address.patch
0008-do-not-create-or-modify-local-user-if-there-is-no-pr.patch