api2/access/user: remove password for @pbs users on removal

so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-04-14 15:30:42 +02:00 · 2021-04-14 15:30:42 +02:00 · a4e871f52c
commit a4e871f52c
parent bc3072ef7a
2 changed files with 35 additions and 0 deletions
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>

    user::save_config(&config)?;

+    let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+    match authenticator.remove_password(userid.name()) {
+        Ok(()) => {},
+        Err(err) => {
+            eprintln!(
+                "error removing password after deleting user {:?}: {}",
+                userid, err
+            );
+        }
+    }
+
    match crate::config::tfa::read().and_then(|mut cfg| {
        let _: bool = cfg.remove_user(&userid);
        crate::config::tfa::write(&cfg)
--- a/src/auth.rs
+++ b/src/auth.rs
@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
 pub trait ProxmoxAuthenticator {
    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
 }

 pub struct PAM();
@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {

        Ok(())
    }
+
+    // do not remove password for pam users
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        Ok(())
+    }
 }

 pub struct PBS();
@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {

        Ok(())
    }
+
+    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
+        let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+        if let Some(map) = data.as_object_mut() {
+            map.remove(username.as_str());
+        }
+
+        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+        let options =  proxmox::tools::fs::CreateOptions::new()
+            .perm(mode)
+            .owner(nix::unistd::ROOT)
+            .group(nix::unistd::Gid::from_raw(0));
+
+        let data = serde_json::to_vec_pretty(&data)?;
+        proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
+
+        Ok(())
+    }
 }

 /// Lookup the autenticator for the specified realm