api2/access/user: remove password for @pbs users on removal

so that their password entry is not left in the shadow.json

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

src/api2/access/user.rs

@@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
 
     user::save_config(&config)?;
 
+    let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
+    match authenticator.remove_password(userid.name()) {
+        Ok(()) => {},
+        Err(err) => {
+            eprintln!(
+                "error removing password after deleting user {:?}: {}",
+                userid, err
+            );
+        }
+    }
+
     match crate::config::tfa::read().and_then(|mut cfg| {
         let _: bool = cfg.remove_user(&userid);
         crate::config::tfa::write(&cfg)

src/auth.rs

@@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
 pub trait ProxmoxAuthenticator {
     fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
     fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
 }
 
 pub struct PAM();
@@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {
 
         Ok(())
     }
+
+    // do not remove password for pam users
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        Ok(())
+    }
 }
 
 pub struct PBS();
@@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {
 
         Ok(())
     }
+
+    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
+        let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+        if let Some(map) = data.as_object_mut() {
+            map.remove(username.as_str());
+        }
+
+        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
+        let options =  proxmox::tools::fs::CreateOptions::new()
+            .perm(mode)
+            .owner(nix::unistd::ROOT)
+            .group(nix::unistd::Gid::from_raw(0));
+
+        let data = serde_json::to_vec_pretty(&data)?;
+        proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
+
+        Ok(())
+    }
 }
 
 /// Lookup the autenticator for the specified realm