api2/access/user: remove password for @pbs users on removal

so that their password entry is not left in the shadow.json

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2021-04-14 15:30:42 +02:00 committed by Dietmar Maurer
parent bc3072ef7a
commit a4e871f52c
2 changed files with 35 additions and 0 deletions

View File

@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
user::save_config(&config)?; user::save_config(&config)?;
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
match authenticator.remove_password(userid.name()) {
Ok(()) => {},
Err(err) => {
eprintln!(
"error removing password after deleting user {:?}: {}",
userid, err
);
}
}
match crate::config::tfa::read().and_then(|mut cfg| { match crate::config::tfa::read().and_then(|mut cfg| {
let _: bool = cfg.remove_user(&userid); let _: bool = cfg.remove_user(&userid);
crate::config::tfa::write(&cfg) crate::config::tfa::write(&cfg)

View File

@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
pub trait ProxmoxAuthenticator { pub trait ProxmoxAuthenticator {
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>; fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>; fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
} }
pub struct PAM(); pub struct PAM();
@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {
Ok(()) Ok(())
} }
// do not remove password for pam users
fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
Ok(())
}
} }
pub struct PBS(); pub struct PBS();
@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {
Ok(()) Ok(())
} }
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
if let Some(map) = data.as_object_mut() {
map.remove(username.as_str());
}
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
let options = proxmox::tools::fs::CreateOptions::new()
.perm(mode)
.owner(nix::unistd::ROOT)
.group(nix::unistd::Gid::from_raw(0));
let data = serde_json::to_vec_pretty(&data)?;
proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
Ok(())
}
} }
/// Lookup the autenticator for the specified realm /// Lookup the autenticator for the specified realm