api2/access/user: remove password for @pbs users on removal
so that their password entry is not left behind in shadow.json. Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
parent
bc3072ef7a
commit
a4e871f52c
@ -477,6 +477,17 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
|
|||||||
|
|
||||||
user::save_config(&config)?;
|
user::save_config(&config)?;
|
||||||
|
|
||||||
|
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
|
||||||
|
match authenticator.remove_password(userid.name()) {
|
||||||
|
Ok(()) => {},
|
||||||
|
Err(err) => {
|
||||||
|
eprintln!(
|
||||||
|
"error removing password after deleting user {:?}: {}",
|
||||||
|
userid, err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
match crate::config::tfa::read().and_then(|mut cfg| {
|
match crate::config::tfa::read().and_then(|mut cfg| {
|
||||||
let _: bool = cfg.remove_user(&userid);
|
let _: bool = cfg.remove_user(&userid);
|
||||||
crate::config::tfa::write(&cfg)
|
crate::config::tfa::write(&cfg)
|
||||||
|
24
src/auth.rs
24
src/auth.rs
@ -14,6 +14,7 @@ use crate::api2::types::{Userid, UsernameRef, RealmRef};
|
|||||||
pub trait ProxmoxAuthenticator {
|
pub trait ProxmoxAuthenticator {
|
||||||
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
||||||
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
||||||
|
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct PAM();
|
pub struct PAM();
|
||||||
@ -60,6 +61,11 @@ impl ProxmoxAuthenticator for PAM {
|
|||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// do not remove password for pam users
|
||||||
|
fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct PBS();
|
pub struct PBS();
|
||||||
@ -132,6 +138,24 @@ impl ProxmoxAuthenticator for PBS {
|
|||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
|
||||||
|
let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
||||||
|
if let Some(map) = data.as_object_mut() {
|
||||||
|
map.remove(username.as_str());
|
||||||
|
}
|
||||||
|
|
||||||
|
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
|
||||||
|
let options = proxmox::tools::fs::CreateOptions::new()
|
||||||
|
.perm(mode)
|
||||||
|
.owner(nix::unistd::ROOT)
|
||||||
|
.group(nix::unistd::Gid::from_raw(0));
|
||||||
|
|
||||||
|
let data = serde_json::to_vec_pretty(&data)?;
|
||||||
|
proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Lookup the autenticator for the specified realm
|
/// Lookup the autenticator for the specified realm
|
||||||
|
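Review bot: The new PBS remove_password does an unlocked read-modify-write of SHADOW_CONFIG_FILENAME (file_get_json, then map.remove, then replace_file), so a concurrent writer of the same file — store_password for another user, or a password change racing the deletion — can lose its update or reinsert the just-removed entry from a stale map. Unless store_password already serialises shadow.json writes behind a lock that is not visible in this hunk, both paths should take the same file lock around the read and the replace_file call, and the mode/owner/group setup duplicated here would then naturally move into one shared helper. The removal is also a silent no-op when the file's top-level value is not a JSON object (the `if let Some(map)` guard), and the file is rewritten with identical contents when the user had no entry; `if map.remove(username.as_str()).is_none() { return Ok(()); }` avoids the needless rewrite, while the non-object case is worth surfacing as an error since delete_user only logs what this returns. The trait method added in the first hunk would benefit from a doc comment stating that implementations must be idempotent and that realms not owning credentials (PAM) return Ok(()). The enclosing `impl ProxmoxAuthenticator for PBS` begins outside this hunk.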