tacacs: T141: check upper bound on dynamically allocated user accounts

Check upper bound as defined in Debian Policy Manual. Without this check, user 'nobody' will not be available.
vyos · Jun 25, 2023 · 800c316 · 800c316
1 parent b5346bc
commit 800c316
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
@@ -49,6 +49,8 @@
 
 # Minimum UID used when adding system users
 MIN_USER_UID: int = 1000
+# Maximim UID used when adding system users
+MAX_USER_UID: int = 59999
 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
 MAX_RADIUS_TIMEOUT: int = 50
 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
@@ -68,6 +70,8 @@ def get_local_users():
     for s_user in getpwall():
         if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID:
             continue
+        if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID:
+            continue
         if s_user.pw_name in SYSTEM_USER_SKIP_LIST:
             continue
         local_users.append(s_user.pw_name)