Merge pull request #3719 from vyos/mergify/bp/circinus/pr-3701

configd: T6504: send sudo_user on session init and set env variable (backport #3701)
vyos · Jun 24, 2024 · 0259c43 · 0259c43
2 parents 340e44c + 99c81fb
commit 0259c43
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 3 deletions.
diff --git a/python/vyos/utils/auth.py b/python/vyos/utils/auth.py
@@ -42,6 +42,10 @@ def split_ssh_public_key(key_string, defaultname=""):
 def get_current_user() -> str:
     import os
     current_user = 'nobody'
+    # During CLI "owner" script execution we use SUDO_USER
     if 'SUDO_USER' in os.environ:
         current_user = os.environ['SUDO_USER']
+    # During op-mode or config-mode interactive CLI we use USER
+    elif 'USER' in os.environ:
+        current_user = os.environ['USER']
     return current_user
diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py
@@ -74,6 +74,11 @@ def cli_delete(self, config):
                 print('del ' + ' '.join(config))
             self._session.delete(config)
 
+        def cli_discard(self):
+            if self.debug:
+                print('DISCARD')
+            self._session.discard()
+
         def cli_commit(self):
             self._session.commit()
             # during a commit there is a process opening commit_lock, and run() returns 0

diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
@@ -24,6 +24,7 @@
 from pwd import getpwall
 
 from vyos.configsession import ConfigSessionError
+from vyos.utils.auth import get_current_user
 from vyos.utils.process import cmd
 from vyos.utils.file import read_file
 from vyos.template import inc_ip
@@ -334,5 +335,14 @@ def test_system_login_tacacs(self):
             self.assertIn(f'secret={tacacs_secret}', nss_tacacs_conf)
             self.assertIn(f'server={server}', nss_tacacs_conf)
 
+    def test_delete_current_user(self):
+        current_user = get_current_user()
+
+        # We are not allowed to delete the current user
+        self.cli_delete(base_path + ['user', current_user])
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_discard()
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/services/vyos-configd b/src/services/vyos-configd
@@ -179,8 +179,13 @@ def initialization(socket):
     pid_string = socket.recv().decode("utf-8", "ignore")
     resp = "pid"
     socket.send(resp.encode())
+    sudo_user_string = socket.recv().decode("utf-8", "ignore")
+    resp = "sudo_user"
+    socket.send(resp.encode())
 
     logger.debug(f"config session pid is {pid_string}")
+    logger.debug(f"config session sudo_user is {sudo_user_string}")
+
     try:
         session_out = os.readlink(f"/proc/{pid_string}/fd/1")
         session_mode = 'w'
@@ -192,6 +197,8 @@ def initialization(socket):
         session_out = script_stdout_log
         session_mode = 'a'
 
+    os.environ['SUDO_USER'] = sudo_user_string
+
     try:
         configsource = ConfigSourceString(running_config_text=active_string,
                                           session_config_text=session_string)
@@ -266,9 +273,6 @@ if __name__ == '__main__':
     cfg_group = grp.getgrnam(CFG_GROUP)
     os.setgid(cfg_group.gr_gid)
 
-    os.environ['SUDO_USER'] = 'vyos'
-    os.environ['SUDO_GID'] = str(cfg_group.gr_gid)
-
     def sig_handler(signum, frame):
         shutdown()
 

diff --git a/src/shim/vyshim.c b/src/shim/vyshim.c
@@ -178,6 +178,13 @@ int initialization(void* Requester)
     strsep(&pid_val, "_");
     debug_print("config session pid: %s\n", pid_val);
 
+    char *sudo_user = getenv("SUDO_USER");
+    if (!sudo_user) {
+        char nobody[] = "nobody";
+        sudo_user = nobody;
+    }
+    debug_print("sudo_user is %s\n", sudo_user);
+
     debug_print("Sending init announcement\n");
     char *init_announce = mkjson(MKJSON_OBJ, 1,
                                  MKJSON_STRING, "type", "init");
@@ -240,6 +247,10 @@ int initialization(void* Requester)
     zmq_recv(Requester, buffer, 16, 0);
     debug_print("Received pid receipt\n");
 
+    debug_print("Sending config session sudo_user\n");
+    zmq_send(Requester, sudo_user, strlen(sudo_user), 0);
+    zmq_recv(Requester, buffer, 16, 0);
+    debug_print("Received sudo_user receipt\n");
 
     return 0;
 }