author | jim-p <jimp@pfsense.org> | 2010-07-12 17:11:24 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-07-12 17:11:24 -0400 |
commit | df8d74dee38c56785c9c54385f3a4cb8f8dc74fa (patch) | |
tree | b020dfc600b47cf0f7d5a9394750fe378b6011f2 | |
parent | d8d2d3e462305a9e9edcc1fbdabcc39c61d7c71c (diff) | |
Lock out shell accounts that have no OS access, or are expired/disabled.
-rw-r--r-- | etc/inc/auth.inc | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 2b66355..33fc3ad 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -285,6 +285,7 @@ function local_user_set(& $user) {
 if (!is_dir($home_base))
 mkdir($home_base, 0755);
+ $lock_account = false;
 /* configure shell type */
 if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) {
 $user_shell = "/bin/tcsh";
@@ -294,6 +295,13 @@ function local_user_set(& $user) {
 $user_shell = "/usr/local/bin/scponly";
 } else {
 $user_shell = "/sbin/nologin";
+ $lock_account = true;
+ }
+
+ /* Lock out disabled or expired users, unless it's root/admin. */
+ if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) {
+ $user_shell = "/sbin/nologin";
+ $lock_account = true;
 }
 /* root user special handling */
@@ -350,6 +358,9 @@ function local_user_set(& $user) {
 file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
 chown("{$user_home}/.ssh/authorized_keys", $user_name);
 }
+
+ $un = $lock_account ? "" : "un";
+ exec("/usr/sbin/pw {$un}lock {$user_name}");
 conf_mount_ro();
 }
|
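Review bot: The root/admin exemption in the new `if` of the second hunk relies on the loose comparison `$user_uid != 0`, which is also false when `$user_uid` is null or unset, so a disabled or expired account would silently skip the lockout if the uid has not been populated by that point; the head of local_user_set, where `$user_uid` is presumably assigned, is outside the hunk. A fail-closed form states the exemption explicitly: `$is_root = isset($user_uid) && intval($user_uid) === 0;` followed by `if (!$is_root && (is_account_disabled($user_name) || is_account_expired($user_name))) {`. The comment on that block could also name the consequence, e.g. `/* Disabled or expired accounts get nologin and a pw lock; uid 0 is exempt so the admin account cannot lock itself out. */`.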
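Review bot: In the third hunk `$user_name` is interpolated unquoted into `exec("/usr/sbin/pw {$un}lock {$user_name}")`, and the exit status is discarded, so a failed `pw lock` leaves an account the code has just decided to lock still unlocked with nothing logged. The username comes from admin-controlled configuration here, but building a shell command by interpolation is the pattern that bites as soon as a less-trusted source feeds it; pass the name through `escapeshellarg()` and check the return code, e.g. `$pw_op = $lock_account ? "lock" : "unlock";` and `exec("/usr/sbin/pw {$pw_op} " . escapeshellarg($user_name), $pw_out, $pw_rc);`, then log a non-zero `$pw_rc` instead of ignoring it. Spelling the operation out as `lock`/`unlock` also reads more clearly than the `{$un}lock` prefix trick. The closing brace of local_user_set is visible in this hunk, but the function's head is outside it.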