1 /* 2 // Copyright (c) 2018 Intel Corporation 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 */ 16 17 #include "config.h" 18 19 #include "user_mgr.hpp" 20 21 #include "file.hpp" 22 #include "shadowlock.hpp" 23 #include "users.hpp" 24 25 #include <grp.h> 26 #include <pwd.h> 27 #include <shadow.h> 28 #include <sys/types.h> 29 #include <sys/wait.h> 30 #include <time.h> 31 #include <unistd.h> 32 33 #include <boost/algorithm/string/split.hpp> 34 #include <phosphor-logging/elog-errors.hpp> 35 #include <phosphor-logging/elog.hpp> 36 #include <phosphor-logging/lg2.hpp> 37 #include <xyz/openbmc_project/Common/error.hpp> 38 #include <xyz/openbmc_project/User/Common/error.hpp> 39 40 #include <algorithm> 41 #include <array> 42 #include <ctime> 43 #include <fstream> 44 #include <numeric> 45 #include <regex> 46 #include <span> 47 #include <string> 48 #include <string_view> 49 #include <vector> 50 51 namespace phosphor 52 { 53 namespace user 54 { 55 56 static constexpr const char* passwdFileName = "/etc/passwd"; 57 static constexpr size_t ipmiMaxUserNameLen = 16; 58 static constexpr size_t systemMaxUserNameLen = 30; 59 static constexpr const char* grpSsh = "ssh"; 60 static constexpr int success = 0; 61 static constexpr int failure = -1; 62 63 // pam modules related 64 static constexpr const char* minPasswdLenProp = "minlen"; 65 static constexpr const char* remOldPasswdCount = "remember"; 66 static constexpr const char* maxFailedAttempt = "deny"; 67 static constexpr const char* unlockTimeout = "unlock_time"; 68 static constexpr const char* defaultFaillockConfigFile = 69 "/etc/security/faillock.conf"; 70 static constexpr const char* defaultPWHistoryConfigFile = 71 "/etc/security/pwhistory.conf"; 72 static constexpr const char* defaultPWQualityConfigFile = 73 "/etc/security/pwquality.conf"; 74 75 // Object Manager related 76 static constexpr const char* ldapMgrObjBasePath = 77 "/xyz/openbmc_project/user/ldap"; 78 79 // Object Mapper related 80 static constexpr const char* objMapperService = 81 "xyz.openbmc_project.ObjectMapper"; 82 static constexpr const char* objMapperPath = 83 "/xyz/openbmc_project/object_mapper"; 84 static constexpr const char* objMapperInterface = 85 "xyz.openbmc_project.ObjectMapper"; 86 87 using namespace phosphor::logging; 88 using InsufficientPermission = 89 sdbusplus::xyz::openbmc_project::Common::Error::InsufficientPermission; 90 using InternalFailure = 91 sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure; 92 using InvalidArgument = 93 sdbusplus::xyz::openbmc_project::Common::Error::InvalidArgument; 94 using UserNameExists = 95 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameExists; 96 using UserNameDoesNotExist = 97 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameDoesNotExist; 98 using UserNameGroupFail = 99 sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameGroupFail; 100 using NoResource = 101 sdbusplus::xyz::openbmc_project::User::Common::Error::NoResource; 102 using Argument = xyz::openbmc_project::Common::InvalidArgument; 103 using GroupNameExists = 104 sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameExists; 105 using GroupNameDoesNotExists = 106 sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameDoesNotExist; 107 108 namespace 109 { 110 111 // The hardcoded groups in OpenBMC projects 112 constexpr std::array<const char*, 4> predefinedGroups = { 113 "redfish", "ipmi", "ssh", "hostconsole"}; 114 115 // These prefixes are for Dynamic Redfish authorization. See 116 // https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md 117 118 // Base role and base privileges are added by Redfish implementation (e.g., 119 // BMCWeb) at compile time 120 constexpr std::array<const char*, 4> allowedGroupPrefix = { 121 "openbmc_rfr_", // OpenBMC Redfish Base Role 122 "openbmc_rfp_", // OpenBMC Redfish Base Privileges 123 "openbmc_orfr_", // OpenBMC Redfish OEM Role 124 "openbmc_orfp_", // OpenBMC Redfish OEM Privileges 125 }; 126 127 void checkAndThrowsForGroupChangeAllowed(const std::string& groupName) 128 { 129 bool allowed = false; 130 for (std::string_view prefix : allowedGroupPrefix) 131 { 132 if (groupName.starts_with(prefix)) 133 { 134 allowed = true; 135 break; 136 } 137 } 138 if (!allowed) 139 { 140 lg2::error("Group name '{GROUP}' is not in the allowed list", "GROUP", 141 groupName); 142 elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"), 143 Argument::ARGUMENT_VALUE(groupName.c_str())); 144 } 145 } 146 147 } // namespace 148 149 std::string getCSVFromVector(std::span<const std::string> vec) 150 { 151 if (vec.empty()) 152 { 153 return ""; 154 } 155 return std::accumulate(std::next(vec.begin()), vec.end(), vec[0], 156 [](std::string&& val, std::string_view element) { 157 val += ','; 158 val += element; 159 return val; 160 }); 161 } 162 163 bool removeStringFromCSV(std::string& csvStr, const std::string& delStr) 164 { 165 std::string::size_type delStrPos = csvStr.find(delStr); 166 if (delStrPos != std::string::npos) 167 { 168 // need to also delete the comma char 169 if (delStrPos == 0) 170 { 171 csvStr.erase(delStrPos, delStr.size() + 1); 172 } 173 else 174 { 175 csvStr.erase(delStrPos - 1, delStr.size() + 1); 176 } 177 return true; 178 } 179 return false; 180 } 181 182 bool UserMgr::isUserExist(const std::string& userName) 183 { 184 if (userName.empty()) 185 { 186 lg2::error("User name is empty"); 187 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), 188 Argument::ARGUMENT_VALUE("Null")); 189 } 190 if (usersList.find(userName) == usersList.end()) 191 { 192 return false; 193 } 194 return true; 195 } 196 197 void UserMgr::throwForUserDoesNotExist(const std::string& userName) 198 { 199 if (!isUserExist(userName)) 200 { 201 lg2::error("User '{USERNAME}' does not exist", "USERNAME", userName); 202 elog<UserNameDoesNotExist>(); 203 } 204 } 205 206 void UserMgr::checkAndThrowForDisallowedGroupCreation( 207 const std::string& groupName) 208 { 209 if (groupName.size() > maxSystemGroupNameLength || 210 !std::regex_match(groupName.c_str(), 211 std::regex("[a-zA-Z_][a-zA-Z_0-9]*"))) 212 { 213 lg2::error("Invalid group name '{GROUP}'", "GROUP", groupName); 214 elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"), 215 Argument::ARGUMENT_VALUE(groupName.c_str())); 216 } 217 checkAndThrowsForGroupChangeAllowed(groupName); 218 } 219 220 void UserMgr::throwForUserExists(const std::string& userName) 221 { 222 if (isUserExist(userName)) 223 { 224 lg2::error("User '{USERNAME}' already exists", "USERNAME", userName); 225 elog<UserNameExists>(); 226 } 227 } 228 229 void UserMgr::throwForUserNameConstraints( 230 const std::string& userName, const std::vector<std::string>& groupNames) 231 { 232 if (std::find(groupNames.begin(), groupNames.end(), "ipmi") != 233 groupNames.end()) 234 { 235 if (userName.length() > ipmiMaxUserNameLen) 236 { 237 lg2::error("User '{USERNAME}' exceeds IPMI username length limit " 238 "({LENGTH} > {LIMIT})", 239 "USERNAME", userName, "LENGTH", userName.length(), 240 "LIMIT", ipmiMaxUserNameLen); 241 elog<UserNameGroupFail>( 242 xyz::openbmc_project::User::Common::UserNameGroupFail::REASON( 243 "IPMI length")); 244 } 245 } 246 if (userName.length() > systemMaxUserNameLen) 247 { 248 lg2::error("User '{USERNAME}' exceeds system username length limit " 249 "({LENGTH} > {LIMIT})", 250 "USERNAME", userName, "LENGTH", userName.length(), "LIMIT", 251 systemMaxUserNameLen); 252 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), 253 Argument::ARGUMENT_VALUE("Invalid length")); 254 } 255 if (!std::regex_match(userName.c_str(), 256 std::regex("[a-zA-Z_][a-zA-Z_0-9]*"))) 257 { 258 lg2::error("Invalid username '{USERNAME}'", "USERNAME", userName); 259 elog<InvalidArgument>(Argument::ARGUMENT_NAME("User name"), 260 Argument::ARGUMENT_VALUE("Invalid data")); 261 } 262 } 263 264 void UserMgr::throwForMaxGrpUserCount( 265 const std::vector<std::string>& groupNames) 266 { 267 if (std::find(groupNames.begin(), groupNames.end(), "ipmi") != 268 groupNames.end()) 269 { 270 if (getIpmiUsersCount() >= ipmiMaxUsers) 271 { 272 lg2::error("IPMI user limit reached"); 273 elog<NoResource>( 274 xyz::openbmc_project::User::Common::NoResource::REASON( 275 "IPMI user limit reached")); 276 } 277 } 278 else 279 { 280 if (usersList.size() > 0 && (usersList.size() - getIpmiUsersCount()) >= 281 (maxSystemUsers - ipmiMaxUsers)) 282 { 283 lg2::error("Non-ipmi User limit reached"); 284 elog<NoResource>( 285 xyz::openbmc_project::User::Common::NoResource::REASON( 286 "Non-ipmi user limit reached")); 287 } 288 } 289 return; 290 } 291 292 void UserMgr::throwForInvalidPrivilege(const std::string& priv) 293 { 294 if (!priv.empty() && 295 (std::find(privMgr.begin(), privMgr.end(), priv) == privMgr.end())) 296 { 297 lg2::error("Invalid privilege '{PRIVILEGE}'", "PRIVILEGE", priv); 298 elog<InvalidArgument>(Argument::ARGUMENT_NAME("Privilege"), 299 Argument::ARGUMENT_VALUE(priv.c_str())); 300 } 301 } 302 303 void UserMgr::throwForInvalidGroups(const std::vector<std::string>& groupNames) 304 { 305 for (auto& group : groupNames) 306 { 307 if (std::find(groupsMgr.begin(), groupsMgr.end(), group) == 308 groupsMgr.end()) 309 { 310 lg2::error("Invalid Group Name '{GROUPNAME}'", "GROUPNAME", group); 311 elog<InvalidArgument>(Argument::ARGUMENT_NAME("GroupName"), 312 Argument::ARGUMENT_VALUE(group.c_str())); 313 } 314 } 315 } 316 317 std::vector<std::string> UserMgr::readAllGroupsOnSystem() 318 { 319 std::vector<std::string> allGroups = {predefinedGroups.begin(), 320 predefinedGroups.end()}; 321 // rewinds to the beginning of the group database 322 setgrent(); 323 struct group* gr = getgrent(); 324 while (gr != nullptr) 325 { 326 std::string group(gr->gr_name); 327 for (std::string_view prefix : allowedGroupPrefix) 328 { 329 if (group.starts_with(prefix)) 330 { 331 allGroups.push_back(gr->gr_name); 332 } 333 } 334 gr = getgrent(); 335 } 336 // close the group database 337 endgrent(); 338 return allGroups; 339 } 340 341 void UserMgr::createUser(std::string userName, 342 std::vector<std::string> groupNames, std::string priv, 343 bool enabled) 344 { 345 throwForInvalidPrivilege(priv); 346 throwForInvalidGroups(groupNames); 347 // All user management lock has to be based on /etc/shadow 348 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 349 throwForUserExists(userName); 350 throwForUserNameConstraints(userName, groupNames); 351 throwForMaxGrpUserCount(groupNames); 352 353 std::string groups = getCSVFromVector(groupNames); 354 bool sshRequested = removeStringFromCSV(groups, grpSsh); 355 356 // treat privilege as a group - This is to avoid using different file to 357 // store the same. 358 if (!priv.empty()) 359 { 360 if (groups.size() != 0) 361 { 362 groups += ","; 363 } 364 groups += priv; 365 } 366 try 367 { 368 executeUserAdd(userName.c_str(), groups.c_str(), sshRequested, enabled); 369 } 370 catch (const InternalFailure& e) 371 { 372 lg2::error("Unable to create new user '{USERNAME}'", "USERNAME", 373 userName); 374 elog<InternalFailure>(); 375 } 376 377 // Add the users object before sending out the signal 378 sdbusplus::message::object_path tempObjPath(usersObjPath); 379 tempObjPath /= userName; 380 std::string userObj(tempObjPath); 381 std::sort(groupNames.begin(), groupNames.end()); 382 usersList.emplace( 383 userName, std::make_unique<phosphor::user::Users>( 384 bus, userObj.c_str(), groupNames, priv, enabled, *this)); 385 386 lg2::info("User '{USERNAME}' created successfully", "USERNAME", userName); 387 return; 388 } 389 390 void UserMgr::deleteUser(std::string userName) 391 { 392 // All user management lock has to be based on /etc/shadow 393 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 394 throwForUserDoesNotExist(userName); 395 try 396 { 397 // Clear user fail records 398 executeUserClearFailRecords(userName.c_str()); 399 400 executeUserDelete(userName.c_str()); 401 } 402 catch (const InternalFailure& e) 403 { 404 lg2::error("Delete User '{USERNAME}' failed", "USERNAME", userName); 405 elog<InternalFailure>(); 406 } 407 408 usersList.erase(userName); 409 410 lg2::info("User '{USERNAME}' deleted successfully", "USERNAME", userName); 411 return; 412 } 413 414 void UserMgr::checkDeleteGroupConstraints(const std::string& groupName) 415 { 416 if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) == 417 groupsMgr.end()) 418 { 419 lg2::error("Group '{GROUP}' already exists", "GROUP", groupName); 420 elog<GroupNameDoesNotExists>(); 421 } 422 checkAndThrowsForGroupChangeAllowed(groupName); 423 } 424 425 void UserMgr::deleteGroup(std::string groupName) 426 { 427 checkDeleteGroupConstraints(groupName); 428 try 429 { 430 executeGroupDeletion(groupName.c_str()); 431 } 432 catch (const InternalFailure& e) 433 { 434 lg2::error("Failed to delete group '{GROUP}'", "GROUP", groupName); 435 elog<InternalFailure>(); 436 } 437 438 groupsMgr.erase(std::find(groupsMgr.begin(), groupsMgr.end(), groupName)); 439 UserMgrIface::allGroups(groupsMgr); 440 lg2::info("Successfully deleted group '{GROUP}'", "GROUP", groupName); 441 } 442 443 void UserMgr::checkCreateGroupConstraints(const std::string& groupName) 444 { 445 if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) != 446 groupsMgr.end()) 447 { 448 lg2::error("Group '{GROUP}' already exists", "GROUP", groupName); 449 elog<GroupNameExists>(); 450 } 451 checkAndThrowForDisallowedGroupCreation(groupName); 452 if (groupsMgr.size() >= maxSystemGroupCount) 453 { 454 lg2::error("Group limit reached"); 455 elog<NoResource>(xyz::openbmc_project::User::Common::NoResource::REASON( 456 "Group limit reached")); 457 } 458 } 459 460 void UserMgr::createGroup(std::string groupName) 461 { 462 checkCreateGroupConstraints(groupName); 463 try 464 { 465 executeGroupCreation(groupName.c_str()); 466 } 467 catch (const InternalFailure& e) 468 { 469 lg2::error("Failed to create group '{GROUP}'", "GROUP", groupName); 470 elog<InternalFailure>(); 471 } 472 groupsMgr.push_back(groupName); 473 UserMgrIface::allGroups(groupsMgr); 474 } 475 476 void UserMgr::renameUser(std::string userName, std::string newUserName) 477 { 478 // All user management lock has to be based on /etc/shadow 479 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 480 throwForUserDoesNotExist(userName); 481 throwForUserExists(newUserName); 482 throwForUserNameConstraints(newUserName, 483 usersList[userName].get()->userGroups()); 484 try 485 { 486 executeUserRename(userName.c_str(), newUserName.c_str()); 487 } 488 catch (const InternalFailure& e) 489 { 490 lg2::error("Rename '{USERNAME}' to '{NEWUSERNAME}' failed", "USERNAME", 491 userName, "NEWUSERNAME", newUserName); 492 elog<InternalFailure>(); 493 } 494 const auto& user = usersList[userName]; 495 std::string priv = user.get()->userPrivilege(); 496 std::vector<std::string> groupNames = user.get()->userGroups(); 497 bool enabled = user.get()->userEnabled(); 498 sdbusplus::message::object_path tempObjPath(usersObjPath); 499 tempObjPath /= newUserName; 500 std::string newUserObj(tempObjPath); 501 // Special group 'ipmi' needs a way to identify user renamed, in order to 502 // update encrypted password. It can't rely only on InterfacesRemoved & 503 // InterfacesAdded. So first send out userRenamed signal. 504 this->userRenamed(userName, newUserName); 505 usersList.erase(userName); 506 usersList.emplace(newUserName, std::make_unique<phosphor::user::Users>( 507 bus, newUserObj.c_str(), groupNames, 508 priv, enabled, *this)); 509 return; 510 } 511 512 void UserMgr::updateGroupsAndPriv(const std::string& userName, 513 std::vector<std::string> groupNames, 514 const std::string& priv) 515 { 516 throwForInvalidPrivilege(priv); 517 throwForInvalidGroups(groupNames); 518 // All user management lock has to be based on /etc/shadow 519 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 520 throwForUserDoesNotExist(userName); 521 const std::vector<std::string>& oldGroupNames = 522 usersList[userName].get()->userGroups(); 523 std::vector<std::string> groupDiff; 524 // Note: already dealing with sorted group lists. 525 std::set_symmetric_difference(oldGroupNames.begin(), oldGroupNames.end(), 526 groupNames.begin(), groupNames.end(), 527 std::back_inserter(groupDiff)); 528 if (std::find(groupDiff.begin(), groupDiff.end(), "ipmi") != 529 groupDiff.end()) 530 { 531 throwForUserNameConstraints(userName, groupNames); 532 throwForMaxGrpUserCount(groupNames); 533 } 534 535 std::string groups = getCSVFromVector(groupNames); 536 bool sshRequested = removeStringFromCSV(groups, grpSsh); 537 538 // treat privilege as a group - This is to avoid using different file to 539 // store the same. 540 if (!priv.empty()) 541 { 542 if (groups.size() != 0) 543 { 544 groups += ","; 545 } 546 groups += priv; 547 } 548 try 549 { 550 executeUserModify(userName.c_str(), groups.c_str(), sshRequested); 551 } 552 catch (const InternalFailure& e) 553 { 554 lg2::error( 555 "Unable to modify user privilege / groups for user '{USERNAME}'", 556 "USERNAME", userName); 557 elog<InternalFailure>(); 558 } 559 560 std::sort(groupNames.begin(), groupNames.end()); 561 usersList[userName]->setUserGroups(groupNames); 562 usersList[userName]->setUserPrivilege(priv); 563 lg2::info("User '{USERNAME}' groups / privilege updated successfully", 564 "USERNAME", userName); 565 } 566 567 uint8_t UserMgr::minPasswordLength(uint8_t value) 568 { 569 if (value == AccountPolicyIface::minPasswordLength()) 570 { 571 return value; 572 } 573 if (value < minPasswdLength) 574 { 575 lg2::error("Attempting to set minPasswordLength to {VALUE}, less than " 576 "{MINVALUE}", 577 "VALUE", value, "MINVALUE", minPasswdLength); 578 elog<InvalidArgument>( 579 Argument::ARGUMENT_NAME("minPasswordLength"), 580 Argument::ARGUMENT_VALUE(std::to_string(value).c_str())); 581 } 582 if (setPamModuleConfValue(pwQualityConfigFile, minPasswdLenProp, 583 std::to_string(value)) != success) 584 { 585 lg2::error("Unable to set minPasswordLength to {VALUE}", "VALUE", 586 value); 587 elog<InternalFailure>(); 588 } 589 return AccountPolicyIface::minPasswordLength(value); 590 } 591 592 uint8_t UserMgr::rememberOldPasswordTimes(uint8_t value) 593 { 594 if (value == AccountPolicyIface::rememberOldPasswordTimes()) 595 { 596 return value; 597 } 598 if (setPamModuleConfValue(pwHistoryConfigFile, remOldPasswdCount, 599 std::to_string(value)) != success) 600 { 601 lg2::error("Unable to set rememberOldPasswordTimes to {VALUE}", "VALUE", 602 value); 603 elog<InternalFailure>(); 604 } 605 return AccountPolicyIface::rememberOldPasswordTimes(value); 606 } 607 608 uint16_t UserMgr::maxLoginAttemptBeforeLockout(uint16_t value) 609 { 610 if (value == AccountPolicyIface::maxLoginAttemptBeforeLockout()) 611 { 612 return value; 613 } 614 if (setPamModuleConfValue(faillockConfigFile, maxFailedAttempt, 615 std::to_string(value)) != success) 616 { 617 lg2::error("Unable to set maxLoginAttemptBeforeLockout to {VALUE}", 618 "VALUE", value); 619 elog<InternalFailure>(); 620 } 621 return AccountPolicyIface::maxLoginAttemptBeforeLockout(value); 622 } 623 624 uint32_t UserMgr::accountUnlockTimeout(uint32_t value) 625 { 626 if (value == AccountPolicyIface::accountUnlockTimeout()) 627 { 628 return value; 629 } 630 if (setPamModuleConfValue(faillockConfigFile, unlockTimeout, 631 std::to_string(value)) != success) 632 { 633 lg2::error("Unable to set accountUnlockTimeout to {VALUE}", "VALUE", 634 value); 635 elog<InternalFailure>(); 636 } 637 return AccountPolicyIface::accountUnlockTimeout(value); 638 } 639 640 int UserMgr::getPamModuleConfValue(const std::string& confFile, 641 const std::string& argName, 642 std::string& argValue) 643 { 644 std::ifstream fileToRead(confFile, std::ios::in); 645 if (!fileToRead.is_open()) 646 { 647 lg2::error("Failed to open pam configuration file {FILENAME}", 648 "FILENAME", confFile); 649 return failure; 650 } 651 std::string line; 652 auto argSearch = argName + "="; 653 size_t startPos = 0; 654 size_t endPos = 0; 655 while (getline(fileToRead, line)) 656 { 657 // skip comments section starting with # 658 if ((startPos = line.find('#')) != std::string::npos) 659 { 660 if (startPos == 0) 661 { 662 continue; 663 } 664 // skip comments after meaningful section and process those 665 line = line.substr(0, startPos); 666 } 667 if ((startPos = line.find(argSearch)) != std::string::npos) 668 { 669 if ((endPos = line.find(' ', startPos)) == std::string::npos) 670 { 671 endPos = line.size(); 672 } 673 startPos += argSearch.size(); 674 argValue = line.substr(startPos, endPos - startPos); 675 return success; 676 } 677 } 678 return failure; 679 } 680 681 int UserMgr::setPamModuleConfValue(const std::string& confFile, 682 const std::string& argName, 683 const std::string& argValue) 684 { 685 std::string tmpConfFile = confFile + "_tmp"; 686 std::ifstream fileToRead(confFile, std::ios::in); 687 std::ofstream fileToWrite(tmpConfFile, std::ios::out); 688 if (!fileToRead.is_open() || !fileToWrite.is_open()) 689 { 690 lg2::error("Failed to open pam configuration file {FILENAME}", 691 "FILENAME", confFile); 692 // Delete the unused tmp file 693 std::remove(tmpConfFile.c_str()); 694 return failure; 695 } 696 std::string line; 697 auto argSearch = argName + "="; 698 size_t startPos = 0; 699 size_t endPos = 0; 700 bool found = false; 701 while (getline(fileToRead, line)) 702 { 703 // skip comments section starting with # 704 if ((startPos = line.find('#')) != std::string::npos) 705 { 706 if (startPos == 0) 707 { 708 fileToWrite << line << std::endl; 709 continue; 710 } 711 // skip comments after meaningful section and process those 712 line = line.substr(0, startPos); 713 } 714 if ((startPos = line.find(argSearch)) != std::string::npos) 715 { 716 if ((endPos = line.find(' ', startPos)) == std::string::npos) 717 { 718 endPos = line.size(); 719 } 720 startPos += argSearch.size(); 721 fileToWrite << line.substr(0, startPos) << argValue 722 << line.substr(endPos, line.size() - endPos) 723 << std::endl; 724 found = true; 725 continue; 726 } 727 fileToWrite << line << std::endl; 728 } 729 fileToWrite.close(); 730 fileToRead.close(); 731 if (found) 732 { 733 if (std::rename(tmpConfFile.c_str(), confFile.c_str()) == 0) 734 { 735 return success; 736 } 737 } 738 // No changes, so delete the unused tmp file 739 std::remove(tmpConfFile.c_str()); 740 return failure; 741 } 742 743 void UserMgr::userEnable(const std::string& userName, bool enabled) 744 { 745 // All user management lock has to be based on /etc/shadow 746 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 747 throwForUserDoesNotExist(userName); 748 try 749 { 750 executeUserModifyUserEnable(userName.c_str(), enabled); 751 } 752 catch (const InternalFailure& e) 753 { 754 lg2::error("Unable to modify user enabled state for '{USERNAME}'", 755 "USERNAME", userName); 756 elog<InternalFailure>(); 757 } 758 759 usersList[userName]->setUserEnabled(enabled); 760 lg2::info("User '{USERNAME}' has been {STATUS}", "USERNAME", userName, 761 "STATUS", enabled ? "Enabled" : "Disabled"); 762 } 763 764 /** 765 * faillock app will provide the user failed login list with when the attempt 766 * was made, the type, the source, and if it's valid. 767 * 768 * Valid in this case means that the attempt was made within the fail_interval 769 * time. So, we can check this list for the number of valid entries (lines 770 * ending with 'V') compared to the maximum allowed to determine if the user is 771 * locked out. 772 * 773 * This data is only refreshed when an attempt is made, so if the user appears 774 * to be locked out, we must also check if the most recent attempt was older 775 * than the unlock_time to know if the user has since been unlocked. 776 **/ 777 bool UserMgr::parseFaillockForLockout( 778 const std::vector<std::string>& faillockOutput) 779 { 780 uint16_t failAttempts = 0; 781 time_t lastFailedAttempt{}; 782 for (const std::string& line : faillockOutput) 783 { 784 if (!line.ends_with("V")) 785 { 786 continue; 787 } 788 789 // Count this failed attempt 790 failAttempts++; 791 792 // Update the last attempt time 793 // First get the "when" which is the first two words (date and time) 794 size_t pos = line.find(" "); 795 if (pos == std::string::npos) 796 { 797 continue; 798 } 799 pos = line.find(" ", pos + 1); 800 if (pos == std::string::npos) 801 { 802 continue; 803 } 804 std::string failDateTime = line.substr(0, pos); 805 806 // NOTE: Cannot use std::get_time() here as the implementation of %y in 807 // libstdc++ does not match POSIX strptime() before gcc 12.1.0 808 // https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=a8d3c98746098e2784be7144c1ccc9fcc34a0888 809 std::tm tmStruct = {}; 810 if (!strptime(failDateTime.c_str(), "%F %T", &tmStruct)) 811 { 812 lg2::error("Failed to parse latest failure date/time"); 813 elog<InternalFailure>(); 814 } 815 816 time_t failTimestamp = std::mktime(&tmStruct); 817 lastFailedAttempt = std::max(failTimestamp, lastFailedAttempt); 818 } 819 820 if (failAttempts < AccountPolicyIface::maxLoginAttemptBeforeLockout()) 821 { 822 return false; 823 } 824 825 if (lastFailedAttempt + 826 static_cast<time_t>(AccountPolicyIface::accountUnlockTimeout()) <= 827 std::time(NULL)) 828 { 829 return false; 830 } 831 832 return true; 833 } 834 835 bool UserMgr::userLockedForFailedAttempt(const std::string& userName) 836 { 837 // All user management lock has to be based on /etc/shadow 838 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 839 if (AccountPolicyIface::maxLoginAttemptBeforeLockout() == 0) 840 { 841 return false; 842 } 843 844 std::vector<std::string> output; 845 try 846 { 847 output = getFailedAttempt(userName.c_str()); 848 } 849 catch (const InternalFailure& e) 850 { 851 lg2::error("Unable to read login failure counter"); 852 elog<InternalFailure>(); 853 } 854 855 return parseFaillockForLockout(output); 856 } 857 858 bool UserMgr::userLockedForFailedAttempt(const std::string& userName, 859 const bool& value) 860 { 861 // All user management lock has to be based on /etc/shadow 862 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 863 if (value == true) 864 { 865 return userLockedForFailedAttempt(userName); 866 } 867 868 try 869 { 870 // Clear user fail records 871 executeUserClearFailRecords(userName.c_str()); 872 } 873 catch (const InternalFailure& e) 874 { 875 lg2::error("Unable to reset login failure counter"); 876 elog<InternalFailure>(); 877 } 878 879 return userLockedForFailedAttempt(userName); 880 } 881 882 bool UserMgr::userPasswordExpired(const std::string& userName) 883 { 884 // All user management lock has to be based on /etc/shadow 885 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 886 887 struct spwd spwd 888 {}; 889 struct spwd* spwdPtr = nullptr; 890 auto buflen = sysconf(_SC_GETPW_R_SIZE_MAX); 891 if (buflen <= 0) 892 { 893 // Use a default size if there is no hard limit suggested by sysconf() 894 buflen = 1024; 895 } 896 std::vector<char> buffer(buflen); 897 auto status = 898 getspnam_r(userName.c_str(), &spwd, buffer.data(), buflen, &spwdPtr); 899 // On success, getspnam_r() returns zero, and sets *spwdPtr to spwd. 900 // If no matching password record was found, these functions return 0 901 // and store NULL in *spwdPtr 902 if ((status == 0) && (&spwd == spwdPtr)) 903 { 904 // Determine password validity per "chage" docs, where: 905 // spwd.sp_lstchg == 0 means password is expired, and 906 // spwd.sp_max == -1 means the password does not expire. 907 constexpr long secondsPerDay = 60 * 60 * 24; 908 long today = static_cast<long>(time(NULL)) / secondsPerDay; 909 if ((spwd.sp_lstchg == 0) || 910 ((spwd.sp_max != -1) && ((spwd.sp_max + spwd.sp_lstchg) < today))) 911 { 912 return true; 913 } 914 } 915 else 916 { 917 // User entry is missing in /etc/shadow, indicating no SHA password. 918 // Treat this as new user without password entry in /etc/shadow 919 // TODO: Add property to indicate user password was not set yet 920 // https://github.com/openbmc/phosphor-user-manager/issues/8 921 return false; 922 } 923 924 return false; 925 } 926 927 UserSSHLists UserMgr::getUserAndSshGrpList() 928 { 929 // All user management lock has to be based on /etc/shadow 930 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 931 932 std::vector<std::string> userList; 933 std::vector<std::string> sshUsersList; 934 struct passwd pw, *pwp = nullptr; 935 std::array<char, 1024> buffer{}; 936 937 phosphor::user::File passwd(passwdFileName, "r"); 938 if ((passwd)() == NULL) 939 { 940 lg2::error("Error opening {FILENAME}", "FILENAME", passwdFileName); 941 elog<InternalFailure>(); 942 } 943 944 while (true) 945 { 946 auto r = fgetpwent_r((passwd)(), &pw, buffer.data(), buffer.max_size(), 947 &pwp); 948 if ((r != 0) || (pwp == NULL)) 949 { 950 // Any error, break the loop. 951 break; 952 } 953 #ifdef ENABLE_ROOT_USER_MGMT 954 // Add all users whose UID >= 1000 and < 65534 955 // and special UID 0. 956 if ((pwp->pw_uid == 0) || 957 ((pwp->pw_uid >= 1000) && (pwp->pw_uid < 65534))) 958 #else 959 // Add all users whose UID >=1000 and < 65534 960 if ((pwp->pw_uid >= 1000) && (pwp->pw_uid < 65534)) 961 #endif 962 { 963 std::string userName(pwp->pw_name); 964 userList.emplace_back(userName); 965 966 // ssh doesn't have separate group. Check login shell entry to 967 // get all users list which are member of ssh group. 968 std::string loginShell(pwp->pw_shell); 969 if (loginShell == "/bin/sh") 970 { 971 sshUsersList.emplace_back(userName); 972 } 973 } 974 } 975 endpwent(); 976 return std::make_pair(std::move(userList), std::move(sshUsersList)); 977 } 978 979 size_t UserMgr::getIpmiUsersCount() 980 { 981 std::vector<std::string> userList = getUsersInGroup("ipmi"); 982 return userList.size(); 983 } 984 985 size_t UserMgr::getNonIpmiUsersCount() 986 { 987 std::vector<std::string> ipmiUsers = getUsersInGroup("ipmi"); 988 return usersList.size() - ipmiUsers.size(); 989 } 990 991 bool UserMgr::isUserEnabled(const std::string& userName) 992 { 993 // All user management lock has to be based on /etc/shadow 994 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 995 std::array<char, 4096> buffer{}; 996 struct spwd spwd; 997 struct spwd* resultPtr = nullptr; 998 int status = getspnam_r(userName.c_str(), &spwd, buffer.data(), 999 buffer.max_size(), &resultPtr); 1000 if (!status && (&spwd == resultPtr)) 1001 { 1002 if (resultPtr->sp_expire >= 0) 1003 { 1004 return false; // user locked out 1005 } 1006 return true; 1007 } 1008 return false; // assume user is disabled for any error. 1009 } 1010 1011 std::vector<std::string> UserMgr::getUsersInGroup(const std::string& groupName) 1012 { 1013 std::vector<std::string> usersInGroup; 1014 // Should be more than enough to get the pwd structure. 1015 std::array<char, 4096> buffer{}; 1016 struct group grp; 1017 struct group* resultPtr = nullptr; 1018 1019 int status = getgrnam_r(groupName.c_str(), &grp, buffer.data(), 1020 buffer.max_size(), &resultPtr); 1021 1022 if (!status && (&grp == resultPtr)) 1023 { 1024 for (; *(grp.gr_mem) != NULL; ++(grp.gr_mem)) 1025 { 1026 usersInGroup.emplace_back(*(grp.gr_mem)); 1027 } 1028 } 1029 else 1030 { 1031 lg2::error("Group '{GROUPNAME}' not found", "GROUPNAME", groupName); 1032 // Don't throw error, just return empty userList - fallback 1033 } 1034 return usersInGroup; 1035 } 1036 1037 DbusUserObj UserMgr::getPrivilegeMapperObject(void) 1038 { 1039 DbusUserObj objects; 1040 try 1041 { 1042 std::string basePath = "/xyz/openbmc_project/user/ldap/openldap"; 1043 std::string interface = "xyz.openbmc_project.User.Ldap.Config"; 1044 1045 auto ldapMgmtService = 1046 getServiceName(std::move(basePath), std::move(interface)); 1047 auto method = bus.new_method_call( 1048 ldapMgmtService.c_str(), ldapMgrObjBasePath, 1049 "org.freedesktop.DBus.ObjectManager", "GetManagedObjects"); 1050 1051 auto reply = bus.call(method); 1052 reply.read(objects); 1053 } 1054 catch (const InternalFailure& e) 1055 { 1056 lg2::error("Unable to get the User Service: {ERR}", "ERR", e); 1057 throw; 1058 } 1059 catch (const sdbusplus::exception_t& e) 1060 { 1061 lg2::error("Failed to execute GetManagedObjects at {PATH}: {ERR}", 1062 "PATH", ldapMgrObjBasePath, "ERR", e); 1063 throw; 1064 } 1065 return objects; 1066 } 1067 1068 std::string UserMgr::getServiceName(std::string&& path, std::string&& intf) 1069 { 1070 auto mapperCall = bus.new_method_call(objMapperService, objMapperPath, 1071 objMapperInterface, "GetObject"); 1072 1073 mapperCall.append(std::move(path)); 1074 mapperCall.append(std::vector<std::string>({std::move(intf)})); 1075 1076 auto mapperResponseMsg = bus.call(mapperCall); 1077 1078 if (mapperResponseMsg.is_method_error()) 1079 { 1080 lg2::error("Error in mapper call"); 1081 elog<InternalFailure>(); 1082 } 1083 1084 std::map<std::string, std::vector<std::string>> mapperResponse; 1085 mapperResponseMsg.read(mapperResponse); 1086 1087 if (mapperResponse.begin() == mapperResponse.end()) 1088 { 1089 lg2::error("Invalid response from mapper"); 1090 elog<InternalFailure>(); 1091 } 1092 1093 return mapperResponse.begin()->first; 1094 } 1095 1096 gid_t UserMgr::getPrimaryGroup(const std::string& userName) const 1097 { 1098 static auto buflen = sysconf(_SC_GETPW_R_SIZE_MAX); 1099 if (buflen <= 0) 1100 { 1101 // Use a default size if there is no hard limit suggested by sysconf() 1102 buflen = 1024; 1103 } 1104 1105 struct passwd pwd; 1106 struct passwd* pwdPtr = nullptr; 1107 std::vector<char> buffer(buflen); 1108 1109 auto status = getpwnam_r(userName.c_str(), &pwd, buffer.data(), 1110 buffer.size(), &pwdPtr); 1111 // On success, getpwnam_r() returns zero, and set *pwdPtr to pwd. 1112 // If no matching password record was found, these functions return 0 1113 // and store NULL in *pwdPtr 1114 if (!status && (&pwd == pwdPtr)) 1115 { 1116 return pwd.pw_gid; 1117 } 1118 1119 lg2::error("User {USERNAME} does not exist", "USERNAME", userName); 1120 elog<UserNameDoesNotExist>(); 1121 } 1122 1123 bool UserMgr::isGroupMember(const std::string& userName, gid_t primaryGid, 1124 const std::string& groupName) const 1125 { 1126 static auto buflen = sysconf(_SC_GETGR_R_SIZE_MAX); 1127 if (buflen <= 0) 1128 { 1129 // Use a default size if there is no hard limit suggested by sysconf() 1130 buflen = 1024; 1131 } 1132 1133 struct group grp; 1134 struct group* grpPtr = nullptr; 1135 std::vector<char> buffer(buflen); 1136 1137 auto status = getgrnam_r(groupName.c_str(), &grp, buffer.data(), 1138 buffer.size(), &grpPtr); 1139 1140 // Groups with a lot of members may require a buffer of bigger size than 1141 // suggested by _SC_GETGR_R_SIZE_MAX. 1142 // 32K should be enough for about 2K members. 1143 constexpr auto maxBufferLength = 32 * 1024; 1144 while (status == ERANGE && buflen < maxBufferLength) 1145 { 1146 buflen *= 2; 1147 buffer.resize(buflen); 1148 1149 lg2::debug("Increase buffer for getgrnam_r() to {SIZE}", "SIZE", 1150 buflen); 1151 1152 status = getgrnam_r(groupName.c_str(), &grp, buffer.data(), 1153 buffer.size(), &grpPtr); 1154 } 1155 1156 // On success, getgrnam_r() returns zero, and set *grpPtr to grp. 1157 // If no matching group record was found, these functions return 0 1158 // and store NULL in *grpPtr 1159 if (!status && (&grp == grpPtr)) 1160 { 1161 if (primaryGid == grp.gr_gid) 1162 { 1163 return true; 1164 } 1165 1166 for (auto i = 0; grp.gr_mem && grp.gr_mem[i]; ++i) 1167 { 1168 if (userName == grp.gr_mem[i]) 1169 { 1170 return true; 1171 } 1172 } 1173 } 1174 else if (status == ERANGE) 1175 { 1176 lg2::error("Group info of {GROUP} requires too much memory", "GROUP", 1177 groupName); 1178 } 1179 else 1180 { 1181 lg2::error("Group {GROUP} does not exist", "GROUP", groupName); 1182 } 1183 1184 return false; 1185 } 1186 1187 void UserMgr::executeGroupCreation(const char* groupName) 1188 { 1189 executeCmd("/usr/sbin/groupadd", groupName); 1190 } 1191 1192 void UserMgr::executeGroupDeletion(const char* groupName) 1193 { 1194 executeCmd("/usr/sbin/groupdel", groupName); 1195 } 1196 1197 UserInfoMap UserMgr::getUserInfo(std::string userName) 1198 { 1199 UserInfoMap userInfo; 1200 // Check whether the given user is local user or not. 1201 if (isUserExist(userName)) 1202 { 1203 const auto& user = usersList[userName]; 1204 userInfo.emplace("UserPrivilege", user.get()->userPrivilege()); 1205 userInfo.emplace("UserGroups", user.get()->userGroups()); 1206 userInfo.emplace("UserEnabled", user.get()->userEnabled()); 1207 userInfo.emplace("UserLockedForFailedAttempt", 1208 user.get()->userLockedForFailedAttempt()); 1209 userInfo.emplace("UserPasswordExpired", 1210 user.get()->userPasswordExpired()); 1211 userInfo.emplace("RemoteUser", false); 1212 } 1213 else 1214 { 1215 auto primaryGid = getPrimaryGroup(userName); 1216 1217 DbusUserObj objects = getPrivilegeMapperObject(); 1218 1219 std::string ldapConfigPath; 1220 std::string userPrivilege; 1221 1222 try 1223 { 1224 for (const auto& [path, interfaces] : objects) 1225 { 1226 auto it = interfaces.find("xyz.openbmc_project.Object.Enable"); 1227 if (it != interfaces.end()) 1228 { 1229 auto propIt = it->second.find("Enabled"); 1230 if (propIt != it->second.end() && 1231 std::get<bool>(propIt->second)) 1232 { 1233 ldapConfigPath = path.str + '/'; 1234 break; 1235 } 1236 } 1237 } 1238 1239 if (ldapConfigPath.empty()) 1240 { 1241 return userInfo; 1242 } 1243 1244 for (const auto& [path, interfaces] : objects) 1245 { 1246 if (!path.str.starts_with(ldapConfigPath)) 1247 { 1248 continue; 1249 } 1250 1251 auto it = interfaces.find( 1252 "xyz.openbmc_project.User.PrivilegeMapperEntry"); 1253 if (it != interfaces.end()) 1254 { 1255 std::string privilege; 1256 std::string groupName; 1257 1258 for (const auto& [propName, propValue] : it->second) 1259 { 1260 if (propName == "GroupName") 1261 { 1262 groupName = std::get<std::string>(propValue); 1263 } 1264 else if (propName == "Privilege") 1265 { 1266 privilege = std::get<std::string>(propValue); 1267 } 1268 } 1269 1270 if (!groupName.empty() && !privilege.empty() && 1271 isGroupMember(userName, primaryGid, groupName)) 1272 { 1273 userPrivilege = privilege; 1274 break; 1275 } 1276 } 1277 if (!userPrivilege.empty()) 1278 { 1279 break; 1280 } 1281 } 1282 1283 if (!userPrivilege.empty()) 1284 { 1285 userInfo.emplace("UserPrivilege", userPrivilege); 1286 } 1287 else 1288 { 1289 lg2::warning("LDAP group privilege mapping does not exist, " 1290 "default \"priv-user\" is used"); 1291 userInfo.emplace("UserPrivilege", "priv-user"); 1292 } 1293 } 1294 catch (const std::bad_variant_access& e) 1295 { 1296 lg2::error("Error while accessing variant: {ERR}", "ERR", e); 1297 elog<InternalFailure>(); 1298 } 1299 userInfo.emplace("RemoteUser", true); 1300 } 1301 1302 return userInfo; 1303 } 1304 1305 void UserMgr::initializeAccountPolicy() 1306 { 1307 std::string valueStr; 1308 auto value = minPasswdLength; 1309 unsigned long tmp = 0; 1310 if (getPamModuleConfValue(pwQualityConfigFile, minPasswdLenProp, 1311 valueStr) != success) 1312 { 1313 AccountPolicyIface::minPasswordLength(minPasswdLength); 1314 } 1315 else 1316 { 1317 try 1318 { 1319 tmp = std::stoul(valueStr, nullptr); 1320 if (tmp > std::numeric_limits<decltype(value)>::max()) 1321 { 1322 throw std::out_of_range("Out of range"); 1323 } 1324 value = static_cast<decltype(value)>(tmp); 1325 } 1326 catch (const std::exception& e) 1327 { 1328 lg2::error("Exception for MinPasswordLength: {ERR}", "ERR", e); 1329 throw; 1330 } 1331 AccountPolicyIface::minPasswordLength(value); 1332 } 1333 valueStr.clear(); 1334 if (getPamModuleConfValue(pwHistoryConfigFile, remOldPasswdCount, 1335 valueStr) != success) 1336 { 1337 AccountPolicyIface::rememberOldPasswordTimes(0); 1338 } 1339 else 1340 { 1341 value = 0; 1342 try 1343 { 1344 tmp = std::stoul(valueStr, nullptr); 1345 if (tmp > std::numeric_limits<decltype(value)>::max()) 1346 { 1347 throw std::out_of_range("Out of range"); 1348 } 1349 value = static_cast<decltype(value)>(tmp); 1350 } 1351 catch (const std::exception& e) 1352 { 1353 lg2::error("Exception for RememberOldPasswordTimes: {ERR}", "ERR", 1354 e); 1355 throw; 1356 } 1357 AccountPolicyIface::rememberOldPasswordTimes(value); 1358 } 1359 valueStr.clear(); 1360 if (getPamModuleConfValue(faillockConfigFile, maxFailedAttempt, valueStr) != 1361 success) 1362 { 1363 AccountPolicyIface::maxLoginAttemptBeforeLockout(0); 1364 } 1365 else 1366 { 1367 uint16_t value16 = 0; 1368 try 1369 { 1370 tmp = std::stoul(valueStr, nullptr); 1371 if (tmp > std::numeric_limits<decltype(value16)>::max()) 1372 { 1373 throw std::out_of_range("Out of range"); 1374 } 1375 value16 = static_cast<decltype(value16)>(tmp); 1376 } 1377 catch (const std::exception& e) 1378 { 1379 lg2::error("Exception for MaxLoginAttemptBeforLockout: {ERR}", 1380 "ERR", e); 1381 throw; 1382 } 1383 AccountPolicyIface::maxLoginAttemptBeforeLockout(value16); 1384 } 1385 valueStr.clear(); 1386 if (getPamModuleConfValue(faillockConfigFile, unlockTimeout, valueStr) != 1387 success) 1388 { 1389 AccountPolicyIface::accountUnlockTimeout(0); 1390 } 1391 else 1392 { 1393 uint32_t value32 = 0; 1394 try 1395 { 1396 tmp = std::stoul(valueStr, nullptr); 1397 if (tmp > std::numeric_limits<decltype(value32)>::max()) 1398 { 1399 throw std::out_of_range("Out of range"); 1400 } 1401 value32 = static_cast<decltype(value32)>(tmp); 1402 } 1403 catch (const std::exception& e) 1404 { 1405 lg2::error("Exception for AccountUnlockTimeout: {ERR}", "ERR", e); 1406 throw; 1407 } 1408 AccountPolicyIface::accountUnlockTimeout(value32); 1409 } 1410 } 1411 1412 void UserMgr::initUserObjects(void) 1413 { 1414 // All user management lock has to be based on /etc/shadow 1415 // TODO phosphor-user-manager#10 phosphor::user::shadow::Lock lock{}; 1416 std::vector<std::string> userNameList; 1417 std::vector<std::string> sshGrpUsersList; 1418 UserSSHLists userSSHLists = getUserAndSshGrpList(); 1419 userNameList = std::move(userSSHLists.first); 1420 sshGrpUsersList = std::move(userSSHLists.second); 1421 1422 if (!userNameList.empty()) 1423 { 1424 std::map<std::string, std::vector<std::string>> groupLists; 1425 // We only track users that are in the |predefinedGroups| 1426 // The other groups don't contain real BMC users. 1427 for (const char* grp : predefinedGroups) 1428 { 1429 if (grp == grpSsh) 1430 { 1431 groupLists.emplace(grp, sshGrpUsersList); 1432 } 1433 else 1434 { 1435 std::vector<std::string> grpUsersList = getUsersInGroup(grp); 1436 groupLists.emplace(grp, grpUsersList); 1437 } 1438 } 1439 for (auto& grp : privMgr) 1440 { 1441 std::vector<std::string> grpUsersList = getUsersInGroup(grp); 1442 groupLists.emplace(grp, grpUsersList); 1443 } 1444 1445 for (auto& user : userNameList) 1446 { 1447 std::vector<std::string> userGroups; 1448 std::string userPriv; 1449 for (const auto& grp : groupLists) 1450 { 1451 std::vector<std::string> tempGrp = grp.second; 1452 if (std::find(tempGrp.begin(), tempGrp.end(), user) != 1453 tempGrp.end()) 1454 { 1455 if (std::find(privMgr.begin(), privMgr.end(), grp.first) != 1456 privMgr.end()) 1457 { 1458 userPriv = grp.first; 1459 } 1460 else 1461 { 1462 userGroups.emplace_back(grp.first); 1463 } 1464 } 1465 } 1466 // Add user objects to the Users path. 1467 sdbusplus::message::object_path tempObjPath(usersObjPath); 1468 tempObjPath /= user; 1469 std::string objPath(tempObjPath); 1470 std::sort(userGroups.begin(), userGroups.end()); 1471 usersList.emplace(user, std::make_unique<phosphor::user::Users>( 1472 bus, objPath.c_str(), userGroups, 1473 userPriv, isUserEnabled(user), *this)); 1474 } 1475 } 1476 } 1477 1478 UserMgr::UserMgr(sdbusplus::bus_t& bus, const char* path) : 1479 Ifaces(bus, path, Ifaces::action::defer_emit), bus(bus), path(path), 1480 faillockConfigFile(defaultFaillockConfigFile), 1481 pwHistoryConfigFile(defaultPWHistoryConfigFile), 1482 pwQualityConfigFile(defaultPWQualityConfigFile) 1483 { 1484 UserMgrIface::allPrivileges(privMgr); 1485 groupsMgr = readAllGroupsOnSystem(); 1486 std::sort(groupsMgr.begin(), groupsMgr.end()); 1487 UserMgrIface::allGroups(groupsMgr); 1488 initializeAccountPolicy(); 1489 initUserObjects(); 1490 1491 // emit the signal 1492 this->emit_object_added(); 1493 } 1494 1495 void UserMgr::executeUserAdd(const char* userName, const char* groups, 1496 bool sshRequested, bool enabled) 1497 { 1498 // set EXPIRE_DATE to 0 to disable user, PAM takes 0 as expire on 1499 // 1970-01-01, that's an implementation-defined behavior 1500 executeCmd("/usr/sbin/useradd", userName, "-G", groups, "-m", "-N", "-s", 1501 (sshRequested ? "/bin/sh" : "/sbin/nologin"), "-e", 1502 (enabled ? "" : "1970-01-01")); 1503 } 1504 1505 void UserMgr::executeUserDelete(const char* userName) 1506 { 1507 executeCmd("/usr/sbin/userdel", userName, "-r"); 1508 } 1509 1510 void UserMgr::executeUserClearFailRecords(const char* userName) 1511 { 1512 executeCmd("/usr/sbin/faillock", "--user", userName, "--reset"); 1513 } 1514 1515 void UserMgr::executeUserRename(const char* userName, const char* newUserName) 1516 { 1517 std::string newHomeDir = "/home/"; 1518 newHomeDir += newUserName; 1519 executeCmd("/usr/sbin/usermod", "-l", newUserName, userName, "-d", 1520 newHomeDir.c_str(), "-m"); 1521 } 1522 1523 void UserMgr::executeUserModify(const char* userName, const char* newGroups, 1524 bool sshRequested) 1525 { 1526 executeCmd("/usr/sbin/usermod", userName, "-G", newGroups, "-s", 1527 (sshRequested ? "/bin/sh" : "/sbin/nologin")); 1528 } 1529 1530 void UserMgr::executeUserModifyUserEnable(const char* userName, bool enabled) 1531 { 1532 // set EXPIRE_DATE to 0 to disable user, PAM takes 0 as expire on 1533 // 1970-01-01, that's an implementation-defined behavior 1534 executeCmd("/usr/sbin/usermod", userName, "-e", 1535 (enabled ? "" : "1970-01-01")); 1536 } 1537 1538 std::vector<std::string> UserMgr::getFailedAttempt(const char* userName) 1539 { 1540 return executeCmd("/usr/sbin/faillock", "--user", userName); 1541 } 1542 1543 } // namespace user 1544 } // namespace phosphor 1545