auth: replace spurious admin user in favour of root

A hybrid approach was previously employed that made it possible to use admin as a synonym for root, which was really confusing and a bit unclear judging by the actual code employed. Does admin own a home directory or not? Why does root work on the console, but not in the web interface?
opnsense · Dec 31, 2014 · 93397f8 · 93397f8
1 parent ee87372
commit 93397f8
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 63 deletions.
diff --git a/src/etc/config.xml b/src/etc/config.xml
@@ -172,7 +172,7 @@
 			<priv>page-all</priv>
 		</group>
 		<user>
-			<name>admin</name>
+			<name>root</name>
 			<descr><![CDATA[System Administrator]]></descr>
 			<scope>system</scope>
 			<groupname>admins</groupname>

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
@@ -1,18 +1,11 @@
 <?php
-/* $Id$ */
-/*
-	Copyright (C) 2010 Ermal Lu�i
-	All rights reserved.
 
+/*
+	Copyright (C) 2014 Deciso B.V.
+	Copyright (C) 2010 Ermal Luçi
 	Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
-	All rights reserved.
-
         Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
-        All rights reserved.
-
         Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
-        All rights reserved.
-
         Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
         All rights reserved.
 
@@ -36,10 +29,6 @@
         CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
         ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
         POSSIBILITY OF SUCH DAMAGE.
-
-		DISABLE_PHP_LINT_CHECKING
-		pfSense_BUILDER_BINARIES:	/usr/sbin/pw	/bin/cp
-		pfSense_MODULE:	auth
 */
 
 /*
@@ -311,45 +300,47 @@ function local_backed($username, $passwd) {
 	return false;
 }
 
-function local_sync_accounts() {
-	global $debug, $config;
+function local_sync_accounts()
+{
+	global $config;
+
 	conf_mount_rw();
 
 	/* remove local users to avoid uid conflicts */
-	$fd = popen("/usr/sbin/pw usershow -a", "r");
+	$fd = popen('/usr/sbin/pw usershow -a', 'r');
 	if ($fd) {
 		while (!feof($fd)) {
-			$line = explode(":",fgets($fd));
-			if (((!strncmp($line[0], "_", 1)) || ($line[2] < 2000) || ($line[2] > 65000)) && ($line[0] != "admin"))
+			$line = explode(':',fgets($fd));
+			if (((!strncmp($line[0], '_', 1)) || ($line[2] < 2000) || ($line[2] > 65000))) {
 				continue;
+			}
 			/*
 			 * If a crontab was created to user, pw userdel will be interactive and
 			 * can cause issues. Just remove crontab before run it when necessary
 			 */
 			unlink_if_exists("/var/cron/tabs/{$line[0]}");
 			$cmd = "/usr/sbin/pw userdel -n '{$line[0]}'";
-			if($debug)
-				log_error(sprintf(gettext("Running: %s"), $cmd));
 			mwexec($cmd);
 		}
 		pclose($fd);
 	}
 
 	/* remove local groups to avoid gid conflicts */
 	$gids = array();
-	$fd = popen("/usr/sbin/pw groupshow -a", "r");
+	$fd = popen('/usr/sbin/pw groupshow -a', 'r');
 	if ($fd) {
 		while (!feof($fd)) {
-			$line = explode(":",fgets($fd));
-			if (!strncmp($line[0], "_", 1))
+			$line = explode(':',fgets($fd));
+			if (!strncmp($line[0], '_', 1)) {
 				continue;
-			if ($line[2] < 2000)
+			}
+			if ($line[2] < 2000) {
 				continue;
-			if ($line[2] > 65000)
+			}
+			if ($line[2] > 65000) {
 				continue;
+			}
 			$cmd = "/usr/sbin/pw groupdel {$line[2]}";
-			if($debug)
-				log_error(sprintf(gettext("Running: %s"), $cmd));
 			mwexec($cmd);
 		}
 		pclose($fd);
@@ -410,7 +401,7 @@ function local_user_set(& $user) {
 		$lock_account = true;
 	}
 
-	/* Lock out disabled or expired users, unless it's root/admin. */
+	/* Lock out disabled or expired users, unless it's root */
 	if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) {
 		$user_shell = "/sbin/nologin";
 		$lock_account = true;
@@ -480,16 +471,11 @@ function local_user_set(& $user) {
 	conf_mount_ro();
 }
 
-function local_user_del($user) {
-	global $debug;
-
+function local_user_del($user)
+{
 	/* remove all memberships */
 	local_user_set_groups($user);
 
-	/* Don't remove /root */
-	if ($user['uid'] != 0)
-		$rmhome = "-r";
-
 	/* read from pw db */
 	$fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r");
 	$pwread = fgets($fd);
@@ -502,10 +488,8 @@ function local_user_del($user) {
 	}
 
 	/* delete from pw db */
-	$cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}";
+	$cmd = "/usr/sbin/pw userdel -n {$user['name']} -r";
 
-	if($debug)
-		log_error(sprintf(gettext("Running: %s"), $cmd));
 	mwexec($cmd);
 
 	/* Delete user from groups needs a call to write_config() */

diff --git a/src/etc/inc/config.lib.inc b/src/etc/inc/config.lib.inc
@@ -490,13 +490,15 @@ function safe_write_file($file, $content, $force_binary) {
  *   null
  ******/
 /* save the system configuration */
-function write_config($desc="Unknown", $backup = true) {
+function write_config($desc = 'Unknown', $backup = true)
+{
 	global $config, $g;
 
 	if (!empty($_SERVER['REMOTE_ADDR'])) {
-		if (!session_id())
+		if (!session_id()) {
 			@session_start();
-		if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) {
+		}
+		if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != 'root')) {
 			$user = getUserEntry($_SESSION['Username']);
 			if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
 				session_commit();
@@ -505,11 +507,13 @@ function write_config($desc="Unknown", $backup = true) {
 		}
 	}
 
-	if (!isset($argc))
+	if (!isset($argc)) {
 		session_commit();
+	}
 
-	if($backup)
+	if ($backup) {
 		backup_config();
+	}
 
 	$config['revision'] = make_config_revision_entry($desc);
 

diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
@@ -35,7 +35,7 @@ register_shutdown_function('closelog');
 $g = array(
 	"base_packages" => "siproxd",
 	"event_address" => "unix:///var/run/check_reload_status",
-	"factory_shipped_username" => "admin",
+	"factory_shipped_username" => "root",
 	"factory_shipped_password" => "opnsense",
 	"upload_path" => "/root",
 	"dhcpd_chroot_path" => "/var/dhcpd",

diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc
@@ -179,42 +179,51 @@ function get_user_privdesc(& $user) {
 	return $privs;
 }
 
-function isAllowed($username, $page) {
+function isAllowed($username, $page)
+{
 	global $_SESSION;
 
-	if (!isset($username))
+	if (!isset($username)) {
 		return false;
+	}
 
-	/* admin/root access check */
+	/* root access check */
 	$user = getUserEntry($username);
-	if (isset($user))
-		if (isset($user['uid']))
-			if ($user['uid']==0)
+	if (isset($user)) {
+		if (isset($user['uid'])) {
+			if ($user['uid'] == 0) {
 				return true;
+			}
+		}
+	}
 
 	/* user privelege access check */
-	if (cmp_page_matches($page, $_SESSION['page-match']))
+	if (cmp_page_matches($page, $_SESSION['page-match'])) {
 		return true;
+	}
 
 	return false;
 }
 
-
-function isAllowedPage($page) {
+function isAllowedPage($page)
+{
 	global $_SESSION;
 
-
 	$username = $_SESSION['Username'];
 
-	if (!isset($username))
+	if (!isset($username)) {
 		return false;
+	}
 
-	/* admin/root access check */
+	/* root access check */
 	$user = getUserEntry($username);
-	if (isset($user))
-		if (isset($user['uid']))
-			if ($user['uid']==0)
+	if (isset($user)) {
+		if (isset($user['uid'])) {
+			if ($user['uid'] == 0) {
 				return true;
+			}
+		}
+	}
 
 	/* user privelege access check */
 	return cmp_page_matches($page, $_SESSION['page-match']);

diff --git a/src/etc/rc.initial.password b/src/etc/rc.initial.password
@@ -62,8 +62,8 @@ The User manager authentication server is set to "' . $config['system']['webgui'
 	}
 
 	$admin_user['name'] = $g['factory_shipped_username'];
-	$admin_user['priv'] = array("user-shell-access");
-	$admin_user['scope'] = "system";
+	$admin_user['priv'] = array('user-shell-access');
+	$admin_user['scope'] = 'system';
 
 	if (isset($admin_user['disabled'])) {
 		unset($admin_user['disabled']);