login: user vyos can not be deleted under vyos-configd
Closed, Resolved | Public | FEATURE REQUEST

Description

When deleting users in system_login.py that are no longer available via CLI, we check whether the user being deleted is the current user (https://github.com/vyos/vyos-1x/blob/442bf37dbccbcb9f47333543742fa7aa665bb417/src/conf_mode/system_login.py#L125-L131) calling commit; this is not allowed.

This is done by evaluating the SUDO_USER environment variable.

When vyos-configd is in use, the value is always forced to vyos:

https://github.com/vyos/vyos-1x/blob/442bf37dbccbcb9f47333543742fa7aa665bb417/src/services/vyos-configd#L269

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)
Forum thread
https://forum.vyos.io/t/unable-to-delete-vyos-user-in-the-newest-rolling-release-vyos-1-5-rolling-202406200020/14731

Event Timeline

c-po triaged this task as High priority.
c-po updated the task description.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).

My current understanding, and memory of its introduction, is that the settings os.environ[SUDO_*] were more than needed at the time, with a possible later use in mind: the only critical setting for vyos-configd as a dispatcher of config mode scripts is the preceding line: setgid(cfg_group.gid), allowing the config group access to generated files. Note that the environment variables are not currently used by conf-mode scripts, other than system_login.py, leading to the above bug.

Regarding ownership/permissions of the CStore hierarchy itself, on commit, that is handled by the originating config session: script execution is handed off to vyos-configd (if running) and upon return of a success message, the config session does the CStore/UnionFS updates --- so no further involvement from vyos-configd.

So we can just remove the environment settings; after running make testd smoketests, a PR will be opened.

jestabro moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
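
The failure mode discussed in this task, as an added example that is not part of the original task or of vyos-1x: a simplified model of a SUDO_USER-based check, run directly and through a dispatching daemon. The function names, the committer name admin and the behaviour when SUDO_USER is unset are assumptions of the model.

```python
# Simplified model of the check and dispatch path described in this task.
# All names are illustrative; this is not code from vyos-1x.

class ConfigError(Exception):
    """A commit that must be rejected."""

def verify_rm_users(rm_users, env):
    # "Current user" is whatever SUDO_USER says; with the variable unset
    # the check is skipped (assumption of this model).
    cur_user = env.get('SUDO_USER')
    if cur_user is not None and cur_user in rm_users:
        raise ConfigError(f'Attempting to delete current user: {cur_user}')

def run_direct(rm_users, caller):
    # Script started from the caller's own sudo session.
    verify_rm_users(rm_users, {'SUDO_USER': caller})

def run_via_daemon(rm_users, caller, force_env=True):
    # Script dispatched by a long-running daemon: the caller's environment
    # never reaches the check, only what the daemon itself has set.
    daemon_env = {'SUDO_USER': 'vyos'} if force_env else {}
    verify_rm_users(rm_users, daemon_env)

def outcome(fn, *args, **kwargs):
    # Turn the exception-based result into a comparable string.
    try:
        fn(*args, **kwargs)
        return 'commit ok'
    except ConfigError as exc:
        return f'rejected ({exc})'

def demo():
    # Constructed cases: committer "admin" removing either account.
    return {
        'direct: admin deletes vyos': outcome(run_direct, ['vyos'], 'admin'),
        'direct: admin deletes admin': outcome(run_direct, ['admin'], 'admin'),
        'daemon, forced env: admin deletes vyos': outcome(run_via_daemon, ['vyos'], 'admin'),
        'daemon, forced env: admin deletes admin': outcome(run_via_daemon, ['admin'], 'admin'),
        'daemon, env removed: admin deletes vyos': outcome(run_via_daemon, ['vyos'], 'admin', force_env=False),
    }

if __name__ == '__main__':
    for case, result in demo().items():
        print(f'{case:42} -> {result}')
```

In this model the forced value rejects deletion of vyos for every committer and no longer notices a committer removing their own account, because the check compares against the daemon's identity rather than the caller's.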