| author | Dave Olson <olson@cumulusnetworks.com> | 2018-04-13 16:42:26 -0700 | 
|---|---|---|
| committer | Dave Olson <olson@cumulusnetworks.com> | 2018-04-13 16:42:26 -0700 | 
| commit | a300d135962a05f876d25ca57ddead873ab2173e (patch) | |
| tree | c18889e7c9be4a8480bd26dc7d5c3b7662312fe5 | |
| parent | bf538dfedd8ae77ff3a8cf75e7776983c0afd94a (diff) | |
| parent | 613f1949208809a116bd1b3737e39a1599bf7d43 (diff) | |
| download | libnss-mapuser-a300d135962a05f876d25ca57ddead873ab2173e.tar.gz libnss-mapuser-a300d135962a05f876d25ca57ddead873ab2173e.zip  | |
Merge branch 'dev' into release/cl-stable
Conflicts:
	debian/changelog
	debian/libnss-mapuser.postinst
	map_common.c
	nss_mapuser.5
	nss_mapuser.conf
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/libnss-mapuser.postinst | 7 | ||||
| -rw-r--r-- | debian/libnss-mapuser.symbols | 5 | ||||
| -rw-r--r-- | map_common.c | 53 | ||||
| -rw-r--r-- | nss_mapuser.5 | 3 | ||||
| -rw-r--r-- | nss_mapuser.conf | 2 | 
6 files changed, 52 insertions, 20 deletions
diff --git a/debian/changelog b/debian/changelog
index 190d66d..d0ea75f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,7 +8,7 @@ libnss-mapuser (1.1.0-cl3u1) RELEASED; urgency=low
     have radius_user and/or radius_priv_user, to give that that user account
     more privileges, similar to tacplus client privilege 15.
- -- dev-support <dev-support@cumulusnetworks.com>  Fri, 06 Apr 2018 15:46:56 -0700
+ -- dev-support <dev-support@cumulusnetworks.com>  Fri, 13 Apr 2018 16:19:08 -0700
 libnss-mapuser (1.0.0-cl3u2) RELEASED; urgency=low
diff --git a/debian/libnss-mapuser.postinst b/debian/libnss-mapuser.postinst
index 13bf0d0..54c661b 100644
--- a/debian/libnss-mapuser.postinst
+++ b/debian/libnss-mapuser.postinst
@@ -24,10 +24,13 @@ case "$1" in
 				/etc/nsswitch.conf
 		fi
 		addgroup --quiet $rgroup 2>&1 | grep -v 'already exists'
+		ourshell=/bin/bash # not radius_shell, has pkg ordering issues.
 		adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
-		    --gecos "radius user" radius_user 2>&1 | grep -v 'already exists'
+			--gecos "radius user" --shell $ourshell radius_user 2>&1 |
+			grep -v 'already exists'
 		adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
-		    --gecos "radius privileged user" radius_priv_user 2>&1 | grep -v 'already exists'
+			--gecos "radius privileged user" --shell $ourshell radius_priv_user 2>&1 |
+			grep -v 'already exists'
 		# regular radius logins can run net show commands
 		adduser --quiet radius_user netshow
 		# privileged radius logins can run net config commands, as well as show
diff --git a/debian/libnss-mapuser.symbols b/debian/libnss-mapuser.symbols
index 2254c2e..c5a3ed0 100644
--- a/debian/libnss-mapuser.symbols
+++ b/debian/libnss-mapuser.symbols
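Review bot: The template accounts are now created with `--shell $ourshell` where `ourshell=/bin/bash`, and since nss_mapuser.conf states that mapped logins take their shell from the template's /etc/passwd entry, every RADIUS user mapped through `radius_user` or `radius_priv_user` presumably ends up with an unrestricted shell instead of the `radius_shell` the new comment says was intended. If that is a deliberate interim state it should be spelled out with the follow-up it depends on, e.g. `# TODO: use radius_shell once that package can be ordered before libnss-mapuser; until then every mapped RADIUS login gets an unrestricted /bin/bash`. Note also that adduser only applies `--shell` when it creates the account; on an upgrade where the accounts already exist (the `grep -v 'already exists'` path) the shell is left as it was, so installs that predate this change likely keep their old shell unless a `usermod -s`/`chsh` step is added. The `case` statement this runs in starts before the hunk.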
@@ -1,4 +1,9 @@
 libnss_mapname.so.2 libnss-mapuser #MINVER#
+ _nss_mapname_setgrent@Base 1.1.0-cl3u1
+ _nss_mapname_endgrent@Base 1.1.0-cl3u1
+ _nss_mapname_getgrent_r@Base 1.1.0-cl3u1
+ _nss_mapname_getgrgid_r@Base 1.1.0-cl3u1
+ _nss_mapname_getgrnam_r@Base 1.1.0
  _nss_mapname_getpwnam_r@Base 1.0.0
 libnss_mapuid.so.2 libnss-mapuser #MINVER#
diff --git a/map_common.c b/map_common.c
index 830d85a..b6fe3bc 100644
--- a/map_common.c
+++ b/map_common.c
@@ -26,6 +26,7 @@
 #include "map_common.h"
 #include <sys/stat.h>
 #include <stddef.h>
+#include <signal.h>
 #include <fcntl.h>
 #include <dirent.h>
 #include <ctype.h>
@@ -293,7 +294,7 @@ get_pw_mapuser(const char *name, struct pwbuf *pb, uid_t mapuid, int privileged)
 	for (ret = 1; ret && (ent = fgetpwent(pwfile));) {
 		if (!ent->pw_name)
 			continue;	/* shouldn't happen */
-		if (!strcmp(ent->pw_name, name) ||
+		if (!strcmp(ent->pw_name, name) || /*  added locally */
 		    !strcmp(ent->pw_name, privileged ? mapped_priv_user :
 			    mappeduser) || ent->pw_uid == mapuid) {
 			ret =
@@ -320,7 +321,6 @@ static int chk_session_file(char *session, uid_t uid, struct pwbuf *pb)
 	FILE *mapf;
 	uid_t auid = 0;
 	int ret = 1, privileged = 0;;
-	int gotinfo = 0;	/*  user, session, auid */
 	snprintf(sessfile, sizeof sessfile, "%s%s", dbdir, session);
@@ -333,46 +333,65 @@ static int chk_session_file(char *session, uid_t uid, struct pwbuf *pb)
 		return ret;
 	}
 	user[0] = '\0';
-	while (gotinfo != 4 && fgets(rbuf, sizeof rbuf, mapf)) {
-		strtok(rbuf, " \t\n\r\f");	/* terminate buffer at first whitespace */
+	while (fgets(rbuf, sizeof rbuf, mapf)) {
+		/* terminate buffer at first whitespace */
+		strtok(rbuf, " \t\n\r\f");
 		if (!strncmp("user=", rbuf, 5)) {
 			if (pb->name && strcmp(rbuf + 5, pb->name))
 				break;
 			snprintf(user, sizeof user, "%s", rbuf + 5);
-			gotinfo++;
+		} else if (!strncmp("pid=", rbuf, 4)) {
+			char *ok;
+			unsigned pid = (unsigned) strtoul(rbuf + 4, &ok, 10);
+			if (ok != (rbuf + 4) && pid > 0 && kill(pid, 0) &&
+			    errno == ESRCH) {
+				/*  ESRCH instead of any error because perms as
+				 *  non-root.  Try to unlink, since we often
+				 *  run as root; report as DEBUG if we unlink,
+				 *  report as INFO if not */
+				if (unlink(sessfile) == 0)
+					syslog(LOG_DEBUG, "session file %s"
+					       " PID=%u no longer active,"
+					       " removed", sessfile, pid);
+				else
+					syslog(LOG_INFO, "session file %s"
+					       " PID=%u no longer active, skip",
+					       sessfile, pid);
+				auid = 0; /*  force fail */
+				break;
+			}
 		} else if (!strncmp("auid=", rbuf, 5)) {
 			char *ok;
 			uid_t fuid = (uid_t) strtoul(rbuf + 5, &ok, 10);
 			if (ok != (rbuf + 5)) {
-				gotinfo++;
 				if (uid != -1 && fuid != uid) {
-					auid = fuid;
-					break;	/*  getpwuid, but uid/auid mismatch, nogo */
+					/*  getpwuid call but mismatch, nogo */
+					break;
 				} else
 					auid = fuid;
 			}
 		} else if (!strcasecmp("privileged=yes", rbuf)) {
 			privileged = 1;
-			gotinfo++;
-		} else if (!strcasecmp("privileged=no", rbuf))
-			gotinfo++;
-		else if (!strncmp("session=", rbuf, 8)) {
+		} else if (!strcasecmp("privileged=no", rbuf)) {
+			privileged = 0;
+		} else if (!strncmp("session=", rbuf, 8)) {
 			/*  structural problem, so log warning */
 			if 
(strcmp(session, rbuf + 8)) {
 				syslog(LOG_WARNING,
-				       "%s: session field \"%s\" mismatch in %s",
+				       "%s: session \"%s\" mismatch in %s",
 				       libname, rbuf, sessfile);
-			} else
-				gotinfo++;
+				auid = 0; /*  force a skip */
+			}
 		}
 	}
 	fclose(mapf);
-	if (auid && user[0]) {	/*  otherwise not a match */
+	if (auid && (uid == (uid_t)-1 || auid == uid) && user[0]) {
 		if (!pb->name)
 			pb->name = user;	/*  uid lookups */
 		ret = get_pw_mapuser(user, pb, auid, privileged);
 	}
+	/*  otherwise not a match */
 	return ret;
 }
@@ -429,7 +448,7 @@ int find_mappingfile(struct pwbuf *pb, uid_t uid)
 int make_mapuser(struct pwbuf *pb, const char *name)
 {
 	int ret;
-	ret = get_pw_mapuser(mappeduser, pb, (uid_t) - 1, 0);
+	ret = get_pw_mapuser(mappeduser, pb, (uid_t)-1, 0);
 	return ret;
 }
diff --git a/nss_mapuser.5 b/nss_mapuser.5
index 6e63138..92aff16 100644
--- a/nss_mapuser.5
+++ b/nss_mapuser.5
@@ -45,6 +45,9 @@ When a uid or name match is found, this account information is read from
 .I /etc/passwd
 and used as a template for the matching account.  The default at installation is
 .BR radius_priv_user .
+It must match the privileged account name in
+.IR pam_radius_auth (5)
+for correct operation.
 .TP
 .I mapped_user=NAME
 This is the local account used as a template for unprivileged logins
diff --git a/nss_mapuser.conf b/nss_mapuser.conf
index c5f2098..1ed70d1 100644
--- a/nss_mapuser.conf
+++ b/nss_mapuser.conf
@@ -35,4 +35,6 @@ exclude_users=root,daemon,nobody,cron,sshd,cumulus,quagga,frr,snmp,www-data,ntp,
 # Map all usernames to the radius_user account (use the uid, gid, shell, and
 # base of the home directory from the cumulus entry in /etc/passwd).
 mapped_user=radius_user
+# if you change the account for mapped_priv_user, you must change it in
+# /etc/pam_radius_auth.conf as well.
 mapped_priv_user=radius_priv_user  | 
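Review bot: In the `session=` mismatch branch the new `auid = 0; /*  force a skip */` does not leave the loop, so if the session file happens to list `auid=` after `session=`, the later line re-assigns `auid` and the mismatched file is still mapped by the final `if (auid && ...)`; the `pid=` branch uses `break` for exactly this purpose and this branch should too: `auid = 0; /*  force a skip */` followed by `break;`. Separately, the recorded pid is parsed into an `unsigned` and handed to `kill()`, so a value above INT_MAX (e.g. `pid=4294967295`) converts to a negative `pid_t` — `kill(-1, 0)` reports success whenever any signalable process exists and `kill(-N, 0)` probes process group N — so a stale or crafted file with such a pid passes the liveness test and keeps its mapping; parsing into an `unsigned long`, then rejecting `pid > INT_MAX` and `*ok != '\0'` before the `kill()`, closes that. Also worth a comment that `kill(pid, 0)` succeeding only proves some process with that pid exists, so a recycled pid presumably keeps a stale session mapping alive until the file is otherwise cleaned up. chk_session_file's opening lines lie before this hunk.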
