author    Dave Olson <olson@cumulusnetworks.com>  2018-04-02 11:01:09 -0700
committer Dave Olson <olson@cumulusnetworks.com>  2018-04-02 20:40:02 -0700
commit    1e5742369aedc8708d5dbe4411ffd5bf4b10537a (patch)
tree      2480dc22d6bd3e99084aa85e5679e06b71a33ea0 /debian
parent    556625e62b692b723cc6809d2374c3da9616dc3d (diff)
Add VSA shell:priv-lvl support for privileged radius user logins
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests

Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point.

Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user.

Create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts.

A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login. A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines. Also cleaned up some whitespace issues.

Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example).
Diffstat (limited to 'debian')
-rw-r--r--  debian/changelog                4
-rw-r--r--  debian/control                  4
-rw-r--r--  debian/libnss-mapuser.postinst  8
-rw-r--r--  debian/mapuser                  6
-rwxr-xr-x  debian/rules                    6
5 files changed, 14 insertions, 14 deletions
diff --git a/debian/changelog b/debian/changelog
index f93e11d..50032b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ libnss-mapuser (1.0.0-cl3u3) RELEASED; urgency=low
* Closes CM-19866 - Fixed exclude_users not skipped, and added
more system accounts to exclude_users: www-data,man, tacacs[0-9]*.
+ * New Enabled - When Vendor Specific Option containing shell:priv-lvl
+ is present, and the value is 15, map to user radius_priv_user, and
+ give that user account more privileges, similar to tacplus client
+ privilege 15.
-- dev-support <dev-support@cumulusnetworks.com> Mon, 26 Feb 2018 09:51:44 -0800
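Review bot: The new bullet is added to the existing `libnss-mapuser (1.0.0-cl3u3) RELEASED` stanza, whose trailer is still dated Mon, 26 Feb 2018, so a privilege-related feature would ship under an already released version and date; open a new stanza (next cl3u revision, current date) for it. The wording `* New Enabled -` also reads oddly next to the `* Closes CM-19866 -` line above; `* New feature, CM-19457 -` would match the ticket named in the commit message.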
diff --git a/debian/control b/debian/control
index c383d86..d0ad69d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,14 +1,14 @@
Source: libnss-mapuser
Priority: optional
Maintainer: dev-support <dev-support@cumulusnetworks.com>
-Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), git
+Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), libaudit-dev, git
Section: libs
Standards-Version: 3.9.6
Homepage: http://www.cumulusnetworks.com
Package: libnss-mapuser
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, adduser
+Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, adduser
Description: NSS modules to map any requested username to a local account
Performs getpwname and getpwuid lookups via NSS for systems like RADIUS
where it is not possible to do a username lookup without authentication
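Review bot: The Description still only mentions `getpwname` (a typo for getpwnam) and getpwuid lookups, while this change also adds group lookups (getgrent, getgrgid, getgrnam per the commit message, and the `group:` line edit in postinst), so fix the typo and extend the long description. Also, listing `libaudit1` explicitly in Depends is redundant if the module links against libaudit, since `${shlibs:Depends}` already generates the versioned dependency; keep it only if the library is loaded via dlopen.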
diff --git a/debian/libnss-mapuser.postinst b/debian/libnss-mapuser.postinst
index 2e9b04f..ee6a70d 100644
--- a/debian/libnss-mapuser.postinst
+++ b/debian/libnss-mapuser.postinst
@@ -19,11 +19,19 @@ case "$1" in
-e '/^passwd:/s/\s\s*/&mapuid /' \
-e '/^passwd:.*#/s/#.*/ mapname &/' \
-e '/^passwd:[^#]*$/s/$/ mapname &/' \
+ -e '/^group:.*#/s/#.*/ mapname &/' \
+ -e '/^group:[^#]*$/s/: */& mapname /' \
/etc/nsswitch.conf
fi
addgroup --quiet $rgroup 2>&1 | grep -v 'already exists'
adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
--gecos "radius user" radius_user 2>&1 | grep -v 'already exists'
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
+ --gecos "radius privileged user" radius_priv_user 2>&1 | grep -v 'already exists'
+ # regular radius logins can run net show commands
+ adduser --quiet radius_user netshow
+ # privileged radius logins can run net config commands, as well as show
+ adduser --quiet radius_priv_user netedit
exit 0
)
;;
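Review bot: The two new sed expressions put `mapname` at different positions in the `group:` line: the comment case (`/^group:.*#/s/#.*/ mapname &/`) appends it after the existing sources, but the no-comment case (`/^group:[^#]*$/s/: */& mapname /`) inserts it directly after `group:`, ahead of `files`/`compat`, so on hosts whose line has no trailing comment every local group lookup goes to the NSS module before the local files; make it append like the `passwd:` case (`s/$/ mapname /`). Separately, `adduser --quiet radius_user netshow` and `adduser --quiet radius_priv_user netedit` assume the netshow and netedit groups already exist; if another package creates them, add a Depends on it or guard with `getent group netshow`, and note that the `| grep -v 'already exists'` pipelines hide adduser failures because only grep's exit status is observed.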
diff --git a/debian/mapuser b/debian/mapuser
deleted file mode 100644
index 69d2137..0000000
--- a/debian/mapuser
+++ /dev/null
@@ -1,6 +0,0 @@
-Name: libnss-mapuser uses this to maintain the session uid => user mapping
-Default: yes
-Priority: 257
-Session-Type: Additional
-Session:
- optional pam_script.so dir=/usr/share/mapuser
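Review bot: Removing the pam-configs profile from the package does not undo what pam-auth-update already wrote into /etc/pam.d on installed systems (the `optional pam_script.so dir=/usr/share/mapuser` session line); dpkg only deletes the profile file itself. Add a `pam-auth-update --remove mapuser` to the maintainer scripts on the upgrade path so the stale module reference is dropped.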
diff --git a/debian/rules b/debian/rules
index ed7dbc0..cb1f417 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,9 +16,3 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# No configuration needed
override_dh_auto_configure:
-override_dh_install:
- dh_installdirs /usr/share/pam-configs /usr/share/mapuser
- install -p -m 755 pam_script_ses* debian/libnss-mapuser/usr/share/mapuser
- install -p -m 444 debian/mapuser \
- debian/libnss-mapuser/usr/share/pam-configs/
- dh_install
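Review bot: Dropping override_dh_install is consistent with deleting the mapuser profile, but it only stops installing `pam_script_ses*`; the scripts themselves must also be removed from the source tree (the commit message says they are, and they are outside this debian/ view), and the `install -p -m 444 debian/mapuser` removal should be paired with the maintainer-script cleanup noted on the debian/mapuser hunk so upgrades do not leave /etc/pam.d pointing at a module directory that no longer exists.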