author Dave Olson <olson@cumulusnetworks.com> 2018-04-02 11:01:09 -0700
committer Dave Olson <olson@cumulusnetworks.com> 2018-04-10 12:33:12 -0700
commit 5630f132b8898fa1ec3236a0ad796755127881c9
tree 2480dc22d6bd3e99084aa85e5679e06b71a33ea0 /map_common.h
parent 7f2e226bde6e6cd5cc7b29f7385a8c14a9b8b66f
Add VSA shell:priv-lvl support for privileged radius user logins
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests

Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point

Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user.

create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts

A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login.

A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines. Also cleaned up some whitespace issues.

Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example).
Diffstat (limited to 'map_common.h')
-rw-r--r-- map_common.h 19
1 files changed, 14 insertions, 5 deletions
diff --git a/map_common.h b/map_common.h
index b3401ea..e8e051d 100644
--- a/map_common.h
+++ b/map_common.h
@@ -49,10 +49,19 @@ struct pwbuf {
extern char *exclude_users;
extern char *mappeduser;
extern char *mapped_priv_user;
-extern uid_t min_uid;
-extern int debug;
+extern uid_t map_min_uid;
+extern int map_debug;
extern int nss_mapuser_config(int *errnop, const char *lname);
-extern int pwcopy(char *buf, size_t len, struct passwd *srcpw,
- struct passwd *destpw, const char *usename);
-extern int get_pw_mapuser(const char *name, struct pwbuf *pb);
+extern uint32_t get_sessionid(void);
+extern int skip_program(void);
+extern int find_mappingfile(struct pwbuf *pb, uid_t uid);
+extern int find_mapped_name(struct pwbuf *pb, uid_t uid, uint32_t session);
+extern int make_mapuser(struct pwbuf *pb, const char *name);
+extern int map_init_common(int *errnop, const char *plugname);
+extern char **fixup_gr_mem(const char *name, const char **gr_in, char *buf,
+ size_t * lp, int *err, unsigned privbits);
+extern void cleanup_gr_mem(void);
+
+#define PRIV_MATCH 2
+#define UNPRIV_MATCH 1
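Review bot: the new externs in this hunk (`get_sessionid`, `skip_program`, `find_mappingfile`, `find_mapped_name`, `make_mapuser`, `fixup_gr_mem`, `cleanup_gr_mem`) are as generic as the `debug` and `min_uid` names being renamed here, and the context lines `exclude_users`, `mappeduser` and `mapped_priv_user` keep their unprefixed names, so the collision the commit message describes with bgpd can recur with any host program that defines one of them. An NSS plugin is loaded into whatever process calls the getpw*/getgr* entry points, so a clash would change behaviour inside the plugin in that process; consider giving these the same `map_` prefix as `map_init_common`, or building internal symbols with hidden visibility. Separately, `PRIV_MATCH`, `UNPRIV_MATCH` and the `unsigned privbits` argument of `fixup_gr_mem` carry no comment: state whether `privbits` is a bitmask of these two values, and document the return convention of `find_mappingfile`, `find_mapped_name` and `make_mapuser`, since per the commit message these paths decide whether a RADIUS user lands in the privileged groups. The `uint32_t` prototypes also depend on `<stdint.h>`; no include is visible in this hunk, so confirm the header pulls it in itself rather than relying on its includers.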