author: Dave Olson <olson@cumulusnetworks.com> 2018-04-02 11:01:09 -0700
committer: Dave Olson <olson@cumulusnetworks.com> 2018-04-02 20:40:02 -0700
commit: 1e5742369aedc8708d5dbe4411ffd5bf4b10537a (patch)
tree: 2480dc22d6bd3e99084aa85e5679e06b71a33ea0 /nss_mapuser.5
parent: 556625e62b692b723cc6809d2374c3da9616dc3d (diff)
Add VSA shell:priv-lvl support for privileged radius user logins
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests

Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point.

Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user.

Create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts.

A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login. A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines. Also cleaned up some whitespace issues.

Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example).
Diffstat (limited to 'nss_mapuser.5')
-rw-r--r--  nss_mapuser.5  | 83
1 files changed, 64 insertions, 19 deletions
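As an added illustration, not part of this commit or of the libnss-mapuser project files, here is a complete nss_mapuser.conf that uses the options the man page change below documents. The keys and the default account names (radius_user, radius_priv_user) come from the man page text; the file path, the `#` comment syntax, the example uid threshold and the exclude_users entries are assumptions constructed for this example.

```ini
# Assumed path: /etc/nss_mapuser.conf (the page does not state where the file lives).
# '#' comment lines are an assumption; the keys below are the ones the man page documents.

# Emit lookup debugging via syslog(3). NSS lookups are frequent, so keep this at 0
# outside of troubleshooting; the log volume and leaked usernames are otherwise a nuisance.
debug=0

# Local accounts the mapuser plugin should never handle: they get an immediate NOTFOUND.
# Constructed list; the mapped_user/mapped_priv_user accounts and tacacs[0-9] are always
# skipped in addition to whatever is listed here.
exclude_users=root,daemon,nobody

# uids below this value get an immediate NOTFOUND from the mapuid getpwuid() path.
# The man page requires this to be lower than the uid of both template accounts,
# so pick it below whatever uid adduser gave radius_user and radius_priv_user.
# 1000 is a constructed example value.
min_uid=1000

# Template account for unprivileged logins (no privilege attribute, or shell:priv-lvl 0-14).
# Default at installation per the man page; member of the netshow group.
mapped_user=radius_user

# Template account for privileged logins (RADIUS VSA shell:priv-lvl=15).
# Default at installation per the man page; member of netedit (and, per the commit
# message, sudo), so it must stay locked: create it with adduser --disabled-login.
mapped_priv_user=radius_priv_user
```

The min_uid line is the one to get right: set it above the template accounts' uids and every mapped login is answered NOTFOUND, which surfaces as a session with no usable account rather than an obvious configuration error.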
diff --git a/nss_mapuser.5 b/nss_mapuser.5
index 3e17aec..6e63138 100644
--- a/nss_mapuser.5
+++ b/nss_mapuser.5
@@ -1,21 +1,22 @@
.TH nss_mapuser 5
-.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved.
+.\" Copyright 2017, 2018 Cumulus Networks, Inc. All rights reserved.
.SH NAME
nss_mapuser.conf \- NSS mapuser configuration file
.SH DESCRIPTION
-This is the configuration file for the NSS mapuser plugins.
+This is the configuration file for the NSS mapuser and mapuid plugins.
See the
.BR nss_mapuser (8)
-manpage for more general information on the plugin.
-This configuration file controls debug settings, the local account used
-for mapping users, and which usernames (accounts) and uids are skipped.
-.PP
+manpage for more general information on the plugins.
+.P
+This configuration file controls debug settings, the local accounts used for mapping
+users, and the list of usernames (accounts) and uids that are skipped (not looked up by
+this plugin).
.TP
.I debug=NUMBER
Output lookup debugging information via syslog(3).
.TP
.I exclude_users=user1,user2...
-Usernames (accounts) comma separate list. This is used by mapname NSS plugin getpwuid()
+Usernames (accounts) comma separate list. This is used by the NSS mapuser plugin getpwuid()
entry point. The account to be looked up is checked against this list. If a match is
found, an immediate NOTFOUND status is returned. This reduces overhead for the standard
local user accounts. The
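Review bot: The rewritten exclude_users line ("Usernames (accounts) comma separate list. This is used by the NSS mapuser plugin getpwuid() entry point") still names the uid-keyed entry point for a list of usernames; the commit message says name matches are done on the getpwnam path and uid matches on getpwuid, so this should either read getpwnam() or say how a uid lookup is compared against names. While the line is being touched, "comma separate list" should be "comma-separated list", and the DESCRIPTION now says "mapuser and mapuid plugins" but the .PP to .P change two lines later is a no-op in man(7); either is fine, but mixing them across the file is what the next hunks do.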
@@ -23,19 +24,48 @@ local user accounts. The
and
.I mapped_priv_user
fields from the
-configuration file are always skipped, as are any names starting with
+configuration file are always skipped, as are any names starting with
.BR tacacs[0-9] .
.TP
+.I min_uid=NUMBER
+UID's passed to the NSS mapuid plugin getpwuid() entry point that are below this value
+cause an immediate NOTFOUND status to be returned. This reduces
+overhead for the standard local user accounts.
+.BR NOTE :
+The value must be less than the uid of the mapped account names below.
+.TP
+.I mapped_priv_user=NAME
+This is the local account used as a template for privileged logins
+(the RADIUS VSA
+.BR shell:priv-lvl=15 )
+was returned by the server.
+This must be a local account (found in
+.IR /etc/passwd ).
+When a uid or name match is found, this account information is read from
+.I /etc/passwd
+and used as a template for the matching account. The default at installation is
+.BR radius_priv_user .
+.TP
.I mapped_user=NAME
-This is the local account which mapping uses as a template. It must be a local
-account (found in
+This is the local account used as a template for unprivileged logins
+(either no privilege attribute was returned by the server, or the privilege level is
+is in the range 0-14. This must be a local account (found in
.IR /etc/passwd ).
When a uid or name match is found, this account information is read from
.I /etc/passwd
-and used as a template for the matching account. The
+and used as a template for the matching account. The default at installation is
+.BR radius_user .
+.P
+For the
+.I map_user
+and
+.I map_priv_user
+accounts, the user information that is returned via the
+.BR getpwnam (3)
+group of account lookup routines has the
.B pw_name
field (user account name)
-is replaced with the original (login) name, and the original name is
+replaced with the original (login) name, and the original name is
inserted at the beginning of the
.B pw_gecos
field. The
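Review bot: The new paragraph that begins "For the" refers to .I map_user and .I map_priv_user, but the keys documented a few lines above are mapped_user and mapped_priv_user; a reader grepping the config for map_user finds nothing, so use the real key names. Two sentences in the new text also do not parse: the mapped_priv_user description closes its parenthesis before the verb ("(the RADIUS VSA .BR shell:priv-lvl=15 ) was returned by the server."), and the mapped_user description doubles a word and never closes its parenthesis ("the privilege level is is in the range 0-14. This must be"). Suggested wording: "used as a template for privileged logins (the RADIUS VSA shell:priv-lvl=15 was returned by the server)." and "or the privilege level is in the range 0-14)." Minor: "UID's" should be "UIDs", and the change to the "configuration file are always skipped" line is whitespace-only, which is fine but worth knowing when reading the diff.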
@@ -43,8 +73,12 @@ field. The
(home directory)
field replaces the last component of the directory path with the original login
name.
-.IP
-When changing this field to a different name than the default, be sure the account exists in
+.P
+When changing the
+.I map_user
+or
+.I map_priv_user
+fields to a different account than the default, be sure the account exists in
.IR /etc/passwd ,
and that the account was created as disabled or locked (does not have a legal password, so
the
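Review bot: Same key-name mismatch here: "When changing the .I map_user or .I map_priv_user fields" should name mapped_user and mapped_priv_user, the keys this file actually documents. The warning itself is the right one to keep, since the template account is what every RADIUS login inherits; if it is ever given a password, it becomes a shared local login.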
@@ -54,11 +88,22 @@ account can not be used for logins. When using
to create these accounts, use the
.B --disabled-login
argument to disable login for the account.
-.TP
-.I min_uid=NUMBER
-UID's passed to the mapuid NSS plugin getpwuid() entry point that are below this value
-cause an immediate NOTFOUND status to be returned. This reduces
-overhead for the standard local user accounts.
+.P
+At installation, the
+.I map_user
+user account
+.B radius_user
+is added to the
+.I netshow
+group so that the user can run NCLU
+.B net show
+commands. Similarly, the
+.I map_priv_user
+user account
+.B radius_priv_user
+is added to the
+.I netedit
+group so that the user can run NCLU configuration commands.
.SH "SEE ALSO"
.BR adduser (8),
.BR pam_radius_auth (8),
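Review bot: The new "At installation" paragraph documents only the netedit group for the privileged template, but the commit message says privileged RADIUS users are placed in the netedit and sudo groups at login; sudo membership is the security-relevant effect of shell:priv-lvl=15 and belongs in this man page, not only in the commit message. The paragraph also repeats the map_user / map_priv_user names where the keys are mapped_user and mapped_priv_user. Moving the min_uid entry up next to the other keys is fine; its removal here is a pure relocation.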