path: root/nss_mapuser.8
author    Dave Olson <olson@cumulusnetworks.com>  2018-04-02 11:01:09 -0700
committer Dave Olson <olson@cumulusnetworks.com>  2018-04-02 20:40:02 -0700
commit    1e5742369aedc8708d5dbe4411ffd5bf4b10537a (patch)
tree      2480dc22d6bd3e99084aa85e5679e06b71a33ea0 /nss_mapuser.8
parent    556625e62b692b723cc6809d2374c3da9616dc3d (diff)
download  libnss-mapuser-1e5742369aedc8708d5dbe4411ffd5bf4b10537a.tar.gz
          libnss-mapuser-1e5742369aedc8708d5dbe4411ffd5bf4b10537a.zip
Add VSA shell:priv-lvl support for privileged radius user logins
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests

Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point.

Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user.

Create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts.

A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login. A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines.

Also cleaned up some whitespace issues.

Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example).
Diffstat (limited to 'nss_mapuser.8')
-rw-r--r--  nss_mapuser.8  87
1 files changed, 69 insertions, 18 deletions
diff --git a/nss_mapuser.8 b/nss_mapuser.8
index 1b258c5..73e0275 100644
--- a/nss_mapuser.8
+++ b/nss_mapuser.8
@@ -1,5 +1,5 @@
.TH nss_mapuser 8
-.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved.
+.\" Copyright 2017, 2018 Cumulus Networks, Inc. All rights reserved.
.SH NAME
libnss_mapname.so.2 \- NSS mapuser plugin
.br
@@ -14,16 +14,50 @@ provide enough information to define a linux account (uid, gid, home directory).
The traditional method was to add all RADIUS users to the local
.I /etc/passwd
file, or to enable them via other means such as LDAP.
+.P
These plugins allow RADIUS users to login with no configuration other than the
initial setup of the RADIUS client, and these plugins.
-.PP
+.P
The plugins work by mapping user accounts to a named account in a configuration
file, and using the named account as a template for the requested account.
-.PP
-The named account (default is
-.I radius_user)
+.P
+The named accounts
must be present in
-.IR /etc/passwd .
+.IR /etc/passwd ,
+and the groups set up correctly in
+.IR /etc/group
+for these plugins to work correctly.
+.P
+The default accounts are
+.I radius_priv_user
+for privileged logins with
+the RADIUS VSA
+.BR shell:priv-lvl=15 )
+attribute, and
+.I radius_user
+for logins without that attribute, or with the privilege level 0-14.
+The accounts are created when the debian package is installed.
+.P
+The mapname plugin also supplies NSS functions for the group file, in
+order to map RADIUS logins into appropriate groups. For this to work,
+the two RADIUS accounts above are added to the
+.BR sudo ,
+.BR netshow ,
+and
+.B netedit
+groups during the installation of the debian packge. The privileged account
+is made a member of the
+.B sudo
+and
+.B netedit
+groups, while the unprivileged account is made a member of the
+.B netshow
+group. This can be verified after logging in by using the
+.IR id (1),
+or
+.IR groups (1)
+command to list the groups of which you are a member.
+.P
The
.B pw_name
field (user account name)
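Review bot: the VSA reference `.BR shell:priv-lvl=15 )` has a stray closing parenthesis with no matching open, so the rendered text reads "shell:priv-lvl=15 )"; either drop the ")" or render it as `.RB ( shell:priv-lvl=15 )` so the attribute appears fully parenthesized. In the same hunk, "debian packge" should read "Debian package". Since this paragraph is the one that ties the privileged template account to the `sudo` and `netedit` groups, it would also help operators to state plainly that group membership follows entirely from the RADIUS server's `shell:priv-lvl` attribute: a server that returns `shell:priv-lvl=15` for a user is granting that user sudo on the box, with no local per-user configuration involved.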
@@ -67,19 +101,31 @@ file with the same UID.
There are two separate plugins,
.B libnss_mapname
for user account names
-.RI ( getpwnam() (3)),
+.RI ( getpwnam() (3)
+and
+.RI ( getpwnam_r() (3)),
+as well as
+.RI ( getgrnam() (3),
+.RI ( getpgram_r() (3)),
+and
+.RI ( getpgrent() (3)),
and
.B libnss_mapuid
for uid
-.RI ( getpwuid() (3)),
-Two separate plugins are required.
-.PP
+.RI ( getpwuid() (3)
+and
+.RI ( getpwuid_r() (3)).
+.P
+Two separate plugins are required due to ordering requirements in
+.IR /etc/nsswitch.conf .
+.P
The name lookup
.B mapuser
must be the last method used (last plugin on the
.B passwd
database), because it will always produce a successful lookup on
-any user account name, unless there are configuration or other errors.
+any user account name, unless the name has has been excluded, or if
+there are configuration or other errors.
.PP
The uid lookup
.B mapuid
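Review bot: two of the group function names in the libnss_mapname list are wrong: `.RI ( getpgram_r() (3)),` should name getgrnam_r(3) and `.RI ( getpgrent() (3)),` should name getgrent(3); there are no getpgram_r or getpgrent functions, and getgrgid(3), which the commit message says was added in this change, is not listed for either plugin. The parenthesization in both lists is also unbalanced: `.RI ( getpwnam() (3)` and `.RI ( getgrnam() (3),` each open a parenthesis that is never closed, and `.RI ( getpwuid() (3)` does the same for libnss_mapuid. Suggest one flat list per plugin, e.g. "getpwnam(3), getpwnam_r(3), getgrnam(3), getgrnam_r(3), getgrgid(3) and getgrent(3)" for libnss_mapname and "getpwuid(3) and getpwuid_r(3)" for libnss_mapuid, placing getgrgid under whichever plugin actually provides it. Finally, "unless the name has has been excluded" doubles "has".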
@@ -87,24 +133,29 @@ must be the first method used (first plugin on the
.B passwd
database), because the uid will always match a local account from
.IR /etc/passwd ,
-any user account name, unless there are configuration or other errors.
+any user account name, unless limited by the minimum uid configuration, or
+if there are configuration or other errors.
.PP
-The flat file database is created using the
-.B pam_script
-plugin. In addition to creating and deleting files at session start and
-end, the open script will also create the home directory using
-.IR mkhomedir_helper .
+The flat file database used by these plugins is created and removed by the
+.B pam_radius_auth
+plugin from the libpam-radius-auth package.
+In addition to creating and deleting files at session start and end, the
+.B pam_radius_auth
+plugin will also create the home directory using the
+.I mkhomedir_helper
+program.
.SH "SEE ALSO"
.BR adduser (8),
.BR mkhomedir_helper (8),
.BR pam_radius_auth (8),
-.BR pam_script (8),
.BR nss_mapuser (5),
.BR nsswitch.conf (5),
.BR getpwuid (3),
.BR getpwnam (3),
.BR getent (1).
.SH FILES
+.I /etc/nsswitch.conf
+- configuration file for NSS plugins. It is modified at package installation
.I /etc/nss_mapuser.conf
- mapuser NSS plugin configuration parameters.
.br
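Review bot: the rewritten mapuid sentence is still ungrammatical: "because the uid will always match a local account from /etc/passwd, any user account name, unless limited by the minimum uid configuration" carries over the fragment "any user account name," from the mapuser paragraph above it, where it does not belong. Suggest "because the uid will always match a local account from /etc/passwd, unless it is below the configured minimum uid or there are configuration or other errors." In the pam_radius_auth paragraph it is worth saying when in the session the flat file database must exist, since the commit message notes the mapping file has to be written early enough for the pam interfaces to see it; readers configuring the PAM stack need that ordering constraint. The SEE ALSO list was not updated to add getgrnam(3) and getgrent(3) even though the page now documents them, and the new `/etc/nsswitch.conf` FILES entry is missing its trailing period.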