summaryrefslogtreecommitdiff
path: root/pam_script_ses_close
diff options
context:
space:
mode:
authorDave Olson <olson@cumulusnetworks.com>2018-04-02 11:01:09 -0700
committerDave Olson <olson@cumulusnetworks.com>2018-04-10 12:33:12 -0700
commit5630f132b8898fa1ec3236a0ad796755127881c9 (patch)
tree2480dc22d6bd3e99084aa85e5679e06b71a33ea0 /pam_script_ses_close
parent7f2e226bde6e6cd5cc7b29f7385a8c14a9b8b66f (diff)
downloadlibnss-mapuser-5630f132b8898fa1ec3236a0ad796755127881c9.tar.gz
libnss-mapuser-5630f132b8898fa1ec3236a0ad796755127881c9.zip
Add VSA shell:priv-lvl support for privileged radius user logins
Ticket: CM-19457 Reviewed By: roopa Testing Done: lots of variations of login, su, sudo, automated radius tests Now we always read the map files. If session is set, we try that file first, so that a user always sees their name, same as tacplus. If that's the wrong file, read through all of the map files, look for the correct match based on either name+session or auid+session, depending on getpwnam or getpwuid entry point Ignore same set of users as tacacs, including new radius_priv_user account for the privileged RADIUS user. create and delete the mapuser files from libpam-radius-auth now; we need to have the mapping file written early enough for the pam interfaces to get the correct info. Using the pam_script is too limiting, and since we are creating the database in libpam-radius-auth now, we'll delete it there as well to keep things symmetric, so delete the script and the references to the scripts A significant part of this effort was adding getgrent, getgrgid, and getgrnam support, so that the radius users are put into the netshow (unprivileged) and netedit and sudo (privileged) groups at login. A lot of restructuring went in as part of that, and cleaned up some longstanding bugs, including return values for the getpw* routines. Also cleaned up some whitespace issues. Also renamed some globals (debug, min_uid, init_common()) that might collide with other programs, so that when I build unstripped and normal visibility shared libs, they won't collide with programs calling the functions (saw this with "debug" and bgpd, for example).
Diffstat (limited to 'pam_script_ses_close')
-rwxr-xr-xpam_script_ses_close85
1 files changed, 0 insertions, 85 deletions
diff --git a/pam_script_ses_close b/pam_script_ses_close
deleted file mode 100755
index 8340543..0000000
--- a/pam_script_ses_close
+++ /dev/null
@@ -1,85 +0,0 @@
-#! /bin/bash
-# Copyright 2017 Cumulus Networks, Inc. All rights reserved
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-# This script is invoked via pam_script.so for session close, to
-# clean up the mapping setup on session open. The info is used
-# in the libnss_mapuser getpwuid() entry point.
-
-# auid is currently unused, but must match the uid of the mapped_user
-# in the libnss_mapuser database for this to be valid
-
-# For this to work, pam_loginuid.so must be used, so both the
-# loginuid and the sessionid are unique values > 0
-
-dbdir=/run/mapuser
-mkdir -p $dbdir
-
-read sess < /proc/$$/sessionid
-read auid < /proc/$$/loginuid
-
-# never map root user, or when loginuid isn't set, or when
-# we aren't doing mapping (env variable not set)
-if [ "$auid" -eq 0 ]; then exit 0; fi
-
-# for debugging, if needed
-#DEBUG logger -t mapuser $0 user=$PAM_USER pid=$$ session="$sess" auid="$auid"
-
-if [ "$sess" -le 0 ] ; then
- logger -t $0 sessionid not set, no mapuser cleanup for \
- PID $$ user $PAM_USER
- exit 0 # never trigger an error
-fi
-
-file=$dbdir/$sess
-if [ -e $file ]; then
- IFS='=
-' read tag fauid <<< $(grep '^auid=' $file)
- IFS='=
-' read tag fsess <<< $(grep '^session=' $file)
- # If info doesn't match, report it, and don't clean up
- if [ "$auid" != "$fauid" -o "$sess" != "$fsess" ]; then
- logger -t $0 "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
- else
- uid=$(id -u)
- if [ "$uid" -ne 0 ]; then # shouldn't happen from pam_script
- logger -t $0 called with UID=$uid, no cleanup
- exit 0
- fi
- pids=( $(egrep -w $fsess /proc/[1-9]*/sessionid | \
- sed -e 's,/proc/,,' -e 's,/.*,,') )
- clean=1
- for pid in ${pids[*]}; do
- [ $pid -eq $$ ] && continue # skip ourselve
- read cmd 2>/dev/null < /proc/$pid/comm # ignore exited egrep, sed
- [ -z "$cmd" ] && continue # pid exited
- msg="$msg PID $pid comm=$cmd"
- case "$cmd" in
- sshd|sudo|login|su|telnetd) ;;
- *) clean=0 ; cleancmd="$cmd" ;;
- esac
- done
- #DEBUG logger -t $0 sess=$fsess clean=$clean cmd=$cleancmd has $msg active
- [ $clean -eq 1 ] && {
- #DEBUG logger -t $0 cleanup session $fsess
- rm -f $file
- }
- fi
-fi
-
-# always succeed, this should not cause sessions shutdown errors
-exit 0