diff options
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | map_common.c | 9 | ||||
| -rw-r--r-- | map_common.h | 1 | ||||
| -rw-r--r-- | nss_mapname.c | 39 | ||||
| -rw-r--r-- | nss_mapuser.5 | 8 | ||||
| -rw-r--r-- | nss_mapuser.conf | 5 | 
6 files changed, 67 insertions, 2 deletions
| diff --git a/debian/changelog b/debian/changelog index 7b60a63..f93e11d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libnss-mapuser (1.0.0-cl3u3) RELEASED; urgency=low + +  * Closes CM-19866 - Fixed exclude_users not skipped, and added +    more system accounts to exclude_users: www-data,man, tacacs[0-9]*. + + -- dev-support <dev-support@cumulusnetworks.com>  Mon, 26 Feb 2018 09:51:44 -0800 +  libnss-mapuser (1.0.0-cl3u2) RELEASED; urgency=low    * Added more system accounts to exclude_users: daemon, quagga, diff --git a/map_common.c b/map_common.c index 1c3bfa9..f7ee038 100644 --- a/map_common.c +++ b/map_common.c @@ -35,6 +35,7 @@ static const char config_file[] = "/etc/nss_mapuser.conf";   * in build, so local to the shared lib. */  char *exclude_users; /*  don't lookup these users */  char *mappeduser; +char *mapped_priv_user;  uid_t min_uid = DEF_MIN_UID;  int debug; @@ -54,6 +55,10 @@ reset_config(void)          (void)free(mappeduser);          mappeduser = NULL;      } +    if(mapped_priv_user) { +        (void)free(mapped_priv_user); +        mapped_priv_user = NULL; +    }      debug = 0;      min_uid = DEF_MIN_UID;  } @@ -117,6 +122,10 @@ nss_mapuser_config(int *errnop, const char *lname)              /*  the user we are mapping to */              mappeduser = strdup(lbuf+12);          } +        else if(!strncmp(lbuf, "mapped_priv_user=", 17)) { +            /*  the user we are mapping to */ +            mapped_priv_user = strdup(lbuf+17); +        }          else if(!strncmp(lbuf, "min_uid=", 8)) {              /*               * Don't lookup uids that are local, typically set to either diff --git a/map_common.h b/map_common.h index b4213a5..ff136d3 100644 --- a/map_common.h +++ b/map_common.h @@ -50,6 +50,7 @@ struct pwbuf {  /* configuration variables. */  extern char *exclude_users;  extern char *mappeduser; +extern char *mapped_priv_user;  extern uid_t min_uid;  extern int debug; diff --git a/nss_mapname.c b/nss_mapname.c index 9132f6e..f795cf5 100644 --- a/nss_mapname.c +++ b/nss_mapname.c @@ -37,6 +37,7 @@  #include "map_common.h" +#include <stdbool.h>  static const char *nssname = "nss_mapuser"; /* for syslogs */ @@ -62,6 +63,7 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw,  {      enum nss_status status = NSS_STATUS_NOTFOUND;      struct pwbuf pbuf; +    bool islocal = 0;      /*       * the useradd family will not add/mod/del users correctly with @@ -78,6 +80,43 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw,           return status;      } +    /* +     * Ignore any name starting with tacacs[0-9] in case a +     * tacplus client is installed.  Cleaner than listing +     * all 16 in the exclude_users list or implementing +     * some form of wildcard.  Also ignore our own mappeduser +     * and mapped_priv_user names if set. +     */ +    if ((mappeduser && !strcmp(mappeduser, name)) || +        (mapped_priv_user && !strcmp(mapped_priv_user, name))) +        islocal = 1; +    else if (!strncmp("tacacs", name, 6) && isdigit(name[6])) +        islocal = 1; +    else if (exclude_users) { +        char *user, *list; +        list = strdup(exclude_users); +        if (list) { +            static const char *delim = ", \t\n"; +            user = strtok(list, delim); +            list = NULL; +            while (user) { +                if(!strcmp(user, name)) { +                    islocal = 1; +                    break; +                } +                user = strtok(NULL, delim); +            } +            free(list); +        } +    } +    if (islocal) { +        if(debug > 1) +            syslog(LOG_DEBUG, "%s: skipped excluded user: %s", nssname, +                name); +        return 2; +    } + +      /* marshal the args for the lower level functions */      pbuf.name = (char *)name;      pbuf.pw = pw; diff --git a/nss_mapuser.5 b/nss_mapuser.5 index 2bbabad..3e17aec 100644 --- a/nss_mapuser.5 +++ b/nss_mapuser.5 @@ -18,7 +18,13 @@ Output lookup debugging information via syslog(3).  Usernames (accounts) comma separate list.  This is used by mapname NSS plugin getpwuid()  entry point.  The account to be looked up is checked against this list.   If a match is  found, an immediate NOTFOUND status is returned.  This reduces overhead for the standard -local user accounts. +local user accounts.  The +.I mapped_user +and +.I mapped_priv_user +fields from the +configuration file are always skipped, as are any names starting with  +.BR tacacs[0-9] .  .TP  .I mapped_user=NAME  This is the local account which mapping uses as a template.   It must be a local diff --git a/nss_mapuser.conf b/nss_mapuser.conf index 5adf5e8..2685ac0 100644 --- a/nss_mapuser.conf +++ b/nss_mapuser.conf @@ -27,7 +27,10 @@ min_uid=1001  # that during pathname completion, bash can do an NSS lookup on "*"  # To avoid server round trip delays, or worse, unreachable server delays  # on filename completion, we include "*" in the exclusion list. -exclude_users=root,daemon,cron,cumulus,quagga,frr,man,ntp,radius_user,sshd,snmp,nobody,* +# User names starting with "tacacs[0-9]" are also ignored, in case the +# tacplus client packages are installed.  User names matching  +# the mapped_user and mapped_priv_user configuration fields are also ignored. +exclude_users=root,daemon,nobody,cron,sshd,cumulus,quagga,frr,snmp,www-data,ntp,man,*  # Map all usernames to the radius_user account (use the uid, gid, shell, and  # base of the home directory from the cumulus entry in /etc/passwd). | 
