5 files changed, 14 insertions, 14 deletions

diff --git a/debian/changelog b/debian/changelog
index f93e11d..50032b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ libnss-mapuser (1.0.0-cl3u3) RELEASED; urgency=low
 
   * Closes CM-19866 - Fixed exclude_users not skipped, and added
     more system accounts to exclude_users: www-data,man, tacacs[0-9]*.
+  * New Enabled - When Vendor Specific Option containing shell:priv-lvl
+    is present, and the value is 15, map to user radius_priv_user, and
+    give that user account more privileges, similar to tacplus client
+    privilege 15.
 
  -- dev-support <dev-support@cumulusnetworks.com>  Mon, 26 Feb 2018 09:51:44 -0800
 
diff --git a/debian/control b/debian/control
index c383d86..d0ad69d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,14 +1,14 @@
 Source: libnss-mapuser
 Priority: optional
 Maintainer: dev-support <dev-support@cumulusnetworks.com>
-Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), git
+Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), libaudit-dev, git
 Section: libs
 Standards-Version: 3.9.6
 Homepage: http://www.cumulusnetworks.com
 
 Package: libnss-mapuser
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, adduser
+Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, adduser
 Description: NSS modules to map any requested username to a local account
  Performs getpwname and getpwuid lookups via NSS for systems like RADIUS
  where it is not possible to do a username lookup without authentication
diff --git a/debian/libnss-mapuser.postinst b/debian/libnss-mapuser.postinst
index 2e9b04f..ee6a70d 100644
--- a/debian/libnss-mapuser.postinst
+++ b/debian/libnss-mapuser.postinst
@@ -19,11 +19,19 @@ case "$1" in
 				-e '/^passwd:/s/\s\s*/&mapuid /' \
 				-e '/^passwd:.*#/s/#.*/ mapname &/' \
 				-e '/^passwd:[^#]*$/s/$/ mapname &/' \
+				-e '/^group:.*#/s/#.*/ mapname &/' \
+				-e '/^group:[^#]*$/s/: */& mapname /' \
 				/etc/nsswitch.conf
 		fi
 		addgroup --quiet $rgroup 2>&1 | grep -v 'already exists'
 		adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
 		    --gecos "radius user" radius_user 2>&1 | grep -v 'already exists'
+		adduser --quiet --firstuid 1000 --disabled-login --ingroup $rgroup \
+		    --gecos "radius privileged user" radius_priv_user 2>&1 | grep -v 'already exists'
+		# regular radius logins can run net show commands
+		adduser --quiet radius_user netshow
+		# privileged radius logins can run net config commands, as well as show
+		adduser --quiet radius_priv_user netedit
 		exit 0
 		)
     ;;
diff --git a/debian/mapuser b/debian/mapuser
deleted file mode 100644
index 69d2137..0000000
--- a/debian/mapuser
+++ /dev/null
@@ -1,6 +0,0 @@
-Name: libnss-mapuser uses this to maintain the session uid => user mapping
-Default: yes
-Priority: 257
-Session-Type: Additional
-Session:
-	optional pam_script.so dir=/usr/share/mapuser
diff --git a/debian/rules b/debian/rules
index ed7dbc0..cb1f417 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,9 +16,3 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 # No configuration needed
 override_dh_auto_configure:
 
-override_dh_install:
-	dh_installdirs /usr/share/pam-configs /usr/share/mapuser
-	install -p -m 755 pam_script_ses* debian/libnss-mapuser/usr/share/mapuser
-	install -p -m 444 debian/mapuser \
-			debian/libnss-mapuser/usr/share/pam-configs/
-	dh_install