| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
Conflicts:
debian/changelog
debian/libnss-mapuser.postinst
map_common.c
nss_mapuser.5
nss_mapuser.conf
|
|
Ticket: CM-19457
Reviewed By: nobody
Testing Done: lots of logins, and login combinations
Validate that the mapuser database files are valid by using kill 0 on
the pids. If not valid, try to unlink, and if we do, report it as a
DEBUG. If we can't unlink (not root) report that we are skipping at INFO.
As part of that, don't count valid fields and read entire file.
Document in man page and config file that the mapped_priv_user account
is known to libpam-radius-auth as well, and must be updated in both
places if it changes.
Updated the public symbols (the getgr additions) from previous commit
Fixed some white space and line length issues.
|
|
Needed to add sed code to remove mapname from nsswitch.conf group
search line, similar to passwd line. Somehow forgot that when I
added the code to add it in postinst
I also somehow forgot to checkin the adduser line to add the
radius_priv_user to the sudo group, so fixed that too.
|
|
|
|
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests
Now we always read the map files. If session is set, we try that
file first, so that a user always sees their name, same as tacplus.
If that's the wrong file, read through all of the map files, look
for the correct match based on either name+session or auid+session,
depending on getpwnam or getpwuid entry point
Ignore same set of users as tacacs, including new radius_priv_user
account for the privileged RADIUS user.
create and delete the mapuser files from libpam-radius-auth now;
we need to have the mapping file written early enough for the pam
interfaces to get the correct info.
Using the pam_script is too limiting, and since we are creating the
database in libpam-radius-auth now, we'll delete it there as well
to keep things symmetric, so delete the script and the references to
the scripts
A significant part of this effort was adding getgrent, getgrgid, and
getgrnam support, so that the radius users are put into the netshow
(unprivileged) and netedit and sudo (privileged) groups at login.
A lot of restructuring went in as part of that, and cleaned up some
longstanding bugs, including return values for the getpw* routines.
Also cleaned up some whitespace issues.
Also renamed some globals (debug, min_uid, init_common()) that might
collide with other programs, so that when I build unstripped and
normal visibility shared libs, they won't collide with programs
calling the functions (saw this with "debug" and bgpd, for example).
|
|
There were no code changes, just the indent whitespace and formatting
changes.
|
|
Ticket: CM-19886
Reviewed By: nobody
Testing Done:
Somehow exclude_users wasn't implemented (or got deleted somewhere
along the line).
Make list match tacplus_client, except exclude our own mapped users
by matching config items, and also skip any user starting with
tacacs[0-9] inline instead of listing all 16 in exclude_users field
in config file.
Implemened for mapped_priv_user too, since that work is ongoing.
Listed change in debian/changelog
If debug is set to 2 or higher, print that the name lookup was skipped
due to exclusion.
|
|
Needed to add sed code to remove mapname from nsswitch.conf group
search line, similar to passwd line. Somehow forgot that when I
added the code to add it in postinst
I also somehow forgot to checkin the adduser line to add the
radius_priv_user to the sudo group, so fixed that too.
|
|
|
|
Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests
Now we always read the map files. If session is set, we try that
file first, so that a user always sees their name, same as tacplus.
If that's the wrong file, read through all of the map files, look
for the correct match based on either name+session or auid+session,
depending on getpwnam or getpwuid entry point
Ignore same set of users as tacacs, including new radius_priv_user
account for the privileged RADIUS user.
create and delete the mapuser files from libpam-radius-auth now;
we need to have the mapping file written early enough for the pam
interfaces to get the correct info.
Using the pam_script is too limiting, and since we are creating the
database in libpam-radius-auth now, we'll delete it there as well
to keep things symmetric, so delete the script and the references to
the scripts
A significant part of this effort was adding getgrent, getgrgid, and
getgrnam support, so that the radius users are put into the netshow
(unprivileged) and netedit and sudo (privileged) groups at login.
A lot of restructuring went in as part of that, and cleaned up some
longstanding bugs, including return values for the getpw* routines.
Also cleaned up some whitespace issues.
Also renamed some globals (debug, min_uid, init_common()) that might
collide with other programs, so that when I build unstripped and
normal visibility shared libs, they won't collide with programs
calling the functions (saw this with "debug" and bgpd, for example).
|
|
There were no code changes, just the indent whitespace and formatting
changes.
|
|
Ticket: CM-19886
Reviewed By: nobody
Testing Done:
Somehow exclude_users wasn't implemented (or got deleted somewhere
along the line).
Make list match tacplus_client, except exclude our own mapped users
by matching config items, and also skip any user starting with
tacacs[0-9] inline instead of listing all 16 in exclude_users field
in config file.
Implemened for mapped_priv_user too, since that work is ongoing.
Listed change in debian/changelog
If debug is set to 2 or higher, print that the name lookup was skipped
due to exclusion.
|
|
|
|
Ticket: CM-19469
Reviewed By: nobody
Testing Done: ran with change.
Similar to the change for tacacs, but this already had snmp.
Added quagga as well, for users that haven't completed the
transition from quagga to frr.
Bumped changelog and documented
|
|
Ticket: CM-19469
Reviewed By: nobody
Testing Done: ran with change.
Similar to the change for tacacs, but this already had snmp.
Added quagga as well, for users that haven't completed the
transition from quagga to frr.
|
|
Ticket: CM-17450
Reviewed By: olson
Testing Done: ran programs with change
The useradd family will not work correctly with the mapuser/mapuid
functionality, and useradd provides no method to force creating
a user that already exists.
So check which program invoked us, using __progname (getprogname() could
also be used for non-glibc use), and return NOTFOUND immediately in that
case.
This is a major hack, but it's simple, and avoids a significant issue.
Unfortunately, the RADIUS protocol gives us no way to determine that
an account name is valid without also authenticating, and libnss plugins
do not have the ability to authenticate.
|
|
Ticket: CM-17450
Reviewed By: olson
Testing Done: ran programs with change
The useradd family will not work correctly with the mapuser/mapuid
functionality, and useradd provides no method to force creating
a user that already exists.
So check which program invoked us, using __progname (getprogname() could
also be used for non-glibc use), and return NOTFOUND immediately in that
case.
This is a major hack, but it's simple, and avoids a significant issue.
Unfortunately, the RADIUS protocol gives us no way to determine that
an account name is valid without also authenticating, and libnss plugins
do not have the ability to authenticate.
|
|
|
|
Ticket: CM-16909
Reviewed By: nobody
Testing Done: installed, upgraded, removed
We weren't removing the mapuser plugins in nsswitch.conf on package remove,
now we do.
Also cleaned up a bit and use \s instead of [ \t] for whitespace.
|
|
We need to remove the mapping file for the session when it is closing
and the close script is called via pam_script, but not remove it when
the close is called from ending an sudo session, etc.
Check which processes are in the current session, and if any of them
are not one of sshd, sudo, login, su, or telnetd, then don't do the
cleanup (normally it will be a shell).
Cleanup won't happen if the user leaves jobs running when they logout
(e.g., via setsid), but that's fairly benign. Even with very long
system uptimes, these are small files, and will not be a significant
issue. At some future point, we might add garbage collection for
any session files found in the dbdir.
|
|
|
|
|
|
|
|
The flat file was overwritten on su, sudo, etc. Fixed that.
The flat file was removed on exit from su, sudo, etc. I've
temporarily worked around that by not cleaning up. Need to do
a better job, but this will let testing continue.
|
|
Fixed trailing whitespace
Also fixed man page formatting issue
Added misc to debian/control
changelog modified to cumulus cl3u1
|
|
|
|
See README for details
|
