Add a new package radius-shell with a setcap radius_shell front end

Ticket: CM-19457
Reviewed By: nobody
Testing Done:  multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid.  But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fixup the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user
account.  Added mapped_priv_user to the configuration file to handle
that.  mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new
package is radius-shell.  In it's post actions, it changes the radius
users shell to radius_shell if they are present, and back to /bin/bash
on package removal.   It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid

Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.

Also fixed another issue with reparsing changed config file, have to
handle case where there were servers defined, but aren't any longer.

1 files changed, 3 insertions, 1 deletions

diff --git a/debian/rules b/debian/rules
index 52172f8..3039568 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,8 +21,10 @@ export CFLAGS
 # all the installing is here, not in Makefile.
 # The configuration file with the share secrets needs to be 600
 override_dh_install:
-	dh_install -v --sourcedir=.
+	dh_install -v --sourcedir=. --package=libpam-radius-auth
+	dh_install -v --sourcedir=.  --package=radius-shell
 	chmod 600 debian/*/${PAM_CONF_FILE}
+	chmod 750 debian/*/sbin/radius_shell
 
 override_dh_fixperms:
 	dh_fixperms --exclude ${PAM_CONF_FILE}