author | Dave Olson <olson@cumulusnetworks.com> | 2018-04-12 23:57:55 -0700 |
---|---|---|
committer | Dave Olson <olson@cumulusnetworks.com> | 2018-04-13 15:04:03 -0700 |
commit | acc77c4757775bb7689ba769465951a65523db75 (patch) | |
tree | ac797a2985f5c472f83f42b13acb3499553f5a15 /debian | |
parent | a0d0d2fb1b321d65425951fc70f5c42c2dcfda41 (diff) | |
download | libpam-radius-auth-acc77c4757775bb7689ba769465951a65523db75.tar.gz libpam-radius-auth-acc77c4757775bb7689ba769465951a65523db75.zip |
Add a new package radius-shell with a setcap radius_shell front end
Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously
Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid. But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fixup the uid before running /bin/bash.
To set the auid correctly, we need to know the privileged radius user
account. Added mapped_priv_user to the configuration file to handle
that. mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.
The radius shell is in a new package, since it has binaries. The new
package is radius-shell. In its post actions, it changes the radius
users' shell to radius_shell if they are present, and back to /bin/bash
on package removal. It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid.
Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.
Also fixed another issue with reparsing a changed config file: it has to
handle the case where servers were defined, but aren't any longer.
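The uid-fixup front end the commit message describes, written out as an added illustration (this is not the project's radius_shell source, which lies outside this debian/ diff). It assumes /proc/self/loginuid as the source of the audit uid, /bin/bash as the real shell, the "set, greater than 1000, and not already matching" rule quoted in the package description, and that the binary carries cap_setuid+ep as the postinst grants it:

```c
/* Added illustration of the radius_shell idea from the commit message: read
 * the audit loginuid, switch to it when the rule in the package description
 * holds, then exec the real shell. Not the project's code; assumptions are
 * /proc/self/loginuid, /bin/bash and cap_setuid+ep on this binary. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define LOGINUID_PATH "/proc/self/loginuid"
#define REAL_SHELL    "/bin/bash"

/* Parse the text form of /proc/self/loginuid ("4294967295" when unset).
 * Returns 0 and stores the value on success, -1 on malformed input. */
int parse_loginuid(const char *text, uid_t *auid_out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0' || v > 0xFFFFFFFFUL)
        return -1;
    *auid_out = (uid_t)v;
    return 0;
}

/* The decision rule from the package description: the auid must be set
 * (not -1), greater than 1000, and different from the uid we already have. */
int needs_uid_fixup(uid_t auid, uid_t current_uid)
{
    if (auid == (uid_t)-1)
        return 0;
    if (auid <= 1000)
        return 0;
    if (auid == current_uid)
        return 0;
    return 1;
}

/* Read and parse the caller's loginuid; -1 if unavailable or malformed. */
static int read_loginuid(uid_t *auid_out)
{
    char buf[32];
    FILE *f = fopen(LOGINUID_PATH, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return ok ? parse_loginuid(buf, auid_out) : -1;
}

int main(int argc, char **argv)
{
    uid_t auid;

    if (read_loginuid(&auid) == 0 && needs_uid_fixup(auid, getuid())) {
        /* cap_setuid+ep lets a non-root caller change all three uids at once.
         * The capability itself is not inherited across the execv below,
         * because /bin/bash carries no file capabilities. */
        if (setresuid(auid, auid, auid) != 0) {
            perror("radius_shell: setresuid");
            return 1;
        }
    }

    /* Re-exec the real shell with the same arguments; keep the leading '-'
     * on argv[0] so bash still treats a login session as a login shell. */
    char **shell_argv = calloc((size_t)argc + 1, sizeof *shell_argv);
    if (shell_argv == NULL) {
        perror("radius_shell: calloc");
        return 1;
    }
    shell_argv[0] = (argc > 0 && argv[0][0] == '-') ? "-bash" : "bash";
    for (int i = 1; i < argc; i++)
        shell_argv[i] = argv[i];
    execv(REAL_SHELL, shell_argv);
    perror("radius_shell: execv");
    return 1;
}
```

The checks are deliberately strict in the direction of doing nothing: an unset loginuid (the 4294967295 sentinel), a malformed /proc entry, or an auid at or below 1000 all leave the uid untouched and simply hand over to bash, so a misconfigured audit subsystem degrades to the plain unprivileged login rather than to a wrong identity.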
Diffstat (limited to 'debian')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | debian/control | 13 |
| -rw-r--r-- | debian/radius-shell.install | 1 |
| -rw-r--r-- | debian/radius-shell.manpages | 1 |
| -rw-r--r-- | debian/radius-shell.postinst | 29 |
| -rw-r--r-- | debian/radius-shell.postrm | 23 |
| -rwxr-xr-x | debian/rules | 4 |

6 files changed, 68 insertions, 3 deletions
diff --git a/debian/control b/debian/control index b70c948..b8022db 100644 --- a/debian/control +++ b/debian/control @@ -3,13 +3,22 @@ Maintainer: dev-support <dev-support@cumulusnetworks.com> Section: libs Priority: extra Standards-Version: 3.9.6 -Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev +Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev, libcap-dev Package: libpam-radius-auth Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1 +Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, radius-shell Description: PAM RADIUS client authentication module This is the PAM to RADIUS authentication module. It allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. You will, however, need to supply your own RADIUS server to perform the actual authentication + +Package: radius-shell +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, libcap2-bin, libcap2, libnss-mapuser +Description: Shell front-end used for radius users. + This provides a uid fixup program. Due to the limitations of the + RADIUS protocol, we can't tell whether a user is privileged until + after authentication. This packages provides a shell front-end that + sets the uid to the auid, if set and > 1000, and not already matching. diff --git a/debian/radius-shell.install b/debian/radius-shell.install new file mode 100644 index 0000000..7671d36 --- /dev/null +++ b/debian/radius-shell.install @@ -0,0 +1 @@ +radius_shell sbin diff --git a/debian/radius-shell.manpages b/debian/radius-shell.manpages new file mode 100644 index 0000000..bb1a970 --- /dev/null +++ b/debian/radius-shell.manpages @@ -0,0 +1 @@ +radius_shell.8 diff --git a/debian/radius-shell.postinst b/debian/radius-shell.postinst new file mode 100644 index 0000000..55ebd22 --- /dev/null +++ b/debian/radius-shell.postinst 
@@ -0,0 +1,29 @@ +#! /bin/sh + +set -e + +# we depend on libnss-mapuser, so that the radius group will have been +# created before this script runs. + +case "$1" in + configure) + radshell=/sbin/radius_shell + chmod 750 $radshell + chgrp radius_users $radshell + setcap cap_setuid+ep $radshell + # The users will have been created by the libnss-mapuser package + # and possibly by an older version, so change the shells here. + # This also prevents a loop in package install ordering dependencies + for usr in radius_user radius_priv_user; do + uent="$(getent -s compat passwd $usr 2>/dev/null)" || true + [ -z "$uent" ] && continue + case "$uent" in + *${radshell}*) ;; + *) chsh -s $radshell $usr ;; + esac + done + ;; +esac + +#DEBHELPER# + diff --git a/debian/radius-shell.postrm b/debian/radius-shell.postrm new file mode 100644 index 0000000..89ae97f --- /dev/null +++ b/debian/radius-shell.postrm @@ -0,0 +1,23 @@ +#! /bin/sh + +set -e + +# we depend on libnss-mapuser, so that the radius group will have been +# created before this script runs. + +case "$1" in + remove|purge) + # fixup the shell for the users we may have modified on installation, + # if still present, and using our shell + for usr in radius_user radius_priv_user; do + uent="$(getent -s compat passwd $usr 2>/dev/null)" || true + [ -z "$uent" ] && continue + case "$uent" in + *${radshell}*) chsh -s /bin/bash $usr ;; + esac + done + ;; +esac + +#DEBHELPER# + diff --git a/debian/rules b/debian/rules index 52172f8..3039568 100755 --- a/debian/rules +++ b/debian/rules @@ -21,8 +21,10 @@ export CFLAGS # all the installing is here, not in Makefile. # The configuration file with the share secrets needs to be 600 override_dh_install: - dh_install -v --sourcedir=. + dh_install -v --sourcedir=. --package=libpam-radius-auth + dh_install -v --sourcedir=. --package=radius-shell chmod 600 debian/*/${PAM_CONF_FILE} + chmod 750 debian/*/sbin/radius_shell override_dh_fixperms: dh_fixperms --exclude ${PAM_CONF_FILE} |
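Review bot: in the debian/control hunk, the radius-shell long description has a typo: `This packages provides a shell front-end that` should read `This package provides a shell front-end that`. The synopsis line `Shell front-end used for radius users.` also ends with a full stop, which Debian synopsis lines conventionally omit; `Shell front-end used for radius users` is enough.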
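Review bot: in the debian/radius-shell.postinst hunk, `chsh -s $radshell $usr` assigns a login shell that is not listed in /etc/shells; chsh run as root only warns, but services that validate an account's shell against /etc/shells will treat these users as disabled. Consider `add-shell /sbin/radius_shell` (from debianutils) in the configure branch, with a matching `remove-shell` in postrm. The order `chmod 750`, `chgrp radius_users`, `setcap cap_setuid+ep` should stay as written: changing the owner or group of a file clears its security.capability attribute, so setcap must come last.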
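Review bot: in the debian/radius-shell.postrm hunk, `$radshell` is never assigned, so the pattern `*${radshell}*)` expands to `**)` and matches every non-empty passwd entry; both users are reset to /bin/bash regardless of their current shell, contradicting the comment "if still present, and using our shell". Add `radshell=/sbin/radius_shell` before the loop, as postinst does. The leading comment about libnss-mapuser creating the radius group is copied from postinst and does not apply here, since nothing in this script touches the group.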
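Review bot: in the debian/rules hunk, the added `chmod 750 debian/*/sbin/radius_shell` in override_dh_install is very likely undone by dh_fixperms, which runs after dh_install and here excludes only ${PAM_CONF_FILE}, resetting executables under sbin/ to 0755. Either extend the override to `dh_fixperms --exclude ${PAM_CONF_FILE} --exclude sbin/radius_shell`, or drop this chmod and rely on the `chmod 750 $radshell` that postinst already performs.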