Add a new package radius-shell with a setcap radius_shell front end

Ticket: CM-19457
Reviewed By: nobody
Testing Done:  multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid.  But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fixup the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user
account.  Added mapped_priv_user to the configuration file to handle
that.  mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new
package is radius-shell.  In it's post actions, it changes the radius
users shell to radius_shell if they are present, and back to /bin/bash
on package removal.   It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid

Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.

Also fixed another issue with reparsing changed config file, have to
handle case where there were servers defined, but aren't any longer.

6 files changed, 68 insertions, 3 deletions

diff --git a/debian/control b/debian/control
index b70c948..b8022db 100644
--- a/debian/control
+++ b/debian/control
@@ -3,13 +3,22 @@ Maintainer: dev-support <dev-support@cumulusnetworks.com>
 Section: libs
 Priority: extra
 Standards-Version: 3.9.6
-Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev
+Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev, libcap-dev
 
 Package: libpam-radius-auth
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1
+Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, radius-shell
 Description: PAM RADIUS client authentication module
  This is the PAM to RADIUS authentication module. It allows any PAM-capable
  machine to become a RADIUS client for authentication and accounting
  requests. You will, however, need to supply your own RADIUS server to
  perform the actual authentication
+
+Package: radius-shell
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, libcap2-bin, libcap2, libnss-mapuser
+Description: Shell front-end used for radius users.
+ This provides a uid fixup program.  Due to the limitations of the
+ RADIUS protocol, we can't tell whether a user is privileged until
+ after authentication.  This packages provides a shell front-end that
+ sets the uid to the auid, if set and > 1000, and not already matching.
diff --git a/debian/radius-shell.install b/debian/radius-shell.install
new file mode 100644
index 0000000..7671d36
--- /dev/null
+++ b/debian/radius-shell.install
@@ -0,0 +1 @@
+radius_shell sbin
diff --git a/debian/radius-shell.manpages b/debian/radius-shell.manpages
new file mode 100644
index 0000000..bb1a970
--- /dev/null
+++ b/debian/radius-shell.manpages
@@ -0,0 +1 @@
+radius_shell.8
diff --git a/debian/radius-shell.postinst b/debian/radius-shell.postinst
new file mode 100644
index 0000000..55ebd22
--- /dev/null
+++ b/debian/radius-shell.postinst
@@ -0,0 +1,29 @@
+#! /bin/sh
+
+set -e
+
+# we depend on libnss-mapuser, so that the radius group will have been
+# created before this script runs.
+
+case "$1" in
+    configure)
+        radshell=/sbin/radius_shell
+        chmod 750 $radshell
+        chgrp radius_users $radshell
+        setcap  cap_setuid+ep $radshell
+        # The users will have been created by the libnss-mapuser package
+        # and possibly by an older version, so change the shells here.
+        # This also prevents a loop in package install ordering dependencies
+        for usr in radius_user radius_priv_user; do
+            uent="$(getent -s compat passwd $usr 2>/dev/null)" || true
+            [ -z "$uent" ] && continue
+            case "$uent" in
+                *${radshell}*) ;;
+                *) chsh -s $radshell $usr ;;
+            esac
+        done
+        ;;
+esac
+
+#DEBHELPER#
+
diff --git a/debian/radius-shell.postrm b/debian/radius-shell.postrm
new file mode 100644
index 0000000..89ae97f
--- /dev/null
+++ b/debian/radius-shell.postrm
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+set -e
+
+# we depend on libnss-mapuser, so that the radius group will have been
+# created before this script runs.
+
+case "$1" in
+    remove|purge)
+        # fixup the shell for the users we may have modified on installation,
+        # if still present, and using our shell
+        for usr in radius_user radius_priv_user; do
+            uent="$(getent -s compat passwd $usr 2>/dev/null)" || true
+            [ -z "$uent" ] && continue
+            case "$uent" in
+                *${radshell}*) chsh -s /bin/bash $usr ;;
+            esac
+        done
+        ;;
+esac
+
+#DEBHELPER#
+
diff --git a/debian/rules b/debian/rules
index 52172f8..3039568 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,8 +21,10 @@ export CFLAGS
 # all the installing is here, not in Makefile.
 # The configuration file with the share secrets needs to be 600
 override_dh_install:
-	dh_install -v --sourcedir=.
+	dh_install -v --sourcedir=. --package=libpam-radius-auth
+	dh_install -v --sourcedir=.  --package=radius-shell
 	chmod 600 debian/*/${PAM_CONF_FILE}
+	chmod 750 debian/*/sbin/radius_shell
 
 override_dh_fixperms:
 	dh_fixperms --exclude ${PAM_CONF_FILE}