| field | value |
|---|---|
| author | Dave Olson <olson@cumulusnetworks.com>, 2018-04-12 23:57:55 -0700 |
| committer | Dave Olson <olson@cumulusnetworks.com>, 2018-04-13 15:04:03 -0700 |
| commit | acc77c4757775bb7689ba769465951a65523db75 (patch) |
| tree | ac797a2985f5c472f83f42b13acb3499553f5a15 /src/support.c |
| parent | a0d0d2fb1b321d65425951fc70f5c42c2dcfda41 (diff) |
| download | libpam-radius-auth-acc77c4757775bb7689ba769465951a65523db75.tar.gz, libpam-radius-auth-acc77c4757775bb7689ba769465951a65523db75.zip |
Add a new package radius-shell with a setcap radius_shell front end
Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously
Because we can't determine privilege level separately and up front with
the RADIUS protocol, unlike TACACS+, we wind up with all logins as the
same unprivileged radius uid. But we can set the auid (accounting or
auditing uid) correctly, and a separate setcap radius_shell can be set as
the login shell, and can fixup the uid before running /bin/bash.
To set the auid correctly, we need to know the privileged radius user
account. Added mapped_priv_user to the configuration file to handle
that. mapped_priv_user has to match the account used by libnss-mapuser.
That's a bit ugly, but a common config file would be uglier.
The radius shell is in a new package, since it has binaries. The new
package is radius-shell. In its post actions, it changes the radius
users' shell to radius_shell if they are present, and back to /bin/bash
on package removal. It uses capabilities, tries to be very restrictive
in what it changes, and depends on being installed setcap cap_setuid.
Make the existing libpam-radius-auth package depend on radius-shell, so
it will pull in the new package on upgrades.
Also fixed another issue with reparsing a changed config file: we have to
handle the case where there were servers defined, but there aren't any longer.
Diffstat (limited to 'src/support.c')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/support.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/support.c b/src/support.c index ed72f85..78c21f4 100644 --- a/src/support.c +++ b/src/support.c @@ -107,12 +107,12 @@ __write_mapfile(pam_handle_t * pamh, const char *user, uid_t uid, } - /* won't hurt if it already exists, no more overhead than stat() first */ + /* won't hurt if it already exists, same overhead as stat() first */ mkdir(mapdir, 0755); snprintf(tmpstr, sizeof tmpstr, "%s/%u", mapdir, session); /* - * Only create if it doesn't exist. It might exist if we are called from - * su or sudo after a login, for example + * Only create if it doesn't exist. It might exist if we are called + * from su or sudo after a login, for example */ f = fopen(tmpstr, "wx"); if (!f) { |
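Review bot: the return value of `mkdir(mapdir, 0755);` is still ignored in this hunk, so a failure other than EEXIST (no permission on the parent, or mapdir already existing as a regular file) only surfaces later as an opaque fopen() failure at `if (!f) {`, with the real errno lost. Since the comment on that line is being reworded anyway, consider `if (mkdir(mapdir, 0755) == -1 && errno != EEXIST)` and logging that errno before continuing; that also makes the reworded comment precise, because an EEXIST return is the one extra syscall that a stat() probe would otherwise cost. The `fopen(tmpstr, "wx")` below is the right choice for the create-if-absent case, as the exclusive flag avoids a check-then-create race on the per-session map file.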
