path: root/src/radius_shell.c
Age | Commit message | Author
2023-02-24 | PAM: T4943: Replaced shell from bash to vbash | zsdc
This change was lost after cf571ca6c722d3d2b0c359dddf835a3f406b194b
2021-05-02 | Update package to 1.5.0-cl3u7 | Christian Poessinger
2018-05-25 | use restricted shell for operator users | Kim Hagen
2018-05-24 | Revert "Do not include config file" | Kim
This reverts commit 80ec9b746124ca540faeac332131a7833a08b14c.
2018-05-17 | Do not include config file | UnicronNL
Use vbash instead of bash
Only change shell for priv user
2018-04-15 | Fixed incredibly stupid radius_shell bug where I forgot about args > 1 | Dave Olson
Ticket: CM-20606
Reviewed By: nobody
Testing Done: ran my own tests, and the automated radius tests

All the shells need to accept -c someargument, for 'su -c' non-interactive shell, etc. Fixed by adjusting args[0], and using execv instead of execl. Passes regular radius automated tests again.
2018-04-13 | Add a new package radius-shell with a setcap radius_shell front end | Dave Olson
Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with the RADIUS protocol, unlike TACACS+, we wind up with all logins as the same unprivileged radius uid. But we can set the auid (accounting or auditing uid) correctly, and a separate setcap radius_shell can be set as the login shell, and can fixup the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user account. Added mapped_priv_user to the configuration file to handle that. mapped_priv_user has to match the account used by libnss-mapuser. That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new package is radius-shell. In its post actions, it changes the radius users' shell to radius_shell if they are present, and back to /bin/bash on package removal. It uses capabilities, tries to be very restrictive in what it changes, and depends on being installed setcap cap_setuid.

Make the existing libpam-radius-auth package depend on radius-shell, so it will pull in the new package on upgrades.

Also fixed another issue with reparsing changed config file, have to handle case where there were servers defined, but aren't any longer.