summaryrefslogtreecommitdiff
path: root/src/support.c
AgeCommit message (Collapse)Author
2018-04-13Add a new package radius-shell with a setcap radius_shell front endDave Olson
Ticket: CM-19457 Reviewed By: nobody Testing Done: multiple logins, separately and simultaneously Because we can't determine privilege level separately and up front with the RADIUS protocol, unlike TACACS+, we wind up with all logins as the same unprivileged radius uid. But we can set the auid (accounting or auditing uid) correctly, and a separate setcap radius_shell can be set as the login shell, and can fixup the uid before running /bin/bash. To set the auid correctly, we need to know the privileged radius user account. Added mapped_priv_user to the configuration file to handle that. mapped_priv_user has to match the account used by libnss-mapuser. That's a bit ugly, but a common config file would be uglier. The radius shell is in a new package, since it has binaries. The new package is radius-shell. In it's post actions, it changes the radius users shell to radius_shell if they are present, and back to /bin/bash on package removal. It uses capabilities, tries to be very restrictive in what it changes, and depends on being installed setcap cap_setuid Make the existing libpam-radius-auth package depend on radius-shell, so it will pull in the new package on upgrades. Also fixed another issue with reparsing changed config file, have to handle case where there were servers defined, but aren't any longer.
2018-04-02Add limited support for privileges (VSA shell:priv-lvl=15)Dave Olson
Ticket: CM-19457 Reviewed By: Testing Done: As with the tacplus client, we'll support priv-lvl=15 as a privileged user, able to run config commands and sudo (when used with libnss-mapuser). Added new code to decode VSA attributes, and search for shell:priv-lvl=#. A new config item is added "priv-lvl" in the configuration file to specify the minimum value to be considered privileged. The default is 15. Writing mapping session file in the plugin now, because it needs to be present for the final getpw* calls from ssh, login, etc. Dropped the homedir in the mapfile, we not ready to get it via NSS when we write the mapfile, and it wasn't ever used. Also added same pam condition as tacplus, don't invoke pam_radius_auth unless uid > 1000, to avoid overhead on system users and cumulus account, although that won't help as much as with tacplus, given the mappings. Also added copyrights to the pam header file Fixed a bunch of issues, which meant some significant restructuring. src_ip (as noted in some comments) really should have been in the server struct. Having done that, we don't need to open both v4 and v6 sockets, we only open the one we need after moving host2server() call into the initialization code. Only parse the pam_radius_auth.conf config file once (unless the PAM line specifies a different config file from previous pam mode, or the config file has changed). As part of that, do all the host name resolution up front, and store ip_acct for accounting port, as well as the previous ip for auth port. While doing that, set it up so initialization and the config file parsing are only done once in the common case. If the config file is specified on the pam command line, and it's different, then we'll re-open and re-initialize. That also means we normally only open the socket and bind once. Cleanup is now done via registering a pam_set_data() handler for the server list. Since the _pam_end() call may happen late, also ensure that all the sockets are marked close on exec. Fixed some white space and line length issues. Really should have been a separate commit, but... Document how port for accounting is derived, and changed it to use radacct if a named port was specified that isn't "radius" while warning about it.