From acc77c4757775bb7689ba769465951a65523db75 Mon Sep 17 00:00:00 2001 From: Dave Olson Date: Thu, 12 Apr 2018 23:57:55 -0700 Subject: Add a new package radius-shell with a setcap radius_shell front end Ticket: CM-19457 Reviewed By: nobody Testing Done: multiple logins, separately and simultaneously Because we can't determine privilege level separately and up front with the RADIUS protocol, unlike TACACS+, we wind up with all logins as the same unprivileged radius uid. But we can set the auid (accounting or auditing uid) correctly, and a separate setcap radius_shell can be set as the login shell, and can fixup the uid before running /bin/bash. To set the auid correctly, we need to know the privileged radius user account. Added mapped_priv_user to the configuration file to handle that. mapped_priv_user has to match the account used by libnss-mapuser. That's a bit ugly, but a common config file would be uglier. The radius shell is in a new package, since it has binaries. The new package is radius-shell. In it's post actions, it changes the radius users shell to radius_shell if they are present, and back to /bin/bash on package removal. It uses capabilities, tries to be very restrictive in what it changes, and depends on being installed setcap cap_setuid Make the existing libpam-radius-auth package depend on radius-shell, so it will pull in the new package on upgrades. Also fixed another issue with reparsing changed config file, have to handle case where there were servers defined, but aren't any longer. --- debian/radius-shell.install | 1 + 1 file changed, 1 insertion(+) create mode 100644 debian/radius-shell.install (limited to 'debian/radius-shell.install') diff --git a/debian/radius-shell.install b/debian/radius-shell.install new file mode 100644 index 0000000..7671d36 --- /dev/null +++ b/debian/radius-shell.install @@ -0,0 +1 @@ +radius_shell sbin -- cgit v1.2.3