From acc77c4757775bb7689ba769465951a65523db75 Mon Sep 17 00:00:00 2001
From: Dave Olson
Date: Thu, 12 Apr 2018 23:57:55 -0700
Subject: Add a new package radius-shell with a setcap radius_shell front end

Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with the RADIUS protocol, unlike TACACS+, we wind up with all logins as the same unprivileged radius uid. But we can set the auid (accounting or auditing uid) correctly, and a separate setcap radius_shell can be set as the login shell, and can fix up the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user account. Added mapped_priv_user to the configuration file to handle that. mapped_priv_user has to match the account used by libnss-mapuser. That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new package is radius-shell. In its post actions, it changes the radius users' shell to radius_shell if they are present, and back to /bin/bash on package removal. It uses capabilities, tries to be very restrictive in what it changes, and depends on being installed setcap cap_setuid.

Make the existing libpam-radius-auth package depend on radius-shell, so it will pull in the new package on upgrades.

Also fixed another issue with reparsing a changed config file: have to handle the case where there were servers defined, but there aren't any longer.

---
 src/support.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/support.c')

diff --git a/src/support.c b/src/support.c
index ed72f85..78c21f4 100644
--- a/src/support.c
+++ b/src/support.c
@@ -107,12 +107,12 @@ __write_mapfile(pam_handle_t * pamh, const char *user, uid_t uid, } - /* won't hurt if it already exists, no more overhead than stat() first */ + /* won't hurt if it already exists, same overhead as stat() first */ mkdir(mapdir, 0755); snprintf(tmpstr, sizeof tmpstr, "%s/%u", mapdir, session); /* - * Only create if it doesn't exist. It might exist if we are called from - * su or sudo after a login, for example + * Only create if it doesn't exist. It might exist if we are called + * from su or sudo after a login, for example */ f = fopen(tmpstr, "wx"); if (!f) { -- cgit v1.2.3
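Review bot: the return value of `mkdir(mapdir, 0755)` directly under the reworded comment is still discarded, so a failure other than EEXIST (parent directory not writable, mapdir already present as a regular file or a dangling symlink, read-only filesystem) is silently swallowed and only shows up later as the `fopen(tmpstr, "wx")` failure in the `if (!f)` branch, with an errno that points at the wrong call. Since this hunk is already editing that comment, it is a good moment to check the result and report the real cause, for example `if (mkdir(mapdir, 0755) != 0 && errno != EEXIST) { /* log errno for mapdir and return an error */ }`. The new comment wording is also slightly misleading: mkdir on an existing directory is a single syscall that returns EEXIST, which is the same cost as a stat() would have been, so "same overhead as stat() first" reads as though both are being done; "one syscall either way" says what is meant. The `"wx"` exclusive-create mode on the fopen is the right choice here, since it refuses to open a pre-existing map file instead of truncating it, so keep that as is.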