Import sources from Cumulus Linux version 1.0.1-cl5.1.0u9HEADmaster

10 files changed, 101 insertions, 27 deletions

diff --git a/debian/changelog b/debian/changelog
index 2423348..a95bab3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libtacplus-map (1.0.1-cl5.1.0u9) RELEASED; urgency=medium
+
+  * new build for 5.1.0 from original hash
+    b68ca01f1e769311831d91e47dbf372527d36764
+
+ -- root <root@3da22e72fb7c>  Tue, 22 Feb 2022 22:55:22 +0000
+
+libtacplus-map (1.0.1-cl4u1) RELEASED; urgency=medium
+
+   * First 4.0 release
+   * Added support for tacacs group lookups
+
+ -- dev-support <dev-support@cumulusnetworks.com>  Mon, 30 Sep 2019 16:50:42 -0700
+
 libtacplus-map (1.0.1-cl3u3) RELEASED; urgency=low
 
   * Fixed problem with local fallback authentication when all TACACS
diff --git a/debian/control b/debian/control
index 55c3b56..3e99781 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,11 @@ Section: admin
 Priority: extra
 Maintainer: dev-support <dev-support@cumulusnetworks.com>
 Build-Depends: debhelper (>= 9), dh-autoreconf, autoconf-archive, libaudit-dev, git
-Standards-Version: 3.9.6
+Standards-Version: 3.9.8
 Homepage: http://www.cumulusnetworks.com
+XS-Build-Source: True
+XS-Cumulus-Valid-Arch: amd64 armel
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
 
 Package: libtacplus-map1
 Architecture: any
@@ -12,6 +15,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libaudit1
 Description: Library for mapping TACACS+ users without local /etc/passwd entries
  APIs to support local mapping, so that TACACS users do not need tacacs user
  accounts to /etc/passwd to supply home directory, uid, and gid.
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
 
 Package: libtacplus-map-dev
 Section: libdevel
@@ -20,3 +24,5 @@ Depends: ${misc:Depends}, libtacplus-map1 (= ${binary:Version}), libc-dev
 Description: Development files for TACACS+ user-mapping library
  Header files and .so shared library link for APIs to support local TACACS
  mapping of accounts
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
+
diff --git a/debian/copyright b/debian/copyright
index 814080f..5d90519 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -3,7 +3,7 @@ Upstream-Name: libsimple-tacacct
 Source: http://www.cumulusnetworks.com
 
 Files: *
-Copyright: 2015, 2016 Cumulus Networks, Inc.  All rights reserved.,
+Copyright: 2015, 2016, 2017, 2018, 2019 Cumulus Networks, Inc.  All rights reserved.,
            2010 Pawel Krawczyk <pawel.krawczyk@hush.com> and Jeroen Nijhof <jeroen@jeroennijhof.nl>
 License: GPL-2+
 
diff --git a/debian/libtacplus-map1.postinst b/debian/libtacplus-map1.postinst
index 1a45376..3526c8a 100644
--- a/debian/libtacplus-map1.postinst
+++ b/debian/libtacplus-map1.postinst
@@ -21,6 +21,8 @@ esac
 # The accounts are not enabled for local login, since they are
 # only used to provide uid/gid/homedir for the mapped TACACS+
 # logins (and lookups against them).
+# The tacacs15 user is also added to the sudo group, and nclu group netedit
+# rather than netshow (used for tacacs0-14).
 
 # --firstuid is used because the installed pam_tacplus configs and audit files are
 # for uid >1000.  Ideally, there should be a way to specify a minimum, but not
@@ -42,6 +44,7 @@ while [ $level -lt 16 ]; do
     level=$(( level+1 ))
     [ $level -eq 15 ] && nclu_grp=netedit
 done 2>&1 | grep -v 'already exists'
+adduser --quiet tacacs15 sudo 2>&1 | grep -v 'already exists'
 exit 0
 )
 
diff --git a/debian/libtacplus-map1.symbols b/debian/libtacplus-map1.symbols
index b8e23d5..adc8d24 100644
--- a/debian/libtacplus-map1.symbols
+++ b/debian/libtacplus-map1.symbols
@@ -7,4 +7,5 @@ libtacplus_map.so.1 libtacplus-map1 #MINVER#
  map_get_sessionid@Base 1.0.0
  set_auid_immutable@Base 1.0.0
  update_mapuser@Base 1.0.0
+ lookup_all_mapped@Base 1.0.1-cl4u1
 
diff --git a/debian/rules b/debian/rules
index b8959fb..5951990 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,9 +8,6 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 SHELL := sh -e
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
-CFLAGS+=-g3 -Wno-format-truncation
-export CFLAGS
 
 %:
 	dh  $@ --with autoreconf
diff --git a/debian/source/format b/debian/source/format
index b9b0237..d3827e7 100644
--- a/debian/source/format
+++ b/debian/source/format
@@ -1,2 +1 @@
 1.0
-
diff --git a/map_tacplus_user.c b/map_tacplus_user.c
index 47ddf78..7911f29 100644
--- a/map_tacplus_user.c
+++ b/map_tacplus_user.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015, 2016, Cumulus Networks, Inc.  All rights reserved.
+ * Copyright 2015,2016,2017,2018,2019 Cumulus Networks, Inc.  All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -110,6 +110,9 @@ static int is_mapmatch(struct tacacs_mapping *map, int which, const char *name,
  * If somebody kills, e.g., the session parent login or sshd, nothing is
  * left around to do the cleanup, and the entry could remain forever.
  * update_loguid() does this on every add and delete.
+ * Returns strdup'ed storage, and caller must free.
+ * If host is non-NULL, data placed there is also strdup'ed, and must be
+ * freed by caller.
  */
 char *lookup_logname(const char *mapname, uid_t auid, unsigned session,
     char **host, uint16_t *flags)
@@ -205,19 +208,21 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session,
  * and returns the matching mapped name (e.g, tacacs0) if found,
  * otherwise returns the logname argument.  auid and session
  * will most commonly be -1 wildcards for this function.
+ * Returns strdup'ed storage, and caller must free
  */
 char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
     char **host, uint16_t *flags)
 {
     struct tacacs_mapping map;
-    char *mappeduser = (char *)logname; /* if no match, return original */
+    char *mappeduser;
     int fd, cnt;
 
+    mappeduser = strdup(logname); /* if no match, return original */
     if (flags)
         *flags = 0; /* for early returns */
     fd = open(mapfile, O_RDONLY, 0600);
     if(fd == -1)
-        return (char *)logname; /* not using tacacs or might be earlier error */
+        return mappeduser; /* not using tacacs or might be earlier error */
 
     if(flock(fd, LOCK_SH))
         syslog(LOG_WARNING, "%s lock of tacacs client_map_file %s failed: %m, "
@@ -225,6 +230,8 @@ char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
 
     while((cnt=read(fd, &map, sizeof map)) == sizeof map) {
         if(is_mapmatch(&map, MATCH_LOGIN, logname, auid, session)) {
+            if (mappeduser)
+                free(mappeduser);
             mappeduser = strndup(map.tac_mappedname, sizeof map.tac_mappedname);
             if(!mappeduser) {
                 syslog(LOG_WARNING,
@@ -331,10 +338,12 @@ invalid_session(int mapsess)
             char nmbuf[128]; /* always short path */
             char sess_str[16];
             int fd, cnt, sess=0;
-            snprintf(nmbuf, sizeof nmbuf, "/proc/%s/sessionid", dptr->d_name);
+            snprintf(nmbuf, sizeof nmbuf, "/proc/%.111s/sessionid", dptr->d_name);
             fd = open(nmbuf, O_RDONLY);
-            if(fd == -1)
-                syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf);
+            if(fd == -1) {
+                if(debug)
+                    syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf);
+            }
             else {
                 cnt = read(fd, sess_str, sizeof sess_str - 1);
                 close(fd);
@@ -687,3 +696,50 @@ char *get_user_to_auth(char *pamuser)
     origuser = lookup_logname(pamuser, auid, session, NULL, NULL);
     return origuser ? origuser : pamuser;
 }
+
+/*
+ * Given a mapname (tacacs0...15) return the comma separated list of all
+ * valid lognames in the map db that match that mapname.   Used when doing group
+ * lookups, to replace, e.g. tacacs15 in a group file entry with all users
+ * logged in mapped to tacacs15.
+ * Returned string is strdup'ed, and storage must be freed by caller.
+ * Returns NULL if no matches.
+ */
+char *
+lookup_all_mapped(const char *mapname)
+{
+    struct tacacs_mapping map;
+    int fd, cnt;
+    char *ret = NULL;
+    size_t retlen = 0;
+
+    fd = open(mapfile, O_RDONLY, 0600);
+    if(fd == -1) {
+        if (debug)
+            syslog(LOG_DEBUG, "%s: Can't open mapfile %s: %m", libname,
+                   mapfile);
+        return NULL;
+    }
+
+    while((cnt=read(fd, &map, sizeof map)) == sizeof map) {
+        size_t llen;
+        char *uniq;
+        if (!map.tac_logname[0] || strcmp(map.tac_mappedname, mapname))
+            continue;
+        llen = strlen(map.tac_logname);
+        if (ret) { /* skip if already in our returned string */
+            uniq = strstr(ret, map.tac_logname);
+            if (uniq && (uniq[llen] == '\0' || uniq[llen] == ',') &&
+                (uniq == ret || uniq[-1] == ',')) {
+                continue;
+            }
+        }
+        ret = realloc(ret, llen+retlen+1+(ret?1:0));
+        if (retlen)
+            ret[retlen++] = ',';
+        strncpy(ret+retlen, map.tac_logname, llen+1);
+        retlen += llen;
+    }
+    close(fd);
+    return ret;
+}
diff --git a/map_tacplus_user.h b/map_tacplus_user.h
index 9bc2dcb..65a48df 100644
--- a/map_tacplus_user.h
+++ b/map_tacplus_user.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015, 2016, Cumulus Networks, Inc.  All rights reserved.
+ * Copyright 2015, 2016, 2017, 2019 Cumulus Networks, Inc.  All rights reserved.
  * All Rights Reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -27,7 +27,7 @@
 #include <pwd.h>
 #include <utmp.h>
 
-#define MAP_TACPLUS_FILE "/var/run/tacacs_client_map"
+#define MAP_TACPLUS_FILE "/run/tacacs_client_map"
 
 #define MAP_FILE_VERSION 2 /*  version two adds tac_mapflags (compatible) */
 
@@ -68,7 +68,7 @@ unsigned map_get_sessionid(void); /* return the sessionid for this session */
  * returns the name passed as first argument.  Passing name as NULL
  * requests match on auid and session only.
  *
- * If the returned pointer != first arg and non-NULL, caller should free it.
+ * The caller must free the returned string, if not NULL.
  *
  * This only works while a mapped user is logged in, and since the auid and
  * session are lookup keys, only for processes that are descendents
@@ -100,6 +100,16 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session,
 char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
     char **host, uint16_t *flags);
 
+/*
+ * Given a mapname (tacacs0...15) return the comma separated list of all
+ * valid lognames in the map db that match that mapname.   Used when doing
+ * group lookups, to replace, e.g. tacacs15 in a group file entry with all
+ * users logged in mapped to tacacs15.
+ * Returned string is strdup'ed, and storage must be freed by caller.
+ * Returns NULL if no matches.
+ */
+char *lookup_all_mapped(const char *mapname);
+
 /* This is not a public entry point, it's a helper routine for pam_tacplus */
 void __update_loguid(char *);
 
diff --git a/tacplus.sudo b/tacplus.sudo
index bc90883..9702f59 100644
--- a/tacplus.sudo
+++ b/tacplus.sudo
@@ -1,15 +1,3 @@
-# This file is part of the libtacplus-map package.
-# It allow tacacs privilege level 15 users (mapped to local user tacacs15)
-# to sudo without restrictions, so they can do all switch setup and
-# administration.  The tacacs15 user is added by the same package, and
-# is configured to be a disabled login
-tacacs15	ALL=(ALL:ALL) ALL
-
-# If you want to allow privileged tacacs users (level 15) to execute
-# sudo without a password, comment out the tacacs 15 line above, and
-# uncomment out the line below:
-# tacacs15	ALL=(ALL:ALL) NOPASSWD:NOEXEC: ALL
-
 # Allow any tacacs group login to run this set of commands.  this is just a
 # demonstration.
 # This example uses group tacacs, if you want all tacacs group users