-rw-r--r--debian/changelog14
-rw-r--r--debian/control8
-rw-r--r--debian/copyright2
-rw-r--r--debian/libtacplus-map1.postinst3
-rw-r--r--debian/libtacplus-map1.symbols1
-rwxr-xr-xdebian/rules3
-rw-r--r--debian/source/format1
-rw-r--r--map_tacplus_user.c68
-rw-r--r--map_tacplus_user.h16
-rw-r--r--tacplus.sudo12
10 files changed, 101 insertions, 27 deletions
diff --git a/debian/changelog b/debian/changelog
index 2423348..a95bab3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libtacplus-map (1.0.1-cl5.1.0u9) RELEASED; urgency=medium
+
+ * new build for 5.1.0 from original hash
+ b68ca01f1e769311831d91e47dbf372527d36764
+
+ -- root <root@3da22e72fb7c> Tue, 22 Feb 2022 22:55:22 +0000
+
+libtacplus-map (1.0.1-cl4u1) RELEASED; urgency=medium
+
+ * First 4.0 release
+ * Added support for tacacs group lookups
+
+ -- dev-support <dev-support@cumulusnetworks.com> Mon, 30 Sep 2019 16:50:42 -0700
+
libtacplus-map (1.0.1-cl3u3) RELEASED; urgency=low
* Fixed problem with local fallback authentication when all TACACS
diff --git a/debian/control b/debian/control
index 55c3b56..3e99781 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,11 @@ Section: admin
Priority: extra
Maintainer: dev-support <dev-support@cumulusnetworks.com>
Build-Depends: debhelper (>= 9), dh-autoreconf, autoconf-archive, libaudit-dev, git
-Standards-Version: 3.9.6
+Standards-Version: 3.9.8
Homepage: http://www.cumulusnetworks.com
+XS-Build-Source: True
+XS-Cumulus-Valid-Arch: amd64 armel
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
Package: libtacplus-map1
Architecture: any
@@ -12,6 +15,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libaudit1
Description: Library for mapping TACACS+ users without local /etc/passwd entries
APIs to support local mapping, so that TACACS users do not need tacacs user
accounts to /etc/passwd to supply home directory, uid, and gid.
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
Package: libtacplus-map-dev
Section: libdevel
@@ -20,3 +24,5 @@ Depends: ${misc:Depends}, libtacplus-map1 (= ${binary:Version}), libc-dev
Description: Development files for TACACS+ user-mapping library
Header files and .so shared library link for APIs to support local TACACS
mapping of accounts
+XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764
+
diff --git a/debian/copyright b/debian/copyright
index 814080f..5d90519 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -3,7 +3,7 @@ Upstream-Name: libsimple-tacacct
Source: http://www.cumulusnetworks.com
Files: *
-Copyright: 2015, 2016 Cumulus Networks, Inc. All rights reserved.,
+Copyright: 2015, 2016, 2017, 2018, 2019 Cumulus Networks, Inc. All rights reserved.,
2010 Pawel Krawczyk <pawel.krawczyk@hush.com> and Jeroen Nijhof <jeroen@jeroennijhof.nl>
License: GPL-2+
diff --git a/debian/libtacplus-map1.postinst b/debian/libtacplus-map1.postinst
index 1a45376..3526c8a 100644
--- a/debian/libtacplus-map1.postinst
+++ b/debian/libtacplus-map1.postinst
@@ -21,6 +21,8 @@ esac
# The accounts are not enabled for local login, since they are
# only used to provide uid/gid/homedir for the mapped TACACS+
# logins (and lookups against them).
+# The tacacs15 user is also added to the sudo group, and nclu group netedit
+# rather than netshow (used for tacacs0-14).
# --firstuid is used because the installed pam_tacplus configs and audit files are
# for uid >1000. Ideally, there should be a way to specify a minimum, but not
@@ -42,6 +44,7 @@ while [ $level -lt 16 ]; do
level=$(( level+1 ))
[ $level -eq 15 ] && nclu_grp=netedit
done 2>&1 | grep -v 'already exists'
+adduser --quiet tacacs15 sudo 2>&1 | grep -v 'already exists'
exit 0
)
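Review bot: The new `adduser --quiet tacacs15 sudo` line makes the privilege-15 user's sudo rights depend on the host's /etc/sudoers granting `%sudo`, which this package does not ship or check, while the same commit drops the explicit `tacacs15 ALL=(ALL:ALL) ALL` rule from tacplus.sudo; on a system where the sudo group is absent or not in sudoers, level-15 TACACS users silently lose sudo. The `| grep -v 'already exists'` pipeline also replaces adduser's exit status with grep's, so a failed group add is never surfaced. I would guard it: `getent group sudo >/dev/null || echo "libtacplus-map: no 'sudo' group; tacacs15 will have no sudo rights" >&2` before the adduser, and verify afterwards with `id -nG tacacs15 | grep -qw sudo || echo "libtacplus-map: failed to add tacacs15 to sudo" >&2`. Whether the script runs under `set -e` is not visible here, so the pipeline's masking of a non-zero grep exit may also matter.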
diff --git a/debian/libtacplus-map1.symbols b/debian/libtacplus-map1.symbols
index b8e23d5..adc8d24 100644
--- a/debian/libtacplus-map1.symbols
+++ b/debian/libtacplus-map1.symbols
@@ -7,4 +7,5 @@ libtacplus_map.so.1 libtacplus-map1 #MINVER#
map_get_sessionid@Base 1.0.0
set_auid_immutable@Base 1.0.0
update_mapuser@Base 1.0.0
+ lookup_all_mapped@Base 1.0.1-cl4u1
diff --git a/debian/rules b/debian/rules
index b8959fb..5951990 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,9 +8,6 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
SHELL := sh -e
-CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
-CFLAGS+=-g3 -Wno-format-truncation
-export CFLAGS
%:
dh $@ --with autoreconf
diff --git a/debian/source/format b/debian/source/format
index b9b0237..d3827e7 100644
--- a/debian/source/format
+++ b/debian/source/format
@@ -1,2 +1 @@
1.0
-
diff --git a/map_tacplus_user.c b/map_tacplus_user.c
index 47ddf78..7911f29 100644
--- a/map_tacplus_user.c
+++ b/map_tacplus_user.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015, 2016, Cumulus Networks, Inc. All rights reserved.
+ * Copyright 2015,2016,2017,2018,2019 Cumulus Networks, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -110,6 +110,9 @@ static int is_mapmatch(struct tacacs_mapping *map, int which, const char *name,
* If somebody kills, e.g., the session parent login or sshd, nothing is
* left around to do the cleanup, and the entry could remain forever.
* update_loguid() does this on every add and delete.
+ * Returns strdup'ed storage, and caller must free.
+ * If host is non-NULL, data placed there is also strdup'ed, and must be
+ * freed by caller.
*/
char *lookup_logname(const char *mapname, uid_t auid, unsigned session,
char **host, uint16_t *flags)
@@ -205,19 +208,21 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session,
* and returns the matching mapped name (e.g, tacacs0) if found,
* otherwise returns the logname argument. auid and session
* will most commonly be -1 wildcards for this function.
+ * Returns strdup'ed storage, and caller must free
*/
char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
char **host, uint16_t *flags)
{
struct tacacs_mapping map;
- char *mappeduser = (char *)logname; /* if no match, return original */
+ char *mappeduser;
int fd, cnt;
+ mappeduser = strdup(logname); /* if no match, return original */
if (flags)
*flags = 0; /* for early returns */
fd = open(mapfile, O_RDONLY, 0600);
if(fd == -1)
- return (char *)logname; /* not using tacacs or might be earlier error */
+ return mappeduser; /* not using tacacs or might be earlier error */
if(flock(fd, LOCK_SH))
syslog(LOG_WARNING, "%s lock of tacacs client_map_file %s failed: %m, "
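Review bot: `mappeduser = strdup(logname)` is returned unchecked at the `fd == -1` early exit, so the no-match path can now hand back NULL on allocation failure where the old code always returned the logname, and the new comment "Returns strdup'ed storage, and caller must free" does not mention NULL; either log it like the `strndup` failure further down or document it, e.g. `* Returns NULL only on allocation failure.` This is also a contract change for an exported symbol of a shared library with no SONAME change: callers built against the previous header ("free only if the returned pointer != first arg") now leak on every no-match call. lookup_mapname's body continues past the hunk.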
@@ -225,6 +230,8 @@ char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
while((cnt=read(fd, &map, sizeof map)) == sizeof map) {
if(is_mapmatch(&map, MATCH_LOGIN, logname, auid, session)) {
+ if (mappeduser)
+ free(mappeduser);
mappeduser = strndup(map.tac_mappedname, sizeof map.tac_mappedname);
if(!mappeduser) {
syslog(LOG_WARNING,
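Review bot: Freeing the fallback before the `strndup` means that if the copy fails, `mappeduser` is left NULL and the documented "return original if no match" fallback is lost on that path; swap the order so the old string is released only on success: `char *m = strndup(map.tac_mappedname, sizeof map.tac_mappedname); if (m) { free(mappeduser); mappeduser = m; }`. As a style point, the `if (mappeduser)` guard around `free()` is redundant since `free(NULL)` is a no-op. The loop body continues past the hunk, so I cannot see how the NULL case is handled after the syslog.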
@@ -331,10 +338,12 @@ invalid_session(int mapsess)
char nmbuf[128]; /* always short path */
char sess_str[16];
int fd, cnt, sess=0;
- snprintf(nmbuf, sizeof nmbuf, "/proc/%s/sessionid", dptr->d_name);
+ snprintf(nmbuf, sizeof nmbuf, "/proc/%.111s/sessionid", dptr->d_name);
fd = open(nmbuf, O_RDONLY);
- if(fd == -1)
- syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf);
+ if(fd == -1) {
+ if(debug)
+ syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf);
+ }
else {
cnt = read(fd, sess_str, sizeof sess_str - 1);
close(fd);
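Review bot: The `%.111s` precision silences the format-truncation warning (and lets debian/rules drop `-Wno-format-truncation`) but turns a too-long `d_name` into a silently different `/proc/<prefix>/sessionid` path rather than a detected error; the 6+111+10 bytes do fit the 128-byte buffer, so this is a correctness-of-intent point rather than an overflow. Prefer checking the return value: `int n = snprintf(nmbuf, sizeof nmbuf, "/proc/%s/sessionid", dptr->d_name); if (n < 0 || (size_t)n >= sizeof nmbuf) continue;` (assuming this sits in the readdir loop that `dptr` suggests; the enclosing function starts and ends outside the hunk). If the directory being walked is /proc itself, skipping entries that are not all digits would be an even simpler filter.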
@@ -687,3 +696,50 @@ char *get_user_to_auth(char *pamuser)
origuser = lookup_logname(pamuser, auid, session, NULL, NULL);
return origuser ? origuser : pamuser;
}
+
+/*
+ * Given a mapname (tacacs0...15) return the comma separated list of all
+ * valid lognames in the map db that match that mapname. Used when doing group
+ * lookups, to replace, e.g. tacacs15 in a group file entry with all users
+ * logged in mapped to tacacs15.
+ * Returned string is strdup'ed, and storage must be freed by caller.
+ * Returns NULL if no matches.
+ */
+char *
+lookup_all_mapped(const char *mapname)
+{
+ struct tacacs_mapping map;
+ int fd, cnt;
+ char *ret = NULL;
+ size_t retlen = 0;
+
+ fd = open(mapfile, O_RDONLY, 0600);
+ if(fd == -1) {
+ if (debug)
+ syslog(LOG_DEBUG, "%s: Can't open mapfile %s: %m", libname,
+ mapfile);
+ return NULL;
+ }
+
+ while((cnt=read(fd, &map, sizeof map)) == sizeof map) {
+ size_t llen;
+ char *uniq;
+ if (!map.tac_logname[0] || strcmp(map.tac_mappedname, mapname))
+ continue;
+ llen = strlen(map.tac_logname);
+ if (ret) { /* skip if already in our returned string */
+ uniq = strstr(ret, map.tac_logname);
+ if (uniq && (uniq[llen] == '\0' || uniq[llen] == ',') &&
+ (uniq == ret || uniq[-1] == ',')) {
+ continue;
+ }
+ }
+ ret = realloc(ret, llen+retlen+1+(ret?1:0));
+ if (retlen)
+ ret[retlen++] = ',';
+ strncpy(ret+retlen, map.tac_logname, llen+1);
+ retlen += llen;
+ }
+ close(fd);
+ return ret;
+}
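Review bot: `ret = realloc(ret, ...)` is unchecked, so an allocation failure dereferences NULL at `ret[retlen++] = ','` (or `strncpy`) and leaks the list built so far; the result of this function feeds group membership, so a crash inside an NSS/PAM caller is a denial of service on every login. The duplicate check also only inspects the first `strstr` hit: with `ret = "bobby,bob"` and a new record for `bob`, `strstr` lands inside `bobby`, the boundary test fails, and `bob` is appended twice, producing a malformed group line. Two further points: `strlen(map.tac_logname)` and `strcmp(map.tac_mappedname, mapname)` trust the on-disk record to be NUL-terminated, whereas lookup_mapname bounds the same fields with `strndup(..., sizeof map.tac_mappedname)` (assuming they are fixed-size arrays as that implies); and unlike lookup_mapname this reader takes no `flock(fd, LOCK_SH)`, so a concurrent writer can hand it a torn entry. The rewrite below bounds the field reads, walks the list token by token, checks realloc and returns the partial list (fewer members, i.e. fewer privileges) on OOM.
```c
	/* … unchanged: open(mapfile) and debug syslog on failure … */
	/* match lookup_mapname(): shared lock so a concurrent writer cannot hand us a torn record */
	if(flock(fd, LOCK_SH))
		syslog(LOG_WARNING, "%s lock of tacacs client_map_file %s failed: %m",
		       libname, mapfile);

	while(read(fd, &map, sizeof map) == sizeof map) {
		size_t llen, mlen;
		char *p, *tmp;
		int dup = 0;

		/* never trust the on-disk record to be NUL-terminated */
		llen = strnlen(map.tac_logname, sizeof map.tac_logname);
		mlen = strnlen(map.tac_mappedname, sizeof map.tac_mappedname);
		if (!llen || mlen != strlen(mapname) ||
		    memcmp(map.tac_mappedname, mapname, mlen))
			continue;
		/* compare whole comma-separated tokens; a substring hit inside a longer name is not a match */
		for (p = ret; p && !dup; ) {
			char *e = strchr(p, ',');
			size_t tlen = e ? (size_t)(e - p) : strlen(p);
			dup = (tlen == llen && !memcmp(p, map.tac_logname, llen));
			p = e ? e + 1 : NULL;
		}
		if (dup)
			continue;
		tmp = realloc(ret, retlen + llen + (retlen ? 1 : 0) + 1);
		if (!tmp) {
			syslog(LOG_WARNING, "%s: out of memory building member list for %s",
			       libname, mapname);
			break;	/* return the members collected so far */
		}
		ret = tmp;
		if (retlen)
			ret[retlen++] = ',';
		memcpy(ret + retlen, map.tac_logname, llen);
		retlen += llen;
		ret[retlen] = '\0';
	}
	/* … unchanged: close(fd); return ret; … */
```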
diff --git a/map_tacplus_user.h b/map_tacplus_user.h
index 9bc2dcb..65a48df 100644
--- a/map_tacplus_user.h
+++ b/map_tacplus_user.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2015, 2016, Cumulus Networks, Inc. All rights reserved.
+ * Copyright 2015, 2016, 2017, 2019 Cumulus Networks, Inc. All rights reserved.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -27,7 +27,7 @@
#include <pwd.h>
#include <utmp.h>
-#define MAP_TACPLUS_FILE "/var/run/tacacs_client_map"
+#define MAP_TACPLUS_FILE "/run/tacacs_client_map"
#define MAP_FILE_VERSION 2 /* version two adds tac_mapflags (compatible) */
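Review bot: Changing `MAP_TACPLUS_FILE` from `/var/run/tacacs_client_map` to `/run/tacacs_client_map` is only safe if every producer and consumer of the file (pam_tacplus, the NSS module, anything that compiled the old header in) is rebuilt together or `/var/run` is a symlink to `/run` on all target systems; otherwise a writer and reader disagree on the path, `open()` fails, and lookups quietly degrade to "not using tacacs" (the `fd == -1` fallback in map_tacplus_user.c). Worth a comment such as `/* /var/run is a symlink to /run on supported releases; all users of this header must agree on the path */` and a changelog entry noting that dependents need a rebuild.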
@@ -68,7 +68,7 @@ unsigned map_get_sessionid(void); /* return the sessionid for this session */
* returns the name passed as first argument. Passing name as NULL
* requests match on auid and session only.
*
- * If the returned pointer != first arg and non-NULL, caller should free it.
+ * The caller must free the returned string, if not NULL.
*
* This only works while a mapped user is logged in, and since the auid and
* session are lookup keys, only for processes that are descendents
@@ -100,6 +100,16 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session,
char *lookup_mapname(const char *logname, uid_t auid, unsigned session,
char **host, uint16_t *flags);
+/*
+ * Given a mapname (tacacs0...15) return the comma separated list of all
+ * valid lognames in the map db that match that mapname. Used when doing
+ * group lookups, to replace, e.g. tacacs15 in a group file entry with all
+ * users logged in mapped to tacacs15.
+ * Returned string is strdup'ed, and storage must be freed by caller.
+ * Returns NULL if no matches.
+ */
+char *lookup_all_mapped(const char *mapname);
+
/* This is not a public entry point, it's a helper routine for pam_tacplus */
void __update_loguid(char *);
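Review bot: The new prototype's comment says "Returns NULL if no matches", but the implementation also returns NULL when the map file cannot be opened and (as written) would crash rather than return on allocation failure; callers using NULL to mean "nobody is mapped here" will treat an unreadable map file the same as an empty one. Suggest stating the full contract: `* Returns NULL if no matches, or if the map file cannot be opened.` so the NSS/group caller can decide whether those cases should be distinguished.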
diff --git a/tacplus.sudo b/tacplus.sudo
index bc90883..9702f59 100644
--- a/tacplus.sudo
+++ b/tacplus.sudo
@@ -1,15 +1,3 @@
-# This file is part of the libtacplus-map package.
-# It allow tacacs privilege level 15 users (mapped to local user tacacs15)
-# to sudo without restrictions, so they can do all switch setup and
-# administration. The tacacs15 user is added by the same package, and
-# is configured to be a disabled login
-tacacs15 ALL=(ALL:ALL) ALL
-
-# If you want to allow privileged tacacs users (level 15) to execute
-# sudo without a password, comment out the tacacs 15 line above, and
-# uncomment out the line below:
-# tacacs15 ALL=(ALL:ALL) NOPASSWD:NOEXEC: ALL
-
# Allow any tacacs group login to run this set of commands. this is just a
# demonstration.
# This example uses group tacacs, if you want all tacacs group users