-rw-r--r-- | debian/changelog | 14 | ||||
-rw-r--r-- | debian/control | 8 | ||||
-rw-r--r-- | debian/copyright | 2 | ||||
-rw-r--r-- | debian/libtacplus-map1.postinst | 3 | ||||
-rw-r--r-- | debian/libtacplus-map1.symbols | 1 | ||||
-rwxr-xr-x | debian/rules | 3 | ||||
-rw-r--r-- | debian/source/format | 1 | ||||
-rw-r--r-- | map_tacplus_user.c | 68 | ||||
-rw-r--r-- | map_tacplus_user.h | 16 | ||||
-rw-r--r-- | tacplus.sudo | 12 |
10 files changed, 101 insertions, 27 deletions
diff --git a/debian/changelog b/debian/changelog index 2423348..a95bab3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +libtacplus-map (1.0.1-cl5.1.0u9) RELEASED; urgency=medium + + * new build for 5.1.0 from original hash + b68ca01f1e769311831d91e47dbf372527d36764 + + -- root <root@3da22e72fb7c> Tue, 22 Feb 2022 22:55:22 +0000 + +libtacplus-map (1.0.1-cl4u1) RELEASED; urgency=medium + + * First 4.0 release + * Added support for tacacs group lookups + + -- dev-support <dev-support@cumulusnetworks.com> Mon, 30 Sep 2019 16:50:42 -0700 + libtacplus-map (1.0.1-cl3u3) RELEASED; urgency=low * Fixed problem with local fallback authentication when all TACACS diff --git a/debian/control b/debian/control index 55c3b56..3e99781 100644 --- a/debian/control +++ b/debian/control @@ -3,8 +3,11 @@ Section: admin Priority: extra Maintainer: dev-support <dev-support@cumulusnetworks.com> Build-Depends: debhelper (>= 9), dh-autoreconf, autoconf-archive, libaudit-dev, git -Standards-Version: 3.9.6 +Standards-Version: 3.9.8 Homepage: http://www.cumulusnetworks.com +XS-Build-Source: True +XS-Cumulus-Valid-Arch: amd64 armel +XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764 Package: libtacplus-map1 Architecture: any @@ -12,6 +15,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libaudit1 Description: Library for mapping TACACS+ users without local /etc/passwd entries APIs to support local mapping, so that TACACS users do not need tacacs user accounts to /etc/passwd to supply home directory, uid, and gid. +XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764 Package: libtacplus-map-dev Section: libdevel @@ -20,3 +24,5 @@ Depends: ${misc:Depends}, libtacplus-map1 (= ${binary:Version}), libc-dev Description: Development files for TACACS+ user-mapping library Header files and .so shared library link for APIs to support local TACACS mapping of accounts +XBCS-Vcs-Hash: b68ca01f1e769311831d91e47dbf372527d36764 + 
diff --git a/debian/copyright b/debian/copyright index 814080f..5d90519 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Name: libsimple-tacacct Source: http://www.cumulusnetworks.com Files: * -Copyright: 2015, 2016 Cumulus Networks, Inc. All rights reserved., +Copyright: 2015, 2016, 2017, 2018, 2019 Cumulus Networks, Inc. All rights reserved., 2010 Pawel Krawczyk <pawel.krawczyk@hush.com> and Jeroen Nijhof <jeroen@jeroennijhof.nl> License: GPL-2+ diff --git a/debian/libtacplus-map1.postinst b/debian/libtacplus-map1.postinst index 1a45376..3526c8a 100644 --- a/debian/libtacplus-map1.postinst +++ b/debian/libtacplus-map1.postinst @@ -21,6 +21,8 @@ esac # The accounts are not enabled for local login, since they are # only used to provide uid/gid/homedir for the mapped TACACS+ # logins (and lookups against them). +# The tacacs15 user is also added to the sudo group, and nclu group netedit +# rather than netshow (used for tacacs0-14). # --firstuid is used because the installed pam_tacplus configs and audit files are # for uid >1000. Ideally, there should be a way to specify a minimum, but not @@ -42,6 +44,7 @@ while [ $level -lt 16 ]; do level=$(( level+1 )) [ $level -eq 15 ] && nclu_grp=netedit done 2>&1 | grep -v 'already exists' +adduser --quiet tacacs15 sudo 2>&1 | grep -v 'already exists' exit 0 ) diff --git a/debian/libtacplus-map1.symbols b/debian/libtacplus-map1.symbols index b8e23d5..adc8d24 100644 --- a/debian/libtacplus-map1.symbols +++ b/debian/libtacplus-map1.symbols @@ -7,4 +7,5 @@ libtacplus_map.so.1 libtacplus-map1 #MINVER# map_get_sessionid@Base 1.0.0 set_auid_immutable@Base 1.0.0 update_mapuser@Base 1.0.0 + lookup_all_mapped@Base 1.0.1-cl4u1 diff --git a/debian/rules b/debian/rules index b8959fb..5951990 100755 --- a/debian/rules +++ b/debian/rules 
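Review bot: The new `adduser --quiet tacacs15 sudo 2>&1 | grep -v 'already exists'` line in libtacplus-map1.postinst discards adduser's exit status (the pipeline's status is grep's) and the enclosing subshell ends with `exit 0`, so a failure to put tacacs15 into the sudo group goes unreported at install time; as far as the visible Depends line in debian/control shows, nothing guarantees the `sudo` group exists on the target. Since the same commit removes the explicit `tacacs15 ALL=(ALL:ALL) ALL` entry from tacplus.sudo, a silent failure here leaves privilege-15 users with no sudo access at all, which is hard to diagnose. Consider guarding it, `getent group sudo >/dev/null && adduser --quiet tacacs15 sudo 2>&1 | grep -v 'already exists'`, or printing an explicit warning when adduser fails. The preceding loop uses the same swallow-everything pattern, but that part is outside the hunk.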
@@ -8,9 +8,6 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 SHELL := sh -e -CFLAGS = $(shell dpkg-buildflags --get CFLAGS) -CFLAGS+=-g3 -Wno-format-truncation -export CFLAGS %: dh $@ --with autoreconf diff --git a/debian/source/format b/debian/source/format index b9b0237..d3827e7 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1,2 +1 @@ 1.0 - diff --git a/map_tacplus_user.c b/map_tacplus_user.c index 47ddf78..7911f29 100644 --- a/map_tacplus_user.c +++ b/map_tacplus_user.c @@ -1,5 +1,5 @@ /* - * Copyright 2015, 2016, Cumulus Networks, Inc. All rights reserved. + * Copyright 2015,2016,2017,2018,2019 Cumulus Networks, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -110,6 +110,9 @@ static int is_mapmatch(struct tacacs_mapping *map, int which, const char *name, * If somebody kills, e.g., the session parent login or sshd, nothing is * left around to do the cleanup, and the entry could remain forever. * update_loguid() does this on every add and delete. + * Returns strdup'ed storage, and caller must free. + * If host is non-NULL, data placed there is also strdup'ed, and must be + * freed by caller. */ char *lookup_logname(const char *mapname, uid_t auid, unsigned session, char **host, uint16_t *flags) 
@@ -205,19 +208,21 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session, * and returns the matching mapped name (e.g, tacacs0) if found, * otherwise returns the logname argument. auid and session * will most commonly be -1 wildcards for this function. + * Returns strdup'ed storage, and caller must free */ char *lookup_mapname(const char *logname, uid_t auid, unsigned session, char **host, uint16_t *flags) { struct tacacs_mapping map; - char *mappeduser = (char *)logname; /* if no match, return original */ + char *mappeduser; int fd, cnt; + mappeduser = strdup(logname); /* if no match, return original */ if (flags) *flags = 0; /* for early returns */ fd = open(mapfile, O_RDONLY, 0600); if(fd == -1) - return (char *)logname; /* not using tacacs or might be earlier error */ + return mappeduser; /* not using tacacs or might be earlier error */ if(flock(fd, LOCK_SH)) syslog(LOG_WARNING, "%s lock of tacacs client_map_file %s failed: %m, " @@ -225,6 +230,8 @@ char *lookup_mapname(const char *logname, uid_t auid, unsigned session, while((cnt=read(fd, &map, sizeof map)) == sizeof map) { if(is_mapmatch(&map, MATCH_LOGIN, logname, auid, session)) { + if (mappeduser) + free(mappeduser); mappeduser = strndup(map.tac_mappedname, sizeof map.tac_mappedname); if(!mappeduser) { syslog(LOG_WARNING, @@ -331,10 +338,12 @@ invalid_session(int mapsess) char nmbuf[128]; /* always short path */ char sess_str[16]; int fd, cnt, sess=0; - snprintf(nmbuf, sizeof nmbuf, "/proc/%s/sessionid", dptr->d_name); + snprintf(nmbuf, sizeof nmbuf, "/proc/%.111s/sessionid", dptr->d_name); fd = open(nmbuf, O_RDONLY); - if(fd == -1) - syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf); + if(fd == -1) { + if(debug) + syslog(LOG_DEBUG, "%s: %s open fails: %m", libname, nmbuf); + } else { cnt = read(fd, sess_str, sizeof sess_str - 1); close(fd); 
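Review bot: The new unconditional `mappeduser = strdup(logname);` at the top of lookup_mapname is not checked, so on allocation failure the `return mappeduser;` after open() and the fall-through paths return NULL where the comment a few lines above ("otherwise returns the logname argument") and the old code promised a non-NULL name; callers written against that guarantee may now dereference NULL. Add `if (!mappeduser) { syslog(LOG_WARNING, "%s: strdup of %s failed: %m", libname, logname); return NULL; }` directly after the strdup, and the later `if (mappeduser) free(mappeduser);` can drop its guard since free(NULL) is a no-op. Separately, switching an exported symbol from returning the caller's pointer to returning heap storage changes its ownership contract with no soname or symbol-version change in libtacplus-map1.symbols, so existing callers that compared the result against logname to decide whether to free will now leak; that deserves a changelog or header note. lookup_mapname's body continues past the end of the hunk.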
@@ -687,3 +696,50 @@ char *get_user_to_auth(char *pamuser) origuser = lookup_logname(pamuser, auid, session, NULL, NULL); return origuser ? origuser : pamuser; } + +/* + * Given a mapname (tacacs0...15) return the comma separated list of all + * valid lognames in the map db that match that mapname. Used when doing group + * lookups, to replace, e.g. tacacs15 in a group file entry with all users + * logged in mapped to tacacs15. + * Returned string is strdup'ed, and storage must be freed by caller. + * Returns NULL if no matches. + */ +char * +lookup_all_mapped(const char *mapname) +{ + struct tacacs_mapping map; + int fd, cnt; + char *ret = NULL; + size_t retlen = 0; + + fd = open(mapfile, O_RDONLY, 0600); + if(fd == -1) { + if (debug) + syslog(LOG_DEBUG, "%s: Can't open mapfile %s: %m", libname, + mapfile); + return NULL; + } + + while((cnt=read(fd, &map, sizeof map)) == sizeof map) { + size_t llen; + char *uniq; + if (!map.tac_logname[0] || strcmp(map.tac_mappedname, mapname)) + continue; + llen = strlen(map.tac_logname); + if (ret) { /* skip if already in our returned string */ + uniq = strstr(ret, map.tac_logname); + if (uniq && (uniq[llen] == '\0' || uniq[llen] == ',') && + (uniq == ret || uniq[-1] == ',')) { + continue; + } + } + ret = realloc(ret, llen+retlen+1+(ret?1:0)); + if (retlen) + ret[retlen++] = ','; + strncpy(ret+retlen, map.tac_logname, llen+1); + retlen += llen; + } + close(fd); + return ret; +} diff --git a/map_tacplus_user.h b/map_tacplus_user.h index 9bc2dcb..65a48df 100644 --- a/map_tacplus_user.h +++ b/map_tacplus_user.h @@ -1,5 +1,5 @@ /* - * Copyright 2015, 2016, Cumulus Networks, Inc. All rights reserved. + * Copyright 2015, 2016, 2017, 2019 Cumulus Networks, Inc. All rights reserved. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
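Review bot: In lookup_all_mapped the result of `ret = realloc(ret, llen+retlen+1+(ret?1:0));` is unchecked and overwrites the only pointer to the list, so an allocation failure leaks the partial string and the following `ret[retlen++] = ','` and strncpy write through NULL. The record fields are also handled as NUL-terminated C strings (strcmp, strlen and strstr on map.tac_mappedname and map.tac_logname) although they appear to be fixed-size fields filled straight from read(), and lookup_mapname copies tac_mappedname with a sizeof-bounded strndup, which suggests termination is not guaranteed; if so, a full-width field makes these calls read past the struct. Unlike lookup_mapname, this loop also takes no LOCK_SH on the map file, so it can observe a record mid-update. The rewrite below keeps the interface, bounds the field accesses and checks realloc; the open/close and the duplicate check (now on the local copy) are unchanged.
```c
    while((cnt=read(fd, &map, sizeof map)) == sizeof map) {
        char logname[sizeof map.tac_logname + 1];
        size_t llen;
        char *grown;
        /* fields are fixed-size and may not be NUL-terminated: bound every access */
        if (!map.tac_logname[0] ||
            strncmp(map.tac_mappedname, mapname, sizeof map.tac_mappedname))
            continue;
        llen = strnlen(map.tac_logname, sizeof map.tac_logname);
        memcpy(logname, map.tac_logname, llen);
        logname[llen] = '\0';
        /* … unchanged: duplicate check against ret, using logname … */
        grown = realloc(ret, retlen + llen + 2);
        if (!grown) {
            syslog(LOG_WARNING, "%s: out of memory listing users mapped to %s",
                   libname, mapname);
            free(ret);
            close(fd);
            return NULL;
        }
        ret = grown;
        if (retlen)
            ret[retlen++] = ',';
        memcpy(ret + retlen, logname, llen + 1);
        retlen += llen;
    }
```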
@@ -27,7 +27,7 @@ #include <pwd.h> #include <utmp.h> -#define MAP_TACPLUS_FILE "/var/run/tacacs_client_map" +#define MAP_TACPLUS_FILE "/run/tacacs_client_map" #define MAP_FILE_VERSION 2 /* version two adds tac_mapflags (compatible) */ @@ -68,7 +68,7 @@ unsigned map_get_sessionid(void); /* return the sessionid for this session */ * returns the name passed as first argument. Passing name as NULL * requests match on auid and session only. * - * If the returned pointer != first arg and non-NULL, caller should free it. + * The caller must free the returned string, if not NULL. * * This only works while a mapped user is logged in, and since the auid and * session are lookup keys, only for processes that are descendents @@ -100,6 +100,16 @@ char *lookup_mapuid(uid_t uid, uid_t auid, unsigned session, char *lookup_mapname(const char *logname, uid_t auid, unsigned session, char **host, uint16_t *flags); +/* + * Given a mapname (tacacs0...15) return the comma separated list of all + * valid lognames in the map db that match that mapname. Used when doing + * group lookups, to replace, e.g. tacacs15 in a group file entry with all + * users logged in mapped to tacacs15. + * Returned string is strdup'ed, and storage must be freed by caller. + * Returns NULL if no matches. + */ +char *lookup_all_mapped(const char *mapname); + /* This is not a public entry point, it's a helper routine for pam_tacplus */ void __update_loguid(char *); diff --git a/tacplus.sudo b/tacplus.sudo index bc90883..9702f59 100644 --- a/tacplus.sudo +++ b/tacplus.sudo 
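Review bot: Changing `MAP_TACPLUS_FILE` to `/run/tacacs_client_map` in the public header means any consumer built against the previous header keeps addressing `/var/run/tacacs_client_map` while newly built code uses `/run`; the two only agree on systems where /var/run is a symlink to /run, and nothing in the package checks that. If both locations must keep working during an upgrade, a comment next to the define, `/* /var/run is a symlink to /run on supported releases; older consumers still use the old path */`, or a runtime fallback in the library would make the assumption explicit.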
@@ -1,15 +1,3 @@ -# This file is part of the libtacplus-map package. -# It allow tacacs privilege level 15 users (mapped to local user tacacs15) -# to sudo without restrictions, so they can do all switch setup and -# administration. The tacacs15 user is added by the same package, and -# is configured to be a disabled login -tacacs15 ALL=(ALL:ALL) ALL - -# If you want to allow privileged tacacs users (level 15) to execute -# sudo without a password, comment out the tacacs 15 line above, and -# uncomment out the line below: -# tacacs15 ALL=(ALL:ALL) NOPASSWD:NOEXEC: ALL - # Allow any tacacs group login to run this set of commands. this is just a # demonstration. # This example uses group tacacs, if you want all tacacs group users |