diff options
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/control | 14 | ||||
| -rwxr-xr-x | debian/rules | 11 | ||||
| -rw-r--r-- | debian/vyos-1x.postinst | 56 | ||||
| -rw-r--r-- | debian/vyos-1x.preinst | 1 |
4 files changed, 60 insertions, 22 deletions
diff --git a/debian/control b/debian/control index ec08968c9..dcce8036a 100644 --- a/debian/control +++ b/debian/control @@ -6,14 +6,8 @@ Build-Depends: debhelper (>= 9), dh-python, fakeroot, - gcc-multilib [amd64], - clang [amd64], + gcc, iproute2, - llvm [amd64], - libbpf-dev [amd64], - libelf-dev (>= 0.2) [amd64], - libpcap-dev [amd64], - build-essential, libvyosconfig0 (>= 0.0.7), libzmq3-dev, python3 (>= 3.10), @@ -32,6 +26,10 @@ Standards-Version: 3.9.6 Package: vyos-1x Architecture: amd64 arm64 +Pre-Depends: + libnss-tacplus (>= 1.0.4), + libpam-tacplus (>= 1.4.3), + libpam-radius-auth (>= 1.5.0) Depends: ${python3:Depends} (>= 3.10), aardvark-dns, @@ -84,13 +82,11 @@ Depends: lcdproc-extra-drivers, libatomic1, libauparse0, - libbpf1 [amd64], libcharon-extra-plugins (>=5.9), libcharon-extauth-plugins (>=5.9), libndp-tools, libnetfilter-conntrack3, libnfnetlink0, - libpam-radius-auth (>= 1.5.0), libqmi-utils, libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), diff --git a/debian/rules b/debian/rules index 55e02fae6..e613f1e0a 100755 --- a/debian/rules +++ b/debian/rules @@ -28,10 +28,6 @@ override_dh_gencontrol: override_dh_auto_build: make all -ifeq ($(DEB_TARGET_ARCH),amd64) - # Only build XDP on amd64 systems - make vyxdp -endif override_dh_auto_install: dh_auto_install @@ -127,10 +123,3 @@ override_dh_auto_install: # Install udev script mkdir -p $(DIR)/usr/lib/udev cp src/helpers/vyos_net_name $(DIR)/usr/lib/udev - -ifeq ($(DEB_TARGET_ARCH),amd64) - # We only install XDP on amd64 systems - mkdir -p $(DIR)/$(VYOS_DATA_DIR)/xdp - cp -r src/xdp/xdp_prog_kern.o $(DIR)/$(VYOS_DATA_DIR)/xdp - find src/xdp -perm /a+x -exec cp {} $(DIR)/$(VYOS_SBIN_DIR) \; -endif diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 6653cd585..9822ce286 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -29,10 +29,60 @@ do sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file done +# Remove TACACS user added by base package - we use our own UID range and group +# assignments - see below +if grep -q '^tacacs' /etc/passwd; then + if [ $(id -u tacacs0) -ge 1000 ]; then + level=0 + vyos_group=vyattaop + while [ $level -lt 16 ]; do + userdel tacacs${level} || true + level=$(( level+1 )) + done 2>&1 + fi +fi + +# Add TACACS system users required for TACACS based system authentication +if ! grep -q '^tacacs' /etc/passwd; then + # Add the tacacs group and all 16 possible tacacs privilege-level users to + # the password file, home directories, etc. The accounts are not enabled + # for local login, since they are only used to provide uid/gid/homedir for + # the mapped TACACS+ logins (and lookups against them). The tacacs15 user + # is also added to the sudo group, and vyattacfg group rather than vyattaop + # (used for tacacs0-14). + level=0 + vyos_group=vyattaop + while [ $level -lt 16 ]; do + adduser --quiet --system --firstuid 900 --disabled-login --ingroup ${vyos_group} \ + --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \ + --shell /bin/vbash tacacs${level} + adduser --quiet tacacs${level} frrvty + adduser --quiet tacacs${level} adm + adduser --quiet tacacs${level} dip + adduser --quiet tacacs${level} users + adduser --quiet tacacs${level} aaa + if [ $level -lt 15 ]; then + adduser --quiet tacacs${level} vyattaop + adduser --quiet tacacs${level} operator + else + adduser --quiet tacacs${level} vyattacfg + adduser --quiet tacacs${level} sudo + adduser --quiet tacacs${level} disk + adduser --quiet tacacs${level} frr + fi + level=$(( level+1 )) + done 2>&1 | grep -v 'User tacacs${level} already exists' +fi + + +if ! grep -q '^aaa' /etc/group; then + addgroup --firstgid 1000 --quiet aaa +fi + # Add RADIUS operator user for RADIUS authenticated users to map to if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \ - --no-create-home --gecos "radius user" \ + --no-create-home --gecos "RADIUS mapped user at privilege level operator" \ --shell /sbin/radius_shell radius_user adduser --quiet radius_user frrvty adduser --quiet radius_user vyattaop @@ -40,12 +90,13 @@ if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users + adduser --quiet radius_user aaa fi # Add RADIUS admin user for RADIUS authenticated users to map to if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \ - --no-create-home --gecos "radius privileged user" \ + --no-create-home --gecos "RADIUS mapped user at privilege level admin" \ --shell /sbin/radius_shell radius_priv_user adduser --quiet radius_priv_user frrvty adduser --quiet radius_priv_user vyattacfg @@ -55,6 +106,7 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users adduser --quiet radius_priv_user frr + adduser --quiet radius_priv_user aaa fi # add hostsd group for vyos-hostsd diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index 949ffcbc4..bfbeb112c 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -3,6 +3,7 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius +dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile |