From 4ebbab2a3fed34db7ebe5c5a3e4e955e2ebed36b Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Wed, 13 Sep 2023 11:43:12 +0300
Subject: groups: T5577: Added `radius` and `tacacs` groups

We need separate groups for RADIUS and TACACS+ system users because they need
to be referenced in PAM rules independently of each other.
---
 debian/vyos-1x.postinst | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index b43416152..35fc67af8 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,14 +29,9 @@ do
     sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
 done
 
-# We do not make use of a TACACS UNIX group - drop it
-if grep -q '^tacacs' /etc/group; then
-    delgroup tacacs
-fi
-
-# Both RADIUS and TACACS users belong to aaa group - this must be added first
-if ! grep -q '^aaa' /etc/group; then
-    addgroup --firstgid 1000 --quiet aaa
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+    addgroup --firstgid 1000 --quiet radius
 fi
 
 # Remove TACACS user added by base package - we use our own UID range and group
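Review bot: The new existence check for the `radius` group is a prefix match: `grep -q '^radius' /etc/group` is also satisfied by a pre-existing group such as `radiusd`, in which case `addgroup radius` is skipped and the later `adduser --ingroup radius` fails because the group does not exist. Anchor on the field separator instead: `if ! grep -q '^radius:' /etc/group; then`. This hunk also drops the `delgroup tacacs` step without adding a corresponding `addgroup tacacs`, although the subject line says both groups are added, so the `--ingroup tacacs` used further down must rely on a group provided by another package; that assumption deserves a comment here, e.g. `# The tacacs group is provided by the base package and must not be removed - it is used in PAM rules`.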
@@ -64,7 +59,7 @@ if ! grep -q '^tacacs' /etc/passwd; then
     level=0
     vyos_group=vyattaop
     while [ $level -lt 16 ]; do
-        adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+        adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
             --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
             --shell /bin/vbash tacacs${level}
         adduser --quiet tacacs${level} frrvty
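Review bot: `--ingroup tacacs` makes adduser fail outright if the `tacacs` group is absent, and nothing in this commit creates it (the diffstat covers only this file), so the loop depends on the base package having created the group before this postinst runs. A guard before the loop, `getent group tacacs >/dev/null || addgroup --system --quiet tacacs`, would make the postinst self-sufficient; if the group is deliberately left to the base package, a comment stating that would do. Note also that the surrounding `if ! grep -q '^tacacs' /etc/passwd` check skips this block whenever any `tacacs*` user already exists, so an installation that created these users under the old postinst keeps them in group `users` and the PAM rules keyed on `tacacs` will not match them; that is fine only if images are always built from scratch. The enclosing `if` and `while` begin before and end after this hunk.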
@@ -87,7 +82,7 @@ fi
 
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
         --shell /sbin/radius_shell radius_user
     adduser --quiet radius_user frrvty
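Review bot: The `--ingroup radius` change only takes effect on a fresh install: the guard `if ! grep -q '^radius_user' /etc/passwd` skips the whole block when the user already exists, so a system that created `radius_user` with the previous postinst keeps primary group `users` and a PAM rule keyed on group `radius` will not apply to it. If in-place upgrades of this package are supported, add a migration next to the guard, e.g. `getent group radius >/dev/null && usermod -g radius radius_user` in an `else` branch; if images are always rebuilt, a comment recording that assumption would help the next maintainer. The `if` block ends outside this hunk.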
@@ -101,7 +96,7 @@ fi
 
 # Add RADIUS admin user for RADIUS authenticated users to map to
 if ! grep -q '^radius_priv_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
         --shell /sbin/radius_shell radius_priv_user
     adduser --quiet radius_priv_user frrvty