authorpaul <paul>2003-06-04 13:59:38 +0000
committerpaul <paul>2003-06-04 13:59:38 +0000
commitedd7c245d3a77012abf801da00d5664ebaa5f749 (patch)
treed4fada229d7980fb751f28c9a979aa88de1a0af0 /redhat
parenta159ed935b580ed99111a185734ddd9c973e7691 (diff)
2003-06-04 Paul Jakma <paul@dishone.st>
* Merge of zebra privileges
Diffstat (limited to 'redhat')
-rw-r--r--redhat/zebra.pam18
-rw-r--r--redhat/zebra.spec.in51
2 files changed, 57 insertions, 12 deletions
diff --git a/redhat/zebra.pam b/redhat/zebra.pam
index fb17f59e..1390edf4 100644
--- a/redhat/zebra.pam
+++ b/redhat/zebra.pam
@@ -1,10 +1,26 @@
#%PAM-1.0
#
+
+##### if running zebra as root:
# Only allow root (and possibly wheel) to use this because enable access
# is unrestricted.
+# auth sufficient /lib/security/pam_rootok.so
-auth sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/pam_wheel.so use_uid
+###########################################################
+
+# If using zebra privileges and with a seperate group for vty access, then
+# access can be controlled via the vty access group, and pam can simply
+# check for valid user/password
+#
+# only allow local users.
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so
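Review bot: The comment `# only allow local users.` above the pam_securetty line overstates what that module does: pam_securetty only restricts the root account to ttys listed in /etc/securetty, so every non-root system account is admitted purely by the system-auth stack on the lines that follow. I would reword it to `# root only from a secure tty; all other accounts are checked by system-auth` and make the paragraph above explicit that the vty access group, not PAM, is the real gate on who may reach the vty. The `session optional /lib/security/pam_console.so` line also deserves a second look: it hands console device ownership to whoever authenticates, which seems unrelated to a vty login and presumably came from a login-style template; if it is not needed, dropping it removes a side effect nobody expects from a routing daemon's PAM service.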
diff --git a/redhat/zebra.spec.in b/redhat/zebra.spec.in
index ce3a6fb4..85b3b318 100644
--- a/redhat/zebra.spec.in
+++ b/redhat/zebra.spec.in
@@ -1,4 +1,4 @@
-# conditionals
+# configure options
%define with_snmp 0
%define with_vtysh 1
%define with_ospf_te 1
@@ -11,6 +11,8 @@
%define with_ospfclient 1
%define with_ospfapi 1
%define with_multipath 64
+%define zebra_user zebra
+%define vty_group zebravty
# path defines
%define _sysconfdir /etc/zebra
@@ -22,12 +24,12 @@
%define _libexecdir %{_exec_prefix}/libexec/zebra
%define _includedir %{_prefix}/include/zebra
%define _libdir %{_exec_prefix}/%{_lib}/zebra
-%define _localstatedir %{_prefix}/var/run
+%define _localstatedir /var/run/zebra
Summary: Routing daemon
Name: zebra
Version: @VERSION@
-Release: @CONFDATE@
+Release: @CONFDATE@01
License: GPL
Group: System Environment/Daemons
Source0: ftp://ftp.zebra.org/pub/zebra/%{name}-%{version}.tar.gz
@@ -80,10 +82,7 @@ developing OSPF-API and zebra applications.
%setup -q
%build
-./update-autotools
%configure \
- --with-cflags="-O2" \
- --enable-netlink \
%if %with_ipv6
--enable-ipv6 \
%endif
@@ -119,12 +118,17 @@ developing OSPF-API and zebra applications.
--enable-ospfapi=no \
%endif
%if %with_pam
- --with-libpam
+ --with-libpam \
%endif
-
-pushd vtysh
-make %{?_smp_mflags} rebuild
-popd
+%if %zebra_user
+ --enable-user=%zebra_user \
+ --enable-group=%zebra_user \
+%endif
+%if %vty_group
+ --enable-vty-group=%vty_group \
+%endif
+--with-cflags="-O2" \
+--enable-netlink
make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
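Review bot: `%if %zebra_user` on the new conditional lines expands to `%if zebra`, a bare unquoted word; rpm's %if evaluator expects a numeric or quoted-string expression, so this looks likely to fail with a parse error rather than test whether a user name is configured, and the same construct recurs in the %pre and %files hunks below (and `%if %vty_group` throughout). If the intent is "enable privilege separation when a user name is set", a quoted comparison such as `%if "%{zebra_user}" != ""` expresses it, or a numeric toggle alongside the existing `with_*` defines would match the file's own style. If the rpm in use happens to accept bare words this is only a portability concern, but it is worth confirming with a test build before merge.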
@@ -151,6 +155,18 @@ install %{zeb_rh_src}/ospfd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ospfd
install %{zeb_rh_src}/ripd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ripd
install -m644 %{zeb_rh_src}/zebra.pam $RPM_BUILD_ROOT/etc/pam.d/zebra
install -m644 %{zeb_rh_src}/zebra.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/zebra
+install -d -m750 $RPM_BUILD_ROOT/var/run/zebra
+
+%pre
+# add vty_group
+%if %vty_group
+groupadd -r %vty_group 2> /dev/null || :
+%endif
+# add zebra user and group
+%if %zebra_user
+/usr/sbin/useradd -M -r -s /bin/false -c "Zebra routing suite" \
+ -d %_localstatedir %zebra_user 2> /dev/null || :
+%endif
%post
# zebra_spec_add_service <service name> <port/proto> <comment>
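Review bot: The `groupadd`/`useradd` calls in %pre discard stderr and force success with `|| :`, so a failure to create the `%zebra_user` account (name already taken by an unrelated account, reserved-uid range exhausted) is silent, and the later `%attr(...,%zebra_user,%zebra_user)` entries then fail at install time with no hint of the cause. Keeping the idempotent `|| :` but verifying afterwards, e.g. `getent passwd %zebra_user >/dev/null || exit 1`, makes a real failure visible. The group named `%zebra_user` that `--enable-group=%zebra_user` relies on is never created explicitly; presumably it comes from useradd's default per-user group on Red Hat, which is worth confirming. Minor: `useradd` is invoked by absolute path while `groupadd` is not.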
@@ -235,9 +251,19 @@ fi
%doc doc/zebra.html
%doc doc/mpls
%doc ChangeLog INSTALL NEWS README REPORTING-BUGS SERVICES TODO
+%if %zebra_user
+%dir %attr(751,%zebra_user,%zebra_user) %{_sysconfdir}
+%dir %attr(750,%zebra_user,%zebra_user) /var/log/zebra
+%dir %attr(751,%zebra_user,%zebra_user) /var/run/zebra
+%else
%dir %attr(750,root,root) %{_sysconfdir}
%dir %attr(750,root,root) /var/log/zebra
%dir %attr(755,root,root) /usr/share/info
+%dir %attr(750,root,root) /var/run/zebra
+%endif
+%if %vty_group
+%attr(750,%zebra_user,%vty_group) %{_sysconfdir}/vtysh.conf.sample
+%endif
%{_infodir}/*info*
%{_mandir}/man*/*
%{_sbindir}/*
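Review bot: The `%if %zebra_user` branch of %files drops the `%dir %attr(755,root,root) /usr/share/info` entry that the `%else` branch keeps, so a privilege-separated build no longer declares ownership of that directory; unless that is deliberate, move `%dir %attr(755,root,root) /usr/share/info` to just before `%if %zebra_user` and remove it from the `%else` branch. The `%attr(750,%zebra_user,%vty_group) %{_sysconfdir}/vtysh.conf.sample` line is guarded only by `%if %vty_group`, so a build with a vty group but no zebra user would produce an empty owner field. Separately, the new branch changes %{_sysconfdir} and /var/run/zebra from 750 to 751, giving every local user search access into the config directory; that is presumably what lets `%vty_group` members reach the vtysh config, and a one-line comment saying so would stop a later maintainer from tightening it back.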
@@ -262,6 +288,9 @@ fi
%endif
%changelog
+* Tue Mar 20 2003 Paul Jakma <paul@dishone.st>
+- zebra privileges support
+
* Mon Mar 18 2003 Paul Jakma <paul@dishone.st>
- Fix mem leak in 'show thread cpu'
- Ralph Keller's OSPF-API