From edd7c245d3a77012abf801da00d5664ebaa5f749 Mon Sep 17 00:00:00 2001
From: paul
Date: Wed, 4 Jun 2003 13:59:38 +0000
Subject: 2003-06-04 Paul Jakma

	* Merge of zebra privileges
---
 redhat/zebra.pam     | 18 +++++++++++++++++-
 redhat/zebra.spec.in | 51 ++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 57 insertions(+), 12 deletions(-)
 (limited to 'redhat')

diff --git a/redhat/zebra.pam b/redhat/zebra.pam
index fb17f59e..1390edf4 100644
--- a/redhat/zebra.pam
+++ b/redhat/zebra.pam
@@ -1,10 +1,26 @@
 #%PAM-1.0
 #
+
+##### if running zebra as root:
 # Only allow root (and possibly wheel) to use this because enable access
 # is unrestricted.
+# auth sufficient /lib/security/pam_rootok.so
-auth sufficient /lib/security/pam_rootok.so
 # Uncomment the following line to implicitly trust users in the "wheel" group.
 #auth sufficient /lib/security/pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the "wheel" group.
 #auth required /lib/security/pam_wheel.so use_uid
+###########################################################
+
+# If using zebra privileges and with a seperate group for vty access, then
+# access can be controlled via the vty access group, and pam can simply
+# check for valid user/password
+#
+# only allow local users.
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_stack.so service=system-auth
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_stack.so service=system-auth
+password required /lib/security/pam_stack.so service=system-auth
+session required /lib/security/pam_stack.so service=system-auth
+session optional /lib/security/pam_console.so
diff --git a/redhat/zebra.spec.in b/redhat/zebra.spec.in
index ce3a6fb4..85b3b318 100644
--- a/redhat/zebra.spec.in
+++ b/redhat/zebra.spec.in
@@ -1,4 +1,4 @@
-# conditionals
+# configure options
 %define with_snmp 0
 %define with_vtysh 1
 %define with_ospf_te 1
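Review bot: The comment `# only allow local users.` above the added `auth required /lib/security/pam_securetty.so` overstates what that module does: pam_securetty only refuses root when the session's tty is not listed in /etc/securetty and returns success for every non-root user, so it does not limit which local users can authenticate to the vty. Whether the calling client sets PAM_TTY is not visible from this hunk; if it does not, pam_securetty can fail for root independently of /etc/securetty, which is worth confirming before shipping this stack as the default. The actual gate on non-root access in this layout is membership in the vty group, as the paragraph above already says, so the comment should read `# pam_securetty restricts only root (to ttys in /etc/securetty); non-root access is gated by the vty group` or the line should be dropped. The new comment also spells `seperate` for `separate`.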
@@ -11,6 +11,8 @@
 %define with_ospfclient 1
 %define with_ospfapi 1
 %define with_multipath 64
+%define zebra_user zebra
+%define vty_group zebravty
 # path defines
 %define _sysconfdir /etc/zebra
@@ -22,12 +24,12 @@
 %define _libexecdir %{_exec_prefix}/libexec/zebra
 %define _includedir %{_prefix}/include/zebra
 %define _libdir %{_exec_prefix}/%{_lib}/zebra
-%define _localstatedir %{_prefix}/var/run
+%define _localstatedir /var/run/zebra
 Summary: Routing daemon
 Name: zebra
 Version: @VERSION@
-Release: @CONFDATE@
+Release: @CONFDATE@01
 License: GPL
 Group: System Environment/Daemons
 Source0: ftp://ftp.zebra.org/pub/zebra/%{name}-%{version}.tar.gz
@@ -80,10 +82,7 @@ developing OSPF-API and zebra applications.
 %setup -q
 %build
-./update-autotools
 %configure \
-	--with-cflags="-O2" \
-	--enable-netlink \
 %if %with_ipv6
 	--enable-ipv6 \
 %endif
@@ -119,12 +118,17 @@ developing OSPF-API and zebra applications.
 	--enable-ospfapi=no \
 %endif
 %if %with_pam
-	--with-libpam
+	--with-libpam \
 %endif
-
-pushd vtysh
-make %{?_smp_mflags} rebuild
-popd
+%if %zebra_user
+	--enable-user=%zebra_user \
+	--enable-group=%zebra_user \
+%endif
+%if %vty_group
+	--enable-vty-group=%vty_group \
+%endif
+--with-cflags="-O2" \
+--enable-netlink
 make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
@@ -151,6 +155,18 @@ install %{zeb_rh_src}/ospfd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ospfd
 install %{zeb_rh_src}/ripd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ripd
 install -m644 %{zeb_rh_src}/zebra.pam $RPM_BUILD_ROOT/etc/pam.d/zebra
 install -m644 %{zeb_rh_src}/zebra.logrotate $RPM_BUILD_ROOT/etc/logrotate.d/zebra
+install -d -m750 $RPM_BUILD_ROOT/var/run/zebra
+
+%pre
+# add vty_group
+%if %vty_group
+groupadd -r %vty_group 2> /dev/null || :
+%endif
+# add zebra user and group
+%if %zebra_user
+/usr/sbin/useradd -M -r -s /bin/false -c "Zebra routing suite" \
+ -d %_localstatedir %zebra_user 2> /dev/null || :
+%endif
 %post
 # zebra_spec_add_service
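Review bot: The new `%pre` creates `%zebra_user` with useradd but never creates the same-named group that `--enable-group=%zebra_user` in the %configure hunk relies on; it only works where useradd's default creates a per-user group (USERGROUPS_ENAB yes, the usual Red Hat setting) and fails silently elsewhere because `2> /dev/null || :` swallows every error. Making the group explicit removes the dependency on login.defs: add `groupadd -r %zebra_user 2> /dev/null || :` before the useradd and put `-g %zebra_user` on its continuation line, mirroring what is already done for `%vty_group`. Because all errors are discarded, a failed useradd still lets the install complete and the `%attr` owners in %files then name an account that does not exist; guarding with `getent passwd %zebra_user > /dev/null ||` instead of ignoring every failure keeps the idempotence without hiding real errors. `-d %_localstatedir` deliberately points the no-login account's home at /var/run/zebra, which deserves a one-line comment since that macro is also redefined in this commit.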
@@ -235,9 +251,19 @@ fi
 %doc doc/zebra.html
 %doc doc/mpls
 %doc ChangeLog INSTALL NEWS README REPORTING-BUGS SERVICES TODO
+%if %zebra_user
+%dir %attr(751,%zebra_user,%zebra_user) %{_sysconfdir}
+%dir %attr(750,%zebra_user,%zebra_user) /var/log/zebra
+%dir %attr(751,%zebra_user,%zebra_user) /var/run/zebra
+%else
 %dir %attr(750,root,root) %{_sysconfdir}
 %dir %attr(750,root,root) /var/log/zebra
 %dir %attr(755,root,root) /usr/share/info
+%dir %attr(750,root,root) /var/run/zebra
+%endif
+%if %vty_group
+%attr(750,%zebra_user,%vty_group) %{_sysconfdir}/vtysh.conf.sample
+%endif
 %{_infodir}/*info*
 %{_mandir}/man*/*
 %{_sbindir}/*
@@ -262,6 +288,9 @@ fi
 %endif
 %changelog
+* Tue Mar 20 2003 Paul Jakma
+- zebra privileges support
+
 * Mon Mar 18 2003 Paul Jakma
 - Fix mem leak in 'show thread cpu'
 - Ralph Keller's OSPF-API
-- cgit v1.2.1
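Review bot: In the `%if %zebra_user` branch the added `%dir %attr(751,...)` entries make `%{_sysconfdir}` and `/var/run/zebra` world-traversable and group-owned by the daemon user rather than by the vty group this commit introduces, so the modes of the individual config files and sockets inside become the only barrier to other local users. Since the pam comment in this same commit says vty access is meant to be controlled via the vty group, group-owning those two directories by that group at 750, e.g. `%dir %attr(750,%zebra_user,%vty_group) /var/run/zebra`, would keep the traverse right to vty members (this presumes `%vty_group` is set whenever `%zebra_user` is, which the defaults at the top of the spec satisfy). Note also that `%install` creates /var/run/zebra with `-m750` while this list assigns 751; `%attr` wins, but the two should agree. Separately, moving `%dir %attr(755,root,root) /usr/share/info` inside the `%else` branch silently drops that entry from the default zebra_user build; if it is meant to go, remove it from both branches rather than only one.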