[tac_plus] Problem With tac_plus
Jason Gardiner
gardiner at purdigital.net
Mon Jan 22 18:44:24 UTC 2007
Hello,
I've run across a problem and I'm about to tear out my hair. I have
tac_plus set up for Ciscos, but it seems that every command issued after
"config t" is allowed, even when explicitly denied. Here is the config:
user = xxxxx {
    default service = deny
    name = "xxxxxx"
    login = des xxxxxx
    ms-chap = cleartext yyyyyyy
    service = exec { priv-lvl = 15 }
    cmd = load-interval { deny .* }
    cmd = show { permit "arp|config" }
    cmd = write { permit "terminal" }
    cmd = terminal { permit "length .*" }
    cmd = configure { permit .* }
    cmd = arp { permit ".*" }
    cmd = ip { permit "route .* 255.255.255.255 .*" }
    cmd = interface { deny .* }
    cmd = no { deny "ip address" }
}
As it stands, the user can perform a 'show arp,' but a 'show clock'
returns with a "Command authorization failed" as expected.
However, if the user does a 'config t,' then he can still perform an
'interface loopback 112' even though it should be denied AFAICT.
Any insight that you can offer into this would be greatly appreciated.
--
Thanks,
Jason Gardiner
Purdigital Engineering
"You can swim all day in the Sea of Knowledge and
still come out completely dry. Most people do."
- Norton Juster
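To check what the posted stanza actually decides for each command, here is an added example (not from the post and not tac_plus code) that emulates tac_plus cmd authorization over that configuration; the session lines are constructed, and treating a cmd block with no matching clause as deny is an assumption noted in the code.

```python
import re

# The cmd blocks from the user stanza in the post, in the order they appear:
# first word of the command -> list of (action, regex) clauses. This emulator is
# an added example, not code from the post or from tac_plus itself.
CMD_RULES = {
    "load-interval": [("deny", ".*")],
    "show":          [("permit", "arp|config")],
    "write":         [("permit", "terminal")],
    "terminal":      [("permit", "length .*")],
    "configure":     [("permit", ".*")],
    "arp":           [("permit", ".*")],
    "ip":            [("permit", "route .* 255.255.255.255 .*")],
    "interface":     [("deny", ".*")],
    "no":            [("deny", "ip address")],
}

def authorize(command_line, rules=CMD_RULES, default_service="deny"):
    """Return "permit" or "deny" for one fully expanded command line.

    tac_plus looks up the first word in the cmd blocks and tests the remaining
    words (joined by single spaces) against each regex in order, unanchored;
    the first match decides. No cmd block -> 'default service'. A cmd block
    where nothing matches is treated as deny (assumption; it is what the post
    reports for 'show clock').
    """
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    clauses = rules.get(cmd)
    if clauses is None:
        return default_service
    for action, pattern in clauses:
        if re.search(pattern, args):
            return action
    return "deny"

def evaluate(command_lines):
    """Map each command line to the decision this configuration gives it."""
    return {line: authorize(line) for line in command_lines}

if __name__ == "__main__":
    # Constructed sample session; IOS sends commands to the TACACS+ server in
    # expanded form, so "config t" arrives as "configure terminal".
    session = ["show arp", "show clock", "configure terminal",
               "interface loopback 112", "no shutdown",
               "ip route 10.0.0.0 255.255.255.255 192.0.2.1", "reload"]
    for line, decision in evaluate(session).items():
        print(f"{decision:6}  {line}")
```

Every configuration-mode line in the sample is denied by this configuration, so a router that still accepts `interface loopback 112` is not sending an authorization request for it at all. On IOS, commands entered in configuration mode are only submitted for command authorization when `aaa authorization config-commands` is configured, which is the first thing to verify on the device.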