[tac_plus] Re: Problem With tac_plus

john heasley heas at shrubbery.net
Tue Jan 23 16:04:50 UTC 2007


Mon, Jan 22, 2007 at 01:44:24PM -0500, Jason Gardiner:
> Hello,
> 
> I've run across a problem and I'm about to tear out my hair.  I have
> tac_plus setup for Ciscos, but it seems that every command issued after
> "config t" is allowed, even when explicitly denied.  Here is the config
> 
> user = xxxxx {
>     default service = deny
>     name = "xxxxxx"
>     login = des xxxxxx
>     ms-chap = cleartext yyyyyyy
>     service = exec { priv-lvl = 15 }
>     cmd = load-interval { deny .* }
>     cmd = show { permit "arp|config" }
>     cmd = write { permit "terminal" }
>     cmd = terminal { permit "length .*" }
>     cmd = configure { permit .* }
>     cmd = arp { permit ".*" }
>     cmd = ip { permit "route .* 255.255.255.255 .*" }
>     cmd = interface { deny .* }
>     cmd = no { deny "ip address" }
> }
> 
> 
> As it stands, the user can perform a 'show arp,' but a 'show clock'
> returns with a "Command authorization failed" as expected.
> 
> However, if the user does a 'config t,' then he can still perform an
> 'interface loopback 112' even though it should be denied AFAICT.
> 
> Any insight that you can offer into this would be greatly appreciated.
> 

never tried config-mode command authorization.  try authorization debugging
with -d 8.  perhaps something is prepended to the command in config
mode or, for the interface xx question, there is no authorization for moving
among config 'levels'.
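To make the expected decisions concrete, here is an added reference model of tac_plus-style per-command authorization applied to the cmd blocks quoted above. It is example code written for this page, not tac_plus source or anything from the thread, and its matching model (first word selects the cmd block, remaining words are joined into one argument string, permit/deny regexes are tried in order with an unanchored search, first match wins, no match or no block denies) is an assumption, simplified from how the daemon behaves. Running it shows that the policy as written denies 'interface loopback 112', which is why the debug output (what the device actually sends in config mode) is the thing to compare against.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy: the poster's cmd blocks transcribed as (action, regex)
# lines in the order they appear. "default service = deny" is modelled by
# denying any command with no cmd block at all.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "load-interval": [("deny", ".*")],
    "show":          [("permit", "arp|config")],
    "write":         [("permit", "terminal")],
    "terminal":      [("permit", "length .*")],
    "configure":     [("permit", ".*")],
    "arp":           [("permit", ".*")],
    "ip":            [("permit", r"route .* 255.255.255.255 .*")],
    "interface":     [("deny", ".*")],
    "no":            [("deny", "ip address")],
}


def authorize(command_line: str) -> Tuple[str, str]:
    """Return ('permit' | 'deny', reason) for one command line a NAS might send.

    Assumed model (not a quote of tac_plus source): the first word is the cmd,
    the rest is the argument string, rules are tried in order with re.search,
    the first matching rule decides, and no match means deny.
    """
    words = command_line.split()
    if not words:
        return ("deny", "empty command")
    cmd, args = words[0], " ".join(words[1:])

    rules = POLICY.get(cmd)
    if rules is None:
        return ("deny", f"no cmd block for {cmd!r}; default service = deny")

    for action, pattern in rules:
        if re.search(pattern, args):
            return (action, f'cmd = {cmd} {{ {action} "{pattern}" }} matched {args!r}')
    return ("deny", f"no {cmd} rule matched {args!r}; implicit deny at end of block")


def audit(lines: List[str]) -> Dict[str, str]:
    """Map each command line to the decision the policy model gives it."""
    return {line: authorize(line)[0] for line in lines}


if __name__ == "__main__":
    # Constructed sample of commands, including the two the poster reported
    # and the one that is unexpectedly allowed on the device.
    SAMPLE = [
        "show arp",
        "show clock",
        "configure terminal",
        "interface loopback 112",
        "no ip address",
        "no shutdown",
        "ip route 10.0.0.0 255.255.255.255 192.0.2.1",
        "write memory",
        "reload",
    ]
    for line in SAMPLE:
        decision, why = authorize(line)
        print(f"{decision:6}  {line!r:48}  {why}")
```

If the daemon's `-d 8` trace shows a cmd value for the config-mode command that differs from the plain first word used here (a prefix, or a different argument split), the table above no longer applies to what the device sent, and that difference is where the allow decision comes from.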
