[tac_plus] tac_plus problem with acl

georg.naggies at r-it.at georg.naggies at r-it.at
Wed Jul 4 07:31:04 UTC 2007


Hello Andy!

I am sorry that I have to write to you for my small problem with tac_plus, 
but the documentation doesn't seem to fit the software and I can't figure 
it out otherwise.
My problem is that access lists in tac_plus never deny access regardless 
of which hosts are permitted.

My config is:

    acl = 1 {
        deny = .*
    }

    user = demo {
        login = cleartext "test"
        service = exec {
            "acl" = 1
            priv-lvl = 1
        }
    }


And yet the request gets authorised:

Thu Jun 28 16:10:28 2007 [17928]: login query for 'demo' tty130 from 10.14.1.201 accepted
Thu Jun 28 16:10:28 2007 [18061]: connect from 10.14.1.201 [10.14.1.201]
Thu Jun 28 16:10:28 2007 [18061]: Start authorization request
Thu Jun 28 16:10:28 2007 [18061]: do_author: user='demo'
Thu Jun 28 16:10:28 2007 [18061]: user 'demo' found
Thu Jun 28 16:10:28 2007 [18061]: exec authorization request for demo
Thu Jun 28 16:10:28 2007 [18061]: exec is explicitly permitted by line 31
Thu Jun 28 16:10:28 2007 [18061]: nas:service=shell (passed thru)
Thu Jun 28 16:10:28 2007 [18061]: nas:cmd* (passed thru)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:acl=1 -> add acl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:priv-lvl=1 -> add priv-lvl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: added 2 args
Thu Jun 28 16:10:28 2007 [18061]: out_args[0] = service=shell input copy discarded
Thu Jun 28 16:10:28 2007 [18061]: out_args[1] = cmd* input copy discarded
Thu Jun 28 16:10:28 2007 [18061]: out_args[2] = acl=1 compacted to out_args[0]
Thu Jun 28 16:10:28 2007 [18061]: out_args[3] = priv-lvl=1 compacted to out_args[1]
Thu Jun 28 16:10:28 2007 [18061]: 2 output args
Thu Jun 28 16:10:28 2007 [18061]: authorization query for 'demo' tty130 from 10.14.1.201 accepted


I think I am using outdated configuration syntax, but can't find 
documentation on the newer format.

Could you, if you find the time, drop me a hint on how to configure acls?

thanks
Georg
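
Added example, not part of the original post and not tac_plus code: a Python script that groups tac_plus debug lines by process id and flags accepted authorizations in which `acl` was added to the reply as an attribute-value pair, which is what the log above shows for `acl=1`. The sample lines are taken from the post with wrapped lines rejoined; the function names are hypothetical.

```python
import re

# Sample input: lines from the debug log in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Thu Jun 28 16:10:28 2007 [18061]: Start authorization request
Thu Jun 28 16:10:28 2007 [18061]: do_author: user='demo'
Thu Jun 28 16:10:28 2007 [18061]: exec is explicitly permitted by line 31
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:acl=1 -> add acl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: nas:absent, server:priv-lvl=1 -> add priv-lvl=1 (k)
Thu Jun 28 16:10:28 2007 [18061]: authorization query for 'demo' tty130 from 10.14.1.201 accepted
"""

# "<weekday> <month> <day> <time> <year> [<pid>]: <message>"
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \[(\d+)\]: (.*)$")
USER = re.compile(r"do_author: user='([^']*)'")
ADDED = re.compile(r"server:([\w-]+)=(\S+) -> add ")
RESULT = re.compile(r"authorization query for '([^']*)' \S+ from (\S+) (accepted|rejected)")

def summarize(log_text):
    """Group debug lines by daemon pid and record what each authorization returned."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a timestamped debug line
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"user": None, "nas": None, "sent": {}, "result": None})
        if (u := USER.search(msg)):
            s["user"] = u.group(1)
        elif (a := ADDED.search(msg)):
            s["sent"][a.group(1)] = a.group(2)  # attribute the server added to the reply
        elif (r := RESULT.search(msg)):
            s["user"], s["nas"], s["result"] = r.groups()
    return sessions

def acl_sent_as_attribute(sessions):
    """Accepted authorizations where 'acl' left the server as a plain AV pair."""
    return [(pid, s["user"], s["nas"], s["sent"]["acl"])
            for pid, s in sessions.items()
            if s["result"] == "accepted" and "acl" in s["sent"]]

if __name__ == "__main__":
    for pid, user, nas, acl in acl_sent_as_attribute(summarize(SAMPLE_LOG)):
        print(f"pid {pid}: user {user} from {nas} accepted; acl={acl} returned as an attribute")
```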


