[tac_plus] Re: Installing tac_plus as a different user other than root??

Alan McKinnon alan.mckinnon at gmail.com
Fri Nov 27 08:37:30 UTC 2009


Strictly speaking, that applies to ancient systems not running the shadow 
suite - modern systems leave /etc/passwd world-readable and restrict 
/etc/shadow to root only:

Linux:
$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd
-rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow

FreeBSD:
$ ls -al /etc/passwd /etc/master.passwd
-rw-------  1 root  wheel  5315 Oct 14 10:20 /etc/master.passwd
-rw-r--r--  1 root  wheel  4646 Oct 14 10:20 /etc/passwd

Solaris-9
$ ls -al /etc/passwd /etc/shadow
-r--------   1 root     sys         3692 Sep 22 17:05 /etc/passwd
-r--------   1 root     other       1138 Nov  2 15:00 /etc/shadow

All three of those boxes run tac_plus. Note that Solaris-9 qualifies as ancient. 
Generally, one can adjust group memberships and setuid/setgid so that 
tac_plus can read the passwd hashes.

But in almost all cases, it's simpler and cleaner to just use pam - 


On Friday 27 November 2009 03:34:34 Andy Saykao wrote:
> Thanks for that piece of information Alan. Much appreciated.
> 
> As Alan has explained, here is a ps of my user tac-plus running the program.
> 
> root at tacacs-1:/var/log# ps aux | grep tac
> tac-plus 10847  0.0  0.0   2316   544 pts/0    S    12:20   0:00 /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg
> 
> Please be aware that if you want to run it as a different user other than
> root AND also want to login by using the user's password in /etc/passwd
> then you will need to set GID to "shadow". This will allow you to read the
> /etc/passwd file.
> 
> # grep shadow /etc/group
> shadow:x:42:
> 
> ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42
> 
> Now when the program starts up it will show the uid=1001 (tac-plus user)
> and the gid=42 (GID shadow).
> 
> # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128
> Reading config
> Version F4.0.4.19 Initialized 1
> tac_plus server F4.0.4.19 starting
> uid=1001 euid=1001 gid=42 egid=42 s=5
> 
> Thanks to this guy's useful post:
> 
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
> 
> Hope that helps newbies like me out there.
> 
> Cheers.
> 
> Andy
> 
> -----
> 
> On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:
> > > Hi All,
> > >
> > > Is there a way to install the program as a different user other than
> > > root??
> >
> > > I'm installing this on Ubuntu Server 8.10.
> > >
> > > For example I've created a user called tac-plus with uid and gid of
> > > 1001.
> > >
> > > /etc/passwd:
> > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
> > >
> > > /etc/group:
> > > tac-plus:x:1001:
> > >
> > > I then configured it with the userid and groupid:
> > >
> > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > > --with-logfile=/var/log/tac_plus.log --with-userid=1001
> > > --with-groupid=1001
> >
> > > But once the program was installed, the files and directories are all
> > > still owned by root?
> > >
> > > root at tacacs-1:/tac-plus# ls -la
> > > total 24
> > > drwxr-xr-x  6 root root 4096 2009-11-25 12:14 .
> > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 bin
> > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 include
> > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 lib
> > > drwxr-xr-x  4 root root 4096 2009-11-25 12:14 share
> > >
> > > Any ideas how to install it as a different user?
> >
> > It is already correctly installed. The tac-plus user simply needs to read
> > and execute the files, not own them or write to them.
> >
> > Check other daemons that drop privileges at runtime, those files are
> > normally owned by root as well as root is the only user that can write to
> > system areas.
> >
> > tac-plus just needs to be able to write its pid file
> >
> > --
> > alan dot mckinnon at gmail dot com
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> 

-- 
alan dot mckinnon at gmail dot com
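As an added example, not code from this thread or from the tac_plus project, the following POSIX sh script emulates the kernel's owner/group/other read check so that the listings above can be tried against a given uid and gid without touching the live system. It assumes the numeric ids root=0, sys=3, shadow=42 and tac-plus=1001 (42 and 1001 are from the thread, 0 and 3 are the usual values) and constructs its inputs from the three ls listings. It also encodes the fact that Debian and Ubuntu ship /etc/shadow as 0640 root:shadow, which is why gid 42 worked for Andy on Ubuntu 8.10, whereas the 0600 root:root /etc/shadow in the Linux listing above cannot be read by gid 42 at all.

```shell
#!/bin/sh
# Added example (not from the thread or tac_plus): emulate the kernel's
# discretionary "may this process read this file" decision from the mode
# string, owner and group as printed by ls -l. Assumed numeric ids:
# root=0, sys=3, shadow=42, tac-plus=1001. Nothing is read from the system.

# in_groups TARGET_GID GID [SUPPLEMENTARY_GIDS...]
# Succeeds if TARGET_GID is the primary gid or one of the supplementary gids.
in_groups() {
    target=$1; shift
    for g in "$@"; do
        [ "$g" -eq "$target" ] && return 0
    done
    return 1
}

# can_read MODE OWNER_UID GROUP_GID PROC_UID PROC_GID [SUPPLEMENTARY_GIDS...]
# Prints "yes" or "no" and returns 0 or 1. As in the kernel, exactly one
# class of bits is consulted: owner bits if the uid matches, otherwise group
# bits if any of the process's groups matches, otherwise the "other" bits.
# uid 0 bypasses the check entirely (CAP_DAC_READ_SEARCH on Linux).
can_read() {
    mode=$1 owner=$2 group=$3 uid=$4 gid=$5
    shift 5
    if [ "$uid" -eq 0 ]; then
        echo yes; return 0
    fi
    if [ "$uid" -eq "$owner" ]; then
        pos=2                          # owner read bit, e.g. -r--------
    elif in_groups "$group" "$gid" "$@"; then
        pos=5                          # group read bit, e.g. ----r-----
    else
        pos=8                          # other read bit, e.g. -------r--
    fi
    if [ "$(printf '%s' "$mode" | cut -c"$pos")" = r ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# The thread's listings as constructed inputs, evaluated for the tac-plus
# daemon (uid 1001) with the gid it was built with.
demo() {
    printf 'Ubuntu /etc/shadow 0640 root:shadow, gid 42          : %s\n' \
        "$(can_read -rw-r----- 0 42 1001 42)"
    printf 'Linux  /etc/shadow 0600 root:root,   gid 42          : %s\n' \
        "$(can_read -rw------- 0 0 1001 42)"
    printf 'Ubuntu /etc/shadow, gid 1001 + supplementary gid 42  : %s\n' \
        "$(can_read -rw-r----- 0 42 1001 1001 42)"
    printf 'Ubuntu /etc/shadow, gid 1001, no supplementary group : %s\n' \
        "$(can_read -rw-r----- 0 42 1001 1001)"
    printf 'Linux  /etc/passwd 0644 root:root,   gid 1001        : %s\n' \
        "$(can_read -rw-r--r-- 0 0 1001 1001)"
    printf 'FreeBSD /etc/master.passwd 0600 root:wheel, gid 1001 : %s\n' \
        "$(can_read -rw------- 0 0 1001 1001)"
    printf 'Solaris-9 /etc/passwd 0400 root:sys, gid 1001        : %s\n' \
        "$(can_read -r-------- 0 3 1001 1001)"
    printf 'Solaris-9 /etc/passwd 0400 root:sys, as root         : %s\n' \
        "$(can_read -r-------- 0 3 0 0)"
    # Only one bit class applies: an owner without the owner read bit is
    # refused even though the group bit would have allowed it.
    printf 'file 0040 owned by 1001:42, process 1001/42          : %s\n' \
        "$(can_read ----r----- 1001 42 1001 42)"
}

demo
```

Run it with sh; the cases at the bottom reproduce the thread's listings. Two points it makes visible: Andy's build works because the configure-time gid 42 becomes the primary gid of the daemon, so no supplementary group handling is needed, and the "uid=1001 euid=1001 gid=42 egid=42" debug line shows only the primary ids, so whether a daemon installs supplementary groups (as with initgroups(3)) after dropping privileges cannot be read off that line. The last case shows the asymmetry that catches people who hand-edit ownership: once the owner matches, the group bits are never consulted.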

