[tac_plus] Re: Installing tac_plus as a different user other than root??

Andy Saykao asaykao at gmail.com
Sun Nov 29 21:35:52 UTC 2009


Hi Alan,

1/ So in other words I should be able to run tac_plus using the ID/GID of
the tac_plus user I created because /etc/passwd should be world-readable? I
initially tried compiling with just the ID/GID of the tac_plus user but was
unable to authenticate using /etc/passwd - hence why I compiled it a second
time using the GID of the shadow group and was then able to authenticate
using /etc/passwd (not sure if this is good or bad but I just followed
somebody else's guide).

Sorry if I'm a bit naive on the unix file permission stuff, but here's the
permissions on the Ubuntu box I'm testing with.

# ls -la /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   1130 2009-11-27 12:48 /etc/passwd
-rw-r----- 1 root shadow  835 2009-11-27 12:48 /etc/shadow

2/ How do I get tac_plus to authenticate using PAM? I've googled around and
re-checked the mailing list but not much to go on. I've got a few PAM
modules installed and can see that there's a /etc/pam.conf file and
/etc/pam.d/ folder.

Cheers.

Andy



On Fri, Nov 27, 2009 at 7:37 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:

> Strictly speaking, that applies to ancient systems not running the shadow
> suite - modern systems leave /etc/passwd world-readable and restrict
> /etc/shadow to root only:
>
> Linux:
> $ ls -al /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd
> -rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow
>
> FreeBSD:
> $ ls -al /etc/passwd /etc/master.passwd
> -rw-------  1 root  wheel  5315 Oct 14 10:20 /etc/master.passwd
> -rw-r--r--  1 root  wheel  4646 Oct 14 10:20 /etc/passwd
>
> Solaris-9
> $ ls -al /etc/passwd /etc/shadow
> -r--------   1 root     sys         3692 Sep 22 17:05 /etc/passwd
> -r--------   1 root     other       1138 Nov  2 15:00 /etc/shadow
>
> All three of those boxes run tac_plus. Note that Solaris-9 qualifies as
> ancient.
> Generally, one can adjust group memberships and setuid/setgid so that
> tac_plus can read the passwd hashes.
>
> But in almost all cases, it's simpler and cleaner to just use pam -
>
>
> On Friday 27 November 2009 03:34:34 Andy Saykao wrote:
> > Thanks for that piece of information Alan. Much appreciated.
> >
> > As Alan has explained, here is a ps of my user tac-plus running the
> >  program.
> >
> > root at tacacs-1:/var/log# ps aux | grep tac
> > tac-plus 10847  0.0  0.0   2316   544 pts/0    S    12:20   0:00
> > /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg
> >
> > Please be aware that if you want to run it as a different user other than
> > root AND also want to login by using the user's password in /etc/passwd
> > then you will need to set GID to "shadow". This will allow you to read the
> > /etc/passwd file.
> >
> > # grep shadow /etc/group
> > shadow:x:42:
> >
> > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42
> >
> > Now when the program starts up it will show the uid=1001 (tac-plus user)
> >  and the gid=42 (GID shadow).
> >
> > # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128
> > Reading config
> > Version F4.0.4.19 Initialized 1
> > tac_plus server F4.0.4.19 starting
> > uid=1001 euid=1001 gid=42 egid=42 s=5
> >
> > Thanks to this guy's useful post:
> >
> > http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
> >
> > Hope that helps newbies like me out there.
> >
> > Cheers.
> >
> > Andy
> >
> > -----
> >
> > On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> > > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:
> > > > Hi All,
> > > >
> > > > Is there a way to install the program as a different user other than
> > > > root??
> > >
> > > > I'm installing this on Ubuntu Server 8.10.
> > > >
> > > > For example I've created a user called tac-plus with uid and gid of
> > > > 1001.
> > > >
> > > > /etc/passwd:
> > > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
> > > >
> > > > /etc/group:
> > > > tac-plus:x:1001:
> > > >
> > > > I then configured it with the userid and groupid:
> > > >
> > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > > > --with-logfile=/var/log/tac_plus.log --with-userid=1001
> > > > --with-groupid=1001
> > >
> > > > But once the program was installed, the files and directories are all
> > > > still owned by root?
> > > >
> > > > root at tacacs-1:/tac-plus# ls -la
> > > > total 24
> > > > drwxr-xr-x  6 root root 4096 2009-11-25 12:14 .
> > > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 bin
> > > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 include
> > > > drwxr-xr-x  2 root root 4096 2009-11-25 12:14 lib
> > > > drwxr-xr-x  4 root root 4096 2009-11-25 12:14 share
> > > >
> > > > Any ideas how to install it as a different user?
> > >
> > > It is already correctly installed. The tac-plus user simply needs to read
> > > and execute the files, not own them or write to them.
> > >
> > > Check other daemons that drop privileges at runtime; those files are
> > > normally owned by root as well, as root is the only user that can write to
> > > system areas.
> > >
> > > tac-plus just needs to be able to write its pid file
> > >
> > > --
> > > alan dot mckinnon at gmail dot com
> > > _______________________________________________
> > > tac_plus mailing list
> > > tac_plus at shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
>
> --
> alan dot mckinnon at gmail dot com
>
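The permission question running through this thread (why authentication against local passwords fails with gid=1001 but works with gid=42, and what that second choice hands the daemon) comes down to the classic owner/group/other read check against the modes Andy and Alan posted. The script below is an added example, not code from the thread or from the tac_plus project: it parses long-format `ls -la` lines (the two from Andy's Ubuntu box are embedded as constructed sample input), evaluates the read bit for a given uid/gid/supplementary-group set, and flags when a non-root daemon identity could read /etc/shadow. The `UIDS`/`GIDS` tables are a hypothetical stand-in for getpwnam()/getgrnam(), populated only with the ids quoted in the thread (tac-plus=1001, shadow=42).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two `ls -la` lines Andy posted for his Ubuntu box.
LS_OUTPUT = """\
-rw-r--r-- 1 root root   1130 2009-11-27 12:48 /etc/passwd
-rw-r----- 1 root shadow  835 2009-11-27 12:48 /etc/shadow
"""

# Hypothetical name->id tables standing in for getpwnam()/getgrnam().
# Only the ids quoted in the thread are present (tac-plus=1001, shadow=42).
UIDS = {"root": 0, "tac-plus": 1001}
GIDS = {"root": 0, "shadow": 42, "tac-plus": 1001}

# Long-format ls line: mode, link count, owner, group, size, date, path.
# Accepts both the GNU "YYYY-MM-DD HH:MM" and the BSD/Solaris "Mon DD HH:MM|YYYY" date styles.
LS_LINE = re.compile(
    r"^[-dl]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"(?:\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}|[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+"
    r"(\S+)$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner: str
    group: str
    mode: str  # nine permission characters, e.g. "rw-r-----"


def parse_ls(output: str) -> list[FileEntry]:
    """Parse long-format ls lines into FileEntry records; lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = LS_LINE.match(line)
        if m:
            mode, owner, group, path = m.groups()
            entries.append(FileEntry(path, owner, group, mode))
    return entries


def can_read(entry: FileEntry, uid: int, gid: int, supplementary=()) -> bool:
    """Unix DAC read check: exactly one class applies (owner, else group, else other).

    uid 0 bypasses DAC entirely, which is why a daemon that never drops
    privileges can always read /etc/shadow regardless of its mode bits.
    """
    if uid == 0:
        return True
    if UIDS.get(entry.owner) == uid:
        return entry.mode[0] == "r"
    if GIDS.get(entry.group) in {gid, *supplementary}:
        return entry.mode[3] == "r"
    return entry.mode[6] == "r"


def readable_by(output: str, uid: int, gid: int, supplementary=()) -> dict[str, bool]:
    """Map each listed path to whether the given identity can read it."""
    return {e.path: can_read(e, uid, gid, supplementary) for e in parse_ls(output)}


def shadow_exposed(output: str, uid: int, gid: int, supplementary=()) -> bool:
    """True when a non-root daemon identity would be able to read the hash file."""
    return uid != 0 and readable_by(output, uid, gid, supplementary).get("/etc/shadow", False)


if __name__ == "__main__":
    # The two configure choices from the thread: gid=1001 (tac-plus) and gid=42 (shadow).
    for gid in (1001, 42):
        print(f"uid=1001 gid={gid}:", readable_by(LS_OUTPUT, 1001, gid),
              "| hashes exposed:", shadow_exposed(LS_OUTPUT, 1001, gid))
```

With gid=1001 the daemon can read /etc/passwd but not /etc/shadow, so local-password authentication has no hashes to check against; with gid=42 (or shadow as a supplementary group) it can read both, which is what made Andy's second build work and also what makes every hash on the box readable by the daemon. That is the trade-off behind Alan's suggestion to use PAM instead: the privileged read happens inside the PAM stack rather than in the daemon's own identity.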