[tac_plus] Re: Installing tac_plus as a different user other than root??
Alan McKinnon
alan.mckinnon at gmail.com
Sun Nov 29 22:03:33 UTC 2009
Hi Andy,
You need to get yourself a decent guid on Unix permissions and file ownership.
It's not hard to grasp (it's actually the simplest thing that could possibly
work) and there are many resources on the internet. Without this knowledge,
configuring Unix daemons becomes a Herculean task.
So you have Ubuntu, that explains things. It also explains why tac_plus needs
to be a member of the shadow group. Your problem is not the /etc/password file
- that is always world-readable on Linux so that anything can see what
accounts exist. The problem is the /etc/shadow file which contains the
password hashes and can only be read by the root user and the shadow group
(look at the permissions).
Your setup will work as you have attested but I find this way of doing things
odd. You will not be using tac_plus to auth users wanting access to the Ubuntu
box itself, so why have you given them local accounts on the tacacs server?
Unless you have taken steps to disable their shell (make the shell /bin/false
or such), they can probably log into the tacacs server itself. This may be
what you want, you in the real world usually isn't. It's far easier to simply
define your tacacs users in the tac_plus.conf file itself and keep the users
off the server.
As to PAM - this is a software layer that sits between your applications and
the user accounts. In a nutshell, apps can be built with support for PAM and
when running, they query PAM to find out if certain access is allowed. PAM
answers yes or no depending on the rules you set up. It's a fine idea in
principle but the practise is way more complex, and it is exceptionally easy
to get it very wrong. PAM requires thorough knowledge of the entire subject,
not because PAM is poor quality, but because the subject of authentication
itself is *hard* (much like quantum physics is hard :-) )
I don't believe there's such a thing as an easy step by step guide to
configuring PAM. Contrary to what I said earlier you should probably leave
this alone till you've had time to study it thoroughly.
On Sunday 29 November 2009 23:35:52 Andy Saykao wrote:
> Hi Alan,
>
> 1/ So in other words I should be able to run tac_plus using the ID/GID of
> the tac_plus user I created because /etc/passwd should be world-readable? I
> intially tried compiling with just the ID/GID of the tac_plus user but was
> unable to authenticate using /etc/passwd - hence why I compiled it a second
> time using the GID of the shadow group and was then able to authenticate
> using /etc/passwd (not sure if this is good or bad but I just followed
> somebody else's guide).
>
> Sorry if I'm a bit naive on the unix file permission stuff, but here's the
> permissions on the Ubuntu box I'm testing with.
>
> # ls -la /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd
> -rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow
>
> 2/ How do I get tac_plus to authenticate using PAM? I've googled around and
> re-checked the mailing list but not much to go on. I've got a few PAM
> modules installed and can see that there's a /etc/pam.conf file and
> /etc/pam.d/ folder.
>
> Cheers.
>
> Andy
>
> On Fri, Nov 27, 2009 at 7:37 PM, Alan McKinnon
<alan.mckinnon at gmail.com>wrote:
> > Strictly speaking, that applies to ancient systems not running the shadow
> > suite - modern systems leave /etc/passwd world-readable and restrict
> > /etc/shadow to root only:
> >
> > Linux:
> > $ ls -al /etc/passwd /etc/shadow
> > -rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd
> > -rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow
> >
> > FreeBSD:
> > $ ls -al /etc/passwd /etc/master.passwd
> > -rw------- 1 root wheel 5315 Oct 14 10:20 /etc/master.passwd
> > -rw-r--r-- 1 root wheel 4646 Oct 14 10:20 /etc/passwd
> >
> > Solaris-9
> > $ ls -al /etc/passwd /etc/shadow
> > -r-------- 1 root sys 3692 Sep 22 17:05 /etc/passwd
> > -r-------- 1 root other 1138 Nov 2 15:00 /etc/shadow
> >
> > All three those boxes run tac_plus. Note that Solaris-9 qualifies as
> > ancient.
> > Generally, once can adjust group memberships and setuid/setgid so that
> > tac_plus can read the passwd hashes.
> >
> > But in almost all cases, it's simpler and cleaner to just use pam -
> >
> > On Friday 27 November 2009 03:34:34 Andy Saykao wrote:
> > > Thanks for that piece of information Alan. Much appreciated.
> > >
> > > As Alan has explained, here is a ps of my user tac-plus running the
> > > program.
> > >
> > > root at tacacs-1:/var/log# ps aux | grep tac
> > > tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00
> > > /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg
> > >
> > > Please be aware that if you want to run it as a different user other
> > > than root AND also want to login by using the user's password in
> > > /etc/passwd then you will need to set GID to "shadow". This will allow
> > > you to read
> >
> > the
> >
> > > /etc/passwd file.
> > >
> > > # grep shadow /etc/group
> > > shadow:x:42:
> > >
> > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > > --with-logfile=/var/log/tac_plus.log --with-userid=1001
> > > --with-groupid=42
> > >
> > > Now when the program starts up it will show the uid=1001 (tac-plus
> > > user) and the gid=42 (GID shadow).
> > >
> > > # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128
> > > Reading config
> > > Version F4.0.4.19 Initialized 1
> > > tac_plus server F4.0.4.19 starting
> > > uid=1001 euid=1001 gid=42 egid=42 s=5
> > >
> > > Thanks to this guy's useful post:
> >
> > http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-c
> >is
> >
> > > co-howtos-documents-and-notes/cisco-and-tacacs
> > >
> > > Hope that helps newbies like me out there.
> > >
> > > Cheers.
> > >
> > > Andy
> > >
> > > -----
> > >
> > > On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon
> >
> > <alan.mckinnon at gmail.com>wrote:
> > > > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:
> > > > > Hi All,
> > > > >
> > > > > Is there a way to install the program as a different user other
> > > > > than
> > > >
> > > > root??
> > > >
> > > > > I'm installing this on Ubuntu Server 8.10.
> > > > >
> > > > > For example I've created a user called tac-plus with uid and gid of
> > > > > 1001.
> > > > >
> > > > > /etc/passwd:
> > > > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
> > > > >
> > > > > /etc/group:
> > > > > tac-plus:x:1001:
> > > > >
> > > > > I then configured it with the userid and groupid:
> > > > >
> > > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > > > > --with-logfile=/var/log/tac_plus.log --with-userid=1001
> > > >
> > > > --with-groupid=1001
> > > >
> > > > > But once the program was installed, the files and directories are
> > > > > all
> > > >
> > > > still
> > > >
> > > > > own by root?
> > > > >
> > > > > root at tacacs-1:/tac-plus# ls -la
> > > > > total 24
> > > > > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 .
> > > > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib
> > > > > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share
> > > > >
> > > > > Any ideas how to install it as a different user?
> > > >
> > > > It is already correctly installed. The tac-plus user simply needs to
> >
> > read
> >
> > > > and
> > > > execute the files, not own them or write to them.
> > > >
> > > > Check other daemons that drop privileges at runtime, those files are
> > > > normally
> > > > owned by root as well as root is the only user that can write to
> > > > system areas.
> > > >
> > > > tac-plus just needs to be able to write it's pid file
> > > >
> > > > --
> > > > alan dot mckinnon at gmail dot com
> > > > _______________________________________________
> > > > tac_plus mailing list
> > > > tac_plus at shrubbery.net
> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
> > --
> > alan dot mckinnon at gmail dot com
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
--
alan dot mckinnon at gmail dot com
More information about the tac_plus
mailing list