[tac_plus] Problems getting tac_plus work with PAM auth on NetBSD

john heasley heas at shrubbery.net
Tue Dec 6 19:34:54 UTC 2011


Fri, Nov 25, 2011 at 12:28:47PM +0200, Alan McKinnon:
> On Fri, 25 Nov 2011 10:42:22 +0100
> Fredrik Pettai <pettai at nordu.net> wrote:
> 
> > On Nov 24, 2011, at 18:14 , john heasley wrote:
> > > Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> > > 
> > >> Does the tac_plus server have insufficient credentials running as
> > >> a non-root user to perform pam lookups?
> > > 
> > > i'm not sure that it does; it would need to be able to
> > > read /etc/master.passwd.
> > 
> > The problem was the dropped root privileges. After recompiling
> > without this option, it works fine.
> > 
> > Another thing with dropping the root privileges, is that the daemon
> > can't reload the configuration after receiving SIGUSR1 if it runs
> > with dropped root privileges and the configuration file ownership
> > isn't correct. You won't notice this while tac_plus is starting, as
> > it has root privileges while reading the configuration file first,
> > and drops those later. 
> 
> A similar issue crops up with the daemon's log file. If logrotate
> creates a new file and doesn't chown/chmod it correctly, the daemon
> silently stops working. Also, if the log file doesn't exist, tac_plus
> creates it as root then drops privileges, effectively preventing itself
> from working.
> 

ack.  added verbiage.

> > Maybe you can add something like this to the
> > tac_plus.8 man page:
> > 
> > --- tac_plus.8.in.orig  2011-11-25 10:18:14.000000000 +0100
> > +++ tac_plus.8.in       2011-11-25 10:26:28.000000000 +0100
> > @@ -235,8 +235,9 @@
> >  If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
> > itself and re-read its configuration file.
> >  .sp
> > -Note: if an error is encountered in the configuration file, the
> > daemon -will die.
> > +Note: if an error is encountered in the configuration file or the
> > running +tac_plus daemon hasn't sufficient rights to read it (if root
> > privileges +are dropped), the daemon will die.
> >  .\"
> >  .SH "LOG MESSAGES"
> >  .B tac_plus
> > 
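Review bot: The changed lines in the Note paragraph were re-wrapped by the mailer ("daemon -will die.", "running +tac_plus", "privileges +are dropped"), so the hunk no longer has one -/+ marker per line and will not apply as sent; it should be resent unwrapped or as an attachment. On the wording, "hasn't sufficient rights to read it (if root privileges are dropped)" would be clearer as "cannot read it after root privileges have been dropped", and the note could say outright that the configuration file must be readable by the user the daemon runs as. The context line "If the daemon is receives a SIGHUP or SIGUSR1" has a stray "is" that could be fixed in the same change.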
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> 
> 
> 
> -- 
> Alan McKinnon
> alan.mckinnon at gmail.com
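The failure mode discussed in this thread (configuration read and log file created as root, privileges dropped afterwards) can be checked before the daemon is started. The following is an added example, not part of the original messages or of tac_plus; the function names and the user name and paths passed to them are hypothetical, and it looks only at classic owner/group/other mode bits (no ACLs, no parent-directory search permission).

```shell
#!/bin/sh
# Added example (not from tac_plus): pre-flight check for a daemon that
# drops root. Function names are hypothetical.

# dac_allows UID "GID ..." PATH r|w
# Returns 0 if the owner/group/other mode bits on PATH let that uid and
# group set open it for reading (r) or writing (w), 1 if not, 2 on error.
dac_allows() {
    uid=$1 gids=$2 path=$3 want=$4
    if [ "$uid" = 0 ]; then return 0; fi      # root bypasses mode bits
    line=$(ls -ldn -- "$path" 2>/dev/null) || return 2
    # ls -n prints numeric ids: mode links uid gid ...
    read -r mode links fuid fgid rest <<EOF
$line
EOF
    class=$(printf %s "$mode" | cut -c8-10)   # default: "other" bits
    for g in $gids; do                        # group bits beat "other"
        if [ "$g" = "$fgid" ]; then class=$(printf %s "$mode" | cut -c5-7); fi
    done
    # owner bits beat both, even when they grant less
    if [ "$fuid" = "$uid" ]; then class=$(printf %s "$mode" | cut -c2-4); fi
    case "$want$class" in
        rr??|w?w?) return 0 ;;
    esac
    return 1
}

# check_daemon_files USER CONFIG LOGFILE
# Reports what the unprivileged USER will be unable to do after the drop.
check_daemon_files() {
    user=$1 conf=$2 log=$3 rc=0
    u=$(id -u "$user") || return 2
    grps=$(id -G "$user") || return 2
    if ! dac_allows "$u" "$grps" "$conf" r; then
        echo "$user cannot re-read $conf on SIGHUP/SIGUSR1"; rc=1
    fi
    if ! dac_allows "$u" "$grps" "$log" w; then
        echo "$user cannot write $log (created or rotated as root?)"; rc=1
    fi
    return $rc
}
```

Running `check_daemon_files` from the startup script and from the logrotate post-rotate step covers both cases raised in the thread.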

