[tac_plus] Problems getting tac_plus work with PAM auth on NetBSD

Alan McKinnon alan.mckinnon at gmail.com
Fri Nov 25 10:28:47 UTC 2011


On Fri, 25 Nov 2011 10:42:22 +0100
Fredrik Pettai <pettai at nordu.net> wrote:

> On Nov 24, 2011, at 18:14 , john heasley wrote:
> > Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> > 
> >> Does the tac_plus server have insufficient credentials running as
> >> a non-root user to perform pam lookups?
> > 
> > i'm not sure that it does; it would need to be able to
> > read /etc/master.passwd.
> 
> The problem was the dropped root privileges. After recompiling
> without this option, it works fine.
> 
> Another thing with dropping the root privileges, is that the daemon
> can't reload the configuration after receiving SIGUSR1 if it runs
> with dropped root privileges and the configuration file ownership
> isn't correct. You won't notice this while tac_plus is starting, as
> it has root privileges while reading the configuration file first,
> and drops those later. 

A similar issue crops up with the daemon's log file. If logrotate
creates a new file and doesn't chown/chmod it correctly, the daemon
silently stops working. Also, if the log file doesn't exist, tac_plus
creates it as root then drops privileges, effectively preventing itself
from working.



> Maybe you can add something like this to the
> tac_plus.8 man page:
> 
> --- tac_plus.8.in.orig  2011-11-25 10:18:14.000000000 +0100
> +++ tac_plus.8.in       2011-11-25 10:26:28.000000000 +0100
> @@ -235,8 +235,9 @@
>  If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
> itself and re-read its configuration file.
>  .sp
> -Note: if an error is encountered in the configuration file, the
> daemon -will die.
> +Note: if an error is encountered in the configuration file or the
> running +tac_plus daemon hasn't sufficient rights to read it (if root
> privileges +are dropped), the daemon will die.
>  .\"
>  .SH "LOG MESSAGES"
>  .B tac_plus
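
Review bot: the added Note (the "+Note: if an error is encountered ..." lines) says the daemon "hasn't sufficient rights to read it" without saying whose rights are meant. Suggest wording it as "or the file is not readable by the user tac_plus runs as after dropping root privileges", which tells the administrator which ownership or mode to fix. The context line "If the daemon is receives a SIGHUP or SIGUSR1" has a stray "is" that could be corrected in the same patch. The hunk has also been re-wrapped in transit (for example "daemon -will die." and "running +tac_plus"), so it will not apply as posted; resending it as an attachment would avoid that.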
> 



-- 
Alan McKinnon
alan.mckinnon at gmail.com
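
A pre-flight check for the failure mode discussed in this thread, as an added example that is not part of the original message and is not tac_plus code: it tests whether the unprivileged account the daemon runs as can still read the configuration file and write the log file. The paths, uid 500 and gid 50 are constructed placeholders; the check covers classic owner/group/other mode bits for a non-root uid only and ignores ACLs and directory permissions.

```python
import os
from collections import namedtuple

# Minimal stand-in for os.stat_result so sample data can be embedded inline.
Stat = namedtuple("Stat", "st_uid st_gid st_mode")

def mode_allows(st, uid, gids, want):
    """UNIX mode-bit check for a non-root uid; want is 'r' or 'w'.
    Exactly one class applies (owner, then group, then other), so an
    owner without the bit is denied even if the group has it."""
    bit = {"r": 4, "w": 2}[want]
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def preflight(needs, uid, gids, stat_fn=os.stat):
    """needs maps path -> 'r' or 'w'. Returns a list of (path, problem)."""
    problems = []
    for path, want in needs.items():
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            # A missing log would be created before the privilege drop,
            # owned by root, which is the case described above.
            problems.append((path, "missing"))
            continue
        if not mode_allows(st, uid, gids, want):
            problems.append((path, "uid %d lacks %s" % (uid, want)))
    return problems

# Constructed sample data: placeholder paths, uid 500 / gid 50 as the daemon account.
CONF, LOG = "/example/tac_plus.conf", "/example/tac_plus.log"
NEEDS = {CONF: "r", LOG: "w"}
# Config readable by root only; log recreated by a rotation job as root.
BROKEN = {CONF: Stat(0, 0, 0o600), LOG: Stat(0, 0, 0o644)}
# Config group-readable by the daemon's group; log owned by the daemon account.
FIXED = {CONF: Stat(0, 50, 0o640), LOG: Stat(500, 50, 0o640)}

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, preflight(NEEDS, 500, {50}, table.__getitem__))
```

Calling preflight() with the default stat_fn checks real files, so it can be run before sending SIGUSR1 or from a log rotation post-step.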

