[tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
Alan McKinnon
alan.mckinnon at gmail.com
Fri Nov 25 10:28:47 UTC 2011
On Fri, 25 Nov 2011 10:42:22 +0100
Fredrik Pettai <pettai at nordu.net> wrote:
> On Nov 24, 2011, at 18:14 , john heasley wrote:
> > Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
> >
> >> Does the tac_plus server have insufficient credentials running as
> >> a non-root user to perform pam lookups?
> >
> > i'm not sure that it does; it would need to be able to
> > read /etc/master.passwd.
>
> The problem was that the dropped root privileges. After recompiling
> without this option, it works fine.
>
> Another thing with dropping the root privileges, is that the daemon
> can't reload the configuration after receiving SIGUSR1 if it runs
> with dropped root privileges and the configuration file ownership
> isn't correct. You won't notice this while tac_plus is starting, as
> it has root privileges while reading the configuration file first,
> and drops those later.
A similar issue crops us with the daemon's log file. If logrotate
creates a new file and doesn't chown/chmod it correctly, the daemon
silently stops working. Also, if the log file doesn't exist, tac_plus
creates it as root then drops privileges, effectively preventing itself
from working.
> Maybe you can add something like this to the
> tac_plus.8 man page:
>
> --- tac_plus.8.in.orig 2011-11-25 10:18:14.000000000 +0100
> +++ tac_plus.8.in 2011-11-25 10:26:28.000000000 +0100
> @@ -235,8 +235,9 @@
> If the daemon is receives a SIGHUP or SIGUSR1, it will reinitialize
> itself and re-read its configuration file.
> .sp
> -Note: if an error is encountered in the configuration file, the
> daemon -will die.
> +Note: if an error is encountered in the configuration file or the
> running +tac_plus daemon hasn't sufficient rights to read it (if root
> privileges +are dropped), the daemon will die.
> .\"
> .SH "LOG MESSAGES"
> .B tac_plus
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
--
Alan McKinnnon
alan.mckinnon at gmail.com
More information about the tac_plus
mailing list