[tac_plus] Problems getting tac_plus work with PAM auth on NetBSD
Fredrik Pettai
pettai at nordu.net
Fri Nov 25 12:39:40 UTC 2011
On Nov 25, 2011, at 11:28 , Alan McKinnon wrote:
> On Fri, 25 Nov 2011 10:42:22 +0100
> Fredrik Pettai <pettai at nordu.net> wrote:
>> On Nov 24, 2011, at 18:14 , john heasley wrote:
>>> Thu, Nov 24, 2011 at 04:11:25PM +0100, Fredrik Pettai:
>>>
>>>> Does the tac_plus server have insufficient credentials running as
>>>> a non-root user to perform pam lookups?
>>>
>>> i'm not sure that it does; it would need to be able to
>>> read /etc/master.passwd.
>>
>> The problem was the dropped root privileges. After recompiling
>> without this option, it works fine.
>>
>> Another thing with dropping the root privileges, is that the daemon
>> can't reload the configuration after receiving SIGUSR1 if it runs
>> with dropped root privileges and the configuration file ownership
>> isn't correct. You won't notice this while tac_plus is starting, as
>> it has root privileges while reading the configuration file first,
>> and drops those later.
>
> A similar issue crops up with the daemon's log file. If logrotate
> creates a new file and doesn't chown/chmod it correctly, the daemon
> silently stops working. Also, if the log file doesn't exist, tac_plus
> creates it as root then drops privileges, effectively preventing itself
> from working.
Ok, we never tripped on that one since we use syslog for logging.
Re,
/P
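
The failure modes discussed in this thread (a configuration file or log file that the daemon can no longer open once it has dropped root) can be caught before a reload or log rotation with a preflight check. The following is an added example, not part of the original thread or of tac_plus; the function names and command-line arguments are hypothetical. It assumes classic Unix mode bits only (no ACLs) and does not check search permission on parent directories.

```python
import os
import pwd
import stat
import sys

BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}

def can_access(mode, f_uid, f_gid, uid, gids, want):
    """Classic Unix check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True                      # root bypasses r/w mode bits
    owner, group, other = BITS[want]
    if f_uid == uid:
        return bool(mode & owner)        # owner class wins even if it is stricter
    if f_gid in gids:
        return bool(mode & group)
    return bool(mode & other)

def preflight(checks, uid, gids):
    """checks: (path, 'r' or 'w') pairs. Returns a list of problem strings."""
    problems = []
    for path, want in checks:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            # A log file created by root at startup would fail the check below
            # afterwards, so it should exist with the right owner beforehand.
            problems.append(f"{path}: does not exist")
            continue
        if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
            problems.append(f"{path}: uid {uid} lacks '{want}' "
                            f"(owner {st.st_uid}:{st.st_gid}, "
                            f"mode {stat.S_IMODE(st.st_mode):04o})")
    return problems

if __name__ == "__main__":
    # Arguments are site-specific assumptions: the unprivileged account the
    # daemon runs as, its configuration file and its log file.
    if len(sys.argv) != 4:
        sys.exit("usage: preflight.py USER CONFIG_PATH LOG_PATH")
    user, conf, log = sys.argv[1:4]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    found = preflight([(conf, "r"), (log, "w")], pw.pw_uid, gids)
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```

Running it from the logrotate post-rotate step or before sending SIGUSR1 turns the silent failure described above into a visible non-zero exit.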