[tac_plus] tacacs+-F5.0.0a1 ACL regexec() return value fix

Alan McKinnon alan.mckinnon at gmail.com
Thu Feb 23 21:48:12 UTC 2012


On Thu, 23 Feb 2012 18:05:43 +0100 (CET)
Matej Sustr <matej at sustr.sk> wrote:

> Hello,
> 
> I was fighting with getting our newly installed tacacs+-F5.0.0a1 to
> work with acls, to allow some users to log in only to some devices.
> After debugging and looking at the source code I have noticed the
> regex is not matching correctly. I am sending a patch that fixes the
> incorrect behavior.
> 
> Okay I have now noticed at your FTP site that there's a new version
> of F4.0.4.23 which should fix this for the F4-versions.
> 
> Which version do you recommend to use in a production environment?
> Are you planning to add support for privilege dropping (running as 
> non-root user) and chrooting?

 
version name tacacs+-F5.0.0a1 tells me "alpha code" in neon lights, so
I stick with 4.0.4.18 - it was deployed a while ago and nothing in the
Changelogs since is anything I need.

tac_plus already supports priv dropping, run ./configure --help to see
the options syntax to enable. It works, but with a caveat:
non-existing log files are touched by the root user before dropping
privs, and usually the tacacs user can't write to them. So if your log
files don't exist, tac_plus starts just fine and refuses to work. That
can be most annoying so ensure your log rotator touches and chmods new
files.

I've never seen anything about chroot support, but I'm curious, why
would you want it? If you run tac_plus on Linux, a chroot as a security
device is rather pointless.


-- 
Alan McKinnon
alan.mckinnon at gmail.com
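The log-file caveat above (root touches missing log files before privileges are dropped, so the unprivileged user cannot write them) is easy to catch before the daemon starts. The following pre-start check is an added example, not code from the tac_plus project or from either poster: it creates each log file up front with the intended owner and mode, then verifies ownership. The user/group name "tacacs", the mode 0640 and the log paths in LOG_FILES are assumptions; substitute the files named in your own tac_plus configuration.

```shell
#!/bin/sh
# Added example (not from the tac_plus project): pre-start check for the
# privilege-dropping log-file caveat. Missing log files created by root
# before privs are dropped end up unwritable by the tacacs user, so we
# create them first with the right owner/mode and verify before starting.
# Assumed names: user/group "tacacs", mode 0640, and the paths in LOG_FILES.

TAC_USER="${TAC_USER:-tacacs}"
TAC_GROUP="${TAC_GROUP:-tacacs}"
LOG_MODE="${LOG_MODE:-0640}"
# Placeholder paths; use the log/accounting files from your tac_plus config.
LOG_FILES="${LOG_FILES:-/var/log/tac_plus/acct.log /var/log/tac_plus/tac_plus.log}"

# file_uid FILE -> numeric uid of the file's owner.
# Uses ls -n (POSIX) instead of stat, whose flags differ between GNU and BSD.
file_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# prepare_log FILE UID GID MODE
# Creates FILE if absent, applies MODE, and (only when running as root)
# hands it to UID:GID. Returns 0 if FILE is owned by UID afterwards.
prepare_log() {
    f="$1"; uid="$2"; gid="$3"; mode="$4"
    [ -e "$f" ] || touch "$f" || return 1
    chmod "$mode" "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$f" || return 1
    fi
    [ "$(file_uid "$f")" = "$uid" ]
}

# check_logs UID FILE... -> 0 only if every FILE exists and is owned by UID.
# Each problem is reported on stderr; this is exactly the state that
# otherwise shows up as "tac_plus starts fine but refuses to work".
check_logs() {
    uid="$1"; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing log file: $f" >&2; rc=1
        elif [ "$(file_uid "$f")" != "$uid" ]; then
            echo "log file not owned by uid $uid: $f (uid $(file_uid "$f"))" >&2; rc=1
        fi
    done
    return "$rc"
}

# main: resolve the tacacs uid/gid, prepare every log file, then re-check.
main() {
    uid=$(id -u "$TAC_USER") || { echo "no such user: $TAC_USER" >&2; return 1; }
    gid=$(id -g "$TAC_USER") || return 1
    for f in $LOG_FILES; do
        prepare_log "$f" "$uid" "$gid" "$LOG_MODE" || return 1
    done
    check_logs "$uid" $LOG_FILES
}

# Run with:  sh ensure_tac_logs.sh run   (as root, before starting tac_plus).
# Without "run" the file only defines the functions, so it can be sourced.
if [ "${1-}" = "run" ]; then
    main
fi
```

Run it as root from the init script before tac_plus is started, and again from the log rotator's post-rotate step, which is where the email says new files most often appear; with both in place the "starts fine, refuses to work" failure cannot recur silently, because the ownership check fails loudly instead.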


