[tac_plus] tacacs+-F5.0.0a1 ACL regexec() return value fix

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Feb 23 22:10:12 UTC 2012


F4.0.4.19 has been rock solid for me, with afl patch.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Thursday, February 23, 2012 2:48 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tacacs+-F5.0.0a1 ACL regexec() return value fix

On Thu, 23 Feb 2012 18:05:43 +0100 (CET) Matej Sustr <matej at sustr.sk>
wrote:

> Hello,
>
> I was fighting with getting our newly installed tacacs+-F5.0.0a1 to
> work with acls, to allow some users to log in only to some devices.
> After debugging and looking at the source code I have noticed the
> regex is not matching correctly. I am sending a patch that fixes the
> incorrect behavior.
>
> Okay I have now noticed at your FTP site that there's a new version of
> F4.0.4.23 which should fix this for the F4-versions.
>
> Which version do you recommend to use in a production environment?
> Are you planning to add support for privilege dropping (running as
> non-root user) and chrooting?


version name tacacs+-F5.0.0a1 tells me "alpha code" in neon lights, so I
stick with 4.0.4.18 - it was deployed a while ago and nothing in the
Changelogs since is anything I need.

tac_plus already supports priv dropping, run ./configure --help to see the
options syntax to enable. It works, but with a caveat:
non-existing log files are touched by the root user before dropping privs,
and usually the tacacs user can't write to them. So if your log files
don't exist, tac_plus starts just fine and refuses to work. That can be
most annoying so ensure your log rotator touches and chmods new files.

I've never seen anything about chroot support, but I'm curious, why would
you want it? If you run tac_plus on Linux, a chroot as a security device
is rather pointless.


--
Alan McKinnon
alan.mckinnon at gmail.com

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
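The log-file caveat Alan describes above (tac_plus touches missing log files as root before dropping privileges, so the unprivileged daemon user then cannot write to them) can be avoided by pre-creating the files with the right owner and mode before the daemon starts. The script below is an added example written for this page; it is not part of the tac_plus distribution and is not code from anyone in this thread. The daemon user and group name "tacacs", the mode 0640 and the log paths in the usage comment are assumptions; substitute whatever your build was configured to drop privileges to.

```shell
#!/bin/sh
# Added example (not tac_plus project code): pre-create the daemon's log files
# with the ownership and mode the unprivileged user needs, so a tac_plus that
# drops privileges after start-up can still open them for writing.
# The user/group "tacacs" and the paths in the usage line are assumptions.

# ensure_logfile OWNER GROUP MODE PATH...
# Creates each missing PATH as an empty file, then sets OWNER:GROUP and MODE
# on every PATH (existing files keep their contents). Returns non-zero if any
# file could not be created or its ownership/mode could not be set.
ensure_logfile() {
    owner=$1; group=$2; mode=$3
    shift 3
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            touch "$f" || { echo "cannot create $f" >&2; rc=1; continue; }
        fi
        chown "$owner:$group" "$f" || { echo "cannot chown $f" >&2; rc=1; }
        chmod "$mode" "$f" || { echo "cannot chmod $f" >&2; rc=1; }
    done
    return $rc
}

# logfile_mode PATH: print the permission string ls(1) shows for PATH,
# e.g. -rw-r-----, so a start-up script can verify the result.
logfile_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage, run as root before starting the daemon (paths are assumed):
# ensure_logfile tacacs tacacs 0640 /var/log/tac_plus.log /var/log/tac_plus.acct
```

Run it from the daemon's start-up script, and apply the same rule to log rotation as Alan suggests: a logrotate stanza with `create 0640 tacacs tacacs` recreates the rotated-away file with the daemon user as owner, so the next rotation does not reintroduce a root-owned, unwritable log.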


