[tac_plus] tacacs+-F5.0.0a1 ACL regexec() return value fix

heasley heas at shrubbery.net
Fri Feb 24 00:43:36 UTC 2012


Thu, Feb 23, 2012 at 11:48:12PM +0200, Alan McKinnon:
> On Thu, 23 Feb 2012 18:05:43 +0100 (CET)
> Matej Sustr <matej at sustr.sk> wrote:
> 
> > Hello,
> > 
> > I was fighting with getting our newly installed tacacs+-F5.0.0a1 to
> > work with acls, to allow some users to log in only to some devices.
> > After debugging and looking at the source code I have noticed the
> > regex is not matching correctly. I am sending a patch that fixes the
> > incorrect behavior.
> > 
> > Okay I have now noticed at your FTP site that there's a new version
> > of F4.0.4.23 which should fix this for the F4-versions.
> > 
> > Which version do you recommend to use in a production environment?
> > Are you planning to add support for privilege dropping (running as 
> > non-root user) and chrooting?
> 
>  
> version name tacacs+-F5.0.0a1 tells me "alpha code" in neon lights, so
> I stick with 4.0.4.18 - it was deployed a while ago and nothing in the
> Changelogs since is anything I need.

very alpha.  it's the start of a yacc parser for the config + threading.

> tac_plus already supports priv dropping, run ./configure --help to see
> the options syntax to enable. It works, but with a caveat:
> non-existing log files are touched by the root user before dropping
> privs, and usually the tacacs user can't write to them. So if your log
> files don't exist, tac_plus starts just fine and refuses to work. That
> can be most annoying so ensure your log rotator touches and chmods new
> files.
> 
> I've never seen anything about chroot support, but I'm curious, why
> would you want it? If you run tac_plus on Linux, a chroot as a security
> device is rather pointless

just use a wrapper script to chroot.
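Added example, not the patch from this thread and not tac_plus source: a first-match ACL loop that shows the regexec() return-value convention the subject line's fix concerns (0 means match, REG_NOMATCH means no match, anything else is an error and is treated as deny). The struct, the sample ACL and the addresses are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed ACL entry: permit/deny verb plus a POSIX extended regex
 * that is matched against the NAS (network device) address. */
struct acl_entry {
    int permit;           /* 1 = permit, 0 = deny */
    const char *pattern;  /* regex such as "^10\\.1\\.2\\." */
};

/* Evaluate an ACL: returns 1 permit, 0 deny, -1 on an internal error.
 * The pitfall the fix addresses: regexec() returns 0 on a MATCH, so
 * "if (regexec(...))" inverts the test; compare against 0 and against
 * REG_NOMATCH explicitly, and fail closed on any other return value. */
static int acl_check(const struct acl_entry *acl, size_t n, const char *nas)
{
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        if (regcomp(&re, acl[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;                  /* unparsable pattern: deny */
        int rc = regexec(&re, nas, 0, NULL, 0);
        regfree(&re);
        if (rc == 0)
            return acl[i].permit;       /* first matching entry decides */
        if (rc != REG_NOMATCH)
            return -1;                  /* regexec() error: deny */
        /* REG_NOMATCH: try the next entry */
    }
    return 0;                           /* implicit deny at end of list */
}

/* Constructed sample ACL: deny one host, permit its /24 and a lab range. */
static const struct acl_entry corp_acl[] = {
    { 0, "^10\\.1\\.2\\.99$" },
    { 1, "^10\\.1\\.2\\." },
    { 1, "^172\\.16\\." },
};

int corp_check(const char *nas)
{
    return acl_check(corp_acl, sizeof corp_acl / sizeof corp_acl[0], nas);
}

int main(void)
{
    const char *hosts[] = { "10.1.2.5", "10.1.2.99", "172.16.4.1", "192.0.2.1" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-12s -> %s\n", hosts[i], corp_check(hosts[i]) == 1 ? "permit" : "deny");
    return 0;
}
```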
