[tac_plus] tac_plus acl match on everything

heasley heas at shrubbery.net
Fri Jan 20 22:50:57 UTC 2012


Thu, Jan 19, 2012 at 08:58:36PM +0100, Andreas Jacobi:
> Hi,
> 
> I have a tac_plus installation on a Slackware server. Everything works fine
> except my acls.
> It seems that whatever I type in an acl, it will match.
> 
> For example an acl with the regexp test will match any of my network
> equipment's source IP addresses. I tested it with a deny acl and here is the
> debug output (ip is replaced with a fake but you get the idea):
> ip 11.111.11.1 matched deny regex test of acl filter test-acl
> 
> The acl config:
> acl = test-acl {
>            deny = test
>            allow = .*
> }
> 
> I then apply the acl to a group.
> group = test-group {
>              acl = test-acl
> }
> 
> 
> tac_plus version F4.0.4.20
> 
> What am I missing here?

A bug; sorry.  Here's a patch.

Index: do_author.c
===================================================================
--- do_author.c	(revision 3467)
+++ do_author.c	(working copy)
@@ -21,6 +21,13 @@
 
 #include "tac_plus.h"
 #include <regex.h>
+#ifndef REG_OK
+# ifdef REG_NOERROR
+#  define REG_OK REG_NOERROR
+# else
+#  define REG_OK 0
+# endif
+#endif
 
 static int arg_ok(char *);
 static char *assemble_args(struct author_data *);
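Review bot: The REG_OK fallback added here is duplicated verbatim in config.c (the same seven preprocessor lines in that file's first hunk), so the two copies can drift; since both files include tac_plus.h immediately before <regex.h>, the fallback belongs once in a shared header that is included after <regex.h>. REG_OK is not a POSIX name — POSIX only guarantees that regexec() returns 0 on success — so the `# define REG_OK 0` branch is the portable one and REG_NOERROR is a glibc-specific alias for the same value; a one-line comment such as `/* REG_OK is not POSIX; regexec() returns 0 on a match */` above the block would make that explicit.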
@@ -512,7 +519,6 @@
     /* The command exists. The default if nothing matches is DENY */
     data->status = AUTHOR_STATUS_FAIL;
     data->num_out_args = 0;
-
     for (node = node->value1; node && args; node = node->next) {
 	match = regexec((regex_t *)node->value1, args, 0, NULL, 0);
 
@@ -525,7 +531,7 @@
 
 	if (match == REG_NOMATCH)
 	    continue;
-	if (match) {
+	if (match != REG_OK) {
 	    regerror(match, (regex_t *)node->value1, buf, 256);
 	    report(LOG_INFO, "regexec error: %s on line %d: %s",
 		   (char *)node->value, node->line, buf);
Index: config.c
===================================================================
--- config.c	(revision 3467)
+++ config.c	(working copy)
@@ -21,6 +21,13 @@
 
 #include "tac_plus.h"
 #include <regex.h>
+#ifndef REG_OK
+# ifdef REG_NOERROR
+#  define REG_OK REG_NOERROR
+# else
+#  define REG_OK 0
+# endif
+#endif
 
 /*
    <config>		:=	<decl>*
@@ -2037,7 +2044,7 @@
 
     next = acl->nodes;
     while (next) {
-	if (regexec((regex_t *)next->value1, ip, 0, NULL, 0)) {
+	if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) != REG_OK) {
 	    if (debug & DEBUG_AUTHEN_FLAG)
 		report(LOG_DEBUG, "ip %s matched %s regex %s of acl filter %s",
 			ip, next->type == S_deny ? "deny" : "permit",
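Review bot: The rewritten condition still enters the "matched" branch when regexec() does not return REG_OK, i.e. on REG_NOMATCH or an error, which is exactly the inversion the reporter's log shows (a deny regex `test` reported as matching an IP address); because POSIX regexec() returns 0 on a match and REG_OK as defined in this patch is also 0, `!= REG_OK` is equivalent to the original truthiness test and does not change behaviour. The comparison should be `if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) == REG_OK) {` so that only a successful match is reported and acted on. A return other than REG_OK and REG_NOMATCH is an error that would be worth logging through regerror(), as the do_author.c hunk of this same patch does, rather than folding it into either outcome. The while loop body continues outside the hunk, so the effect of the branch on the permit/deny result cannot be confirmed from here.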


