[tac_plus] tacacs+ F5.0.0a patches

Robert Drake rdrake at direcpath.com
Sat Dec 27 03:29:03 UTC 2014


I'm attaching patches to fix a couple of minor bugs with compiling, and 
to add support for CLI options for setuid/setgid so that people can drop 
privileges at runtime instead of compile time.  This is important for me 
because the OS I'm using distributes binary versions of most packages, 
so the normal method of installing a package is for the user to be 
created at install time.  The uid couldn't be determined in advance 
unless they had some form of uid reservation policy for their internal 
use and did a good job of sticking to it.

In any case, this is how most binaries seem to handle dropping 
privileges; bind and snmpd are examples.  An alternative or additional 
option would be to place the user configuration in tac_plus.conf, which 
might be a bit harder to document.

Thanks,
Robert
-------------- next part --------------
From 13b49714d14649f3d19b90a0dd5898ffa5572566 Mon Sep 17 00:00:00 2001
From: Robert Drake <rdrake at direcpath.com>
Date: Fri, 26 Dec 2014 21:04:29 -0500
Subject: [PATCH 2/5] can be built without MAXSESS being defined

---
 maxsessint.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/maxsessint.c b/maxsessint.c
index b874f17..b8b3bd8 100644
--- a/maxsessint.c
+++ b/maxsessint.c
@@ -45,6 +45,7 @@ is_async(char *portname)
     return(0);
 }
 
+#ifdef MAXSESS
 /*
  * See if this user can have more sessions.
  */
@@ -103,3 +104,4 @@ maxsess_check_count(char *user, struct author_data *data)
     }
     return(0);
 }
+#endif /* MAXSESS */
-- 
1.9.1

-------------- next part --------------
From 906749c3e4dba2c576dc54943f6e4a4eb6936c47 Mon Sep 17 00:00:00 2001
From: Robert Drake <rdrake at direcpath.com>
Date: Fri, 26 Dec 2014 20:54:42 -0500
Subject: [PATCH 3/5] changes to make setuid and setgid runtime

---
 tac_plus.8.in |  8 +++++++-
 tac_plus.c    | 35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/tac_plus.8.in b/tac_plus.8.in
index 5210b19..62ad6ed 100644
--- a/tac_plus.8.in
+++ b/tac_plus.8.in
@@ -142,7 +142,7 @@ used in log messages, libwrap (tcp_wrappers) checks, and for matching host
 clauses of the configuration file.  Also see
 .BR tac_plus.conf (5).
 .\"
-.TP 
+.TP
 .B \-P
 Parse the configuration file, echo it to standard output while
 parsing, and then exit.
@@ -159,6 +159,12 @@ for incoming tcp connections.  Note: this changes the name of the
 pid file created by the daemon.
 .\"
 .TP
+.B \-U <setuid username>
+Specify the username that we will try to use to setuid() the process to.
+.TP
+.B \-Q <setgid groupname>
+Specify the groupname that we will try to use to setgid() the process to.
+.TP
 .B \-S
 Enables or allows client single-connection mode, where-by the client will
 create one connection and interleave queries.
diff --git a/tac_plus.c b/tac_plus.c
index cdf0ad6..bf4564c 100644
--- a/tac_plus.c
+++ b/tac_plus.c
@@ -28,6 +28,8 @@
 #include <poll.h>
 #include <sys/wait.h>
 #include <signal.h>
+#include <pwd.h>
+#include <grp.h>
 
 #ifdef LIBWRAP
 # include <tcpd.h>
@@ -56,6 +58,8 @@ int opt_S;			/* enable single-connection */
 int wtmpfd;			/* for wtmp file logging */
 char *wtmpfile = NULL;
 char *bind_address = NULL;
+char *setuid_user = NULL;
+char *setgid_group = NULL;
 
 struct timeval started_at;
 
@@ -261,7 +265,7 @@ main(int argc, char **argv)
 	tac_exit(1);
     }
 
-    while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:")) != EOF)
+    while ((c = getopt(argc, argv, "B:C:d:hiPp:tGgvSsLl:w:u:U:Q:")) != EOF)
 	switch (c) {
 	case 'B':		/* bind() address*/
 	    bind_address = optarg;
@@ -316,6 +320,12 @@ main(int argc, char **argv)
 	case 'u':
 	    wtmpfile = tac_strdup(optarg);
 	    break;
+    case 'U':
+        setuid_user = tac_strdup(optarg);
+        break;
+    case 'Q':
+        setgid_group = tac_strdup(optarg);
+        break;
 
 	default:
 	    fprintf(stderr, "%s: bad switch %c\n", progname, c);
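Review bot: The new `case 'U':` and `case 'Q':` arms are indented with spaces while the neighbouring arms (`case 'u':`) use tabs, and the same space-indented lines appear in the usage() hunk (`" [-U <setuid username>]"`, `" [-Q <setgid groupname>]"`) and in the setuid/setgid block; indenting with tabs like the surrounding code keeps the file consistent and the diff minimal. main() starts and ends outside this hunk.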
@@ -512,6 +522,27 @@ main(int argc, char **argv)
 	    childpid = 0;
 	}
     }
+
+    if (setuid_user) {
+        struct passwd *pw;
+        if ((pw = getpwnam(setuid_user)) == NULL) {
+            report(LOG_ERR, "Cannot set userid to %s.  getpwname(setuid_user) failed.\n");
+        }
+        if (setuid(pw->pw_uid))
+        report(LOG_ERR, "Cannot set user id to %d %s",
+               pw->pw_uid, strerror(errno));
+    }
+
+    if (setgid_group) {
+        struct group *gr;
+        if ((gr = getgrnam(setgid_group)) == NULL) {
+            report(LOG_ERR, "Cannot set groupid to %s.  getgrnme(setgid_group) failed.\n");
+        }
+        if (setgid(gr->gr_gid))
+        report(LOG_ERR, "Cannot set group id to %d %s",
+               gr->gr_gid, strerror(errno));
+    }
+
 #ifdef TACPLUS_GROUPID
     if (setgid(TACPLUS_GROUPID))
 	report(LOG_ERR, "Cannot set group id to %d %s",
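Review bot: A failed getpwnam()/getgrnam() is only logged and `pw`/`gr` is then dereferenced on the very next line, and a failed setuid()/setgid() is likewise only logged, so a wrong -U/-Q value either crashes on a NULL pointer or leaves the daemon silently running with its original (root) credentials; both paths should `tac_exit(1)`. The two lookup-failure report() calls also pass a `%s` with no matching argument, which is undefined behaviour in the logging path, and misspell getpwnam/getgrnam in the message text. The order is wrong as well: setuid() runs before setgid(), and the compile-time `TACPLUS_GROUPID` setgid() that follows in the hunk context also runs after the uid is dropped, so once root is given up those calls fail with EPERM; the group (setgid plus initgroups/setgroups to shed root's supplementary groups) must be changed first, then the uid. main() starts and ends outside this hunk.
```c
    /* … unchanged: child-reaping loop … */

    if (setuid_user || setgid_group) {
        struct passwd *pw = NULL;
        struct group *gr = NULL;
        gid_t gid;

        /* Resolve both names before changing anything; a bad name is fatal. */
        if (setuid_user && (pw = getpwnam(setuid_user)) == NULL) {
            report(LOG_ERR, "Cannot set user id: getpwnam(%s) failed", setuid_user);
            tac_exit(1);
        }
        if (setgid_group && (gr = getgrnam(setgid_group)) == NULL) {
            report(LOG_ERR, "Cannot set group id: getgrnam(%s) failed", setgid_group);
            tac_exit(1);
        }

        /* Group first: setgid()/initgroups() need the privilege setuid() gives up.
         * With -U alone, fall back to the user's primary group. */
        gid = gr ? gr->gr_gid : (pw ? pw->pw_gid : getgid());
        if (setgid(gid)) {
            report(LOG_ERR, "Cannot set group id to %ld %s", (long)gid, strerror(errno));
            tac_exit(1);
        }
        if (pw && initgroups(pw->pw_name, gid)) {
            report(LOG_ERR, "Cannot set supplementary groups for %s %s",
                   pw->pw_name, strerror(errno));
            tac_exit(1);
        }
        if (pw && setuid(pw->pw_uid)) {
            report(LOG_ERR, "Cannot set user id to %ld %s", (long)pw->pw_uid, strerror(errno));
            tac_exit(1);
        }
    }

    /* … unchanged: compile-time TACPLUS_GROUPID block … */
```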
@@ -745,6 +776,8 @@ usage(void)
 		" [-l <logfile>]"
 		" [-p <port>]"
 		" [-u <wtmpfile>]"
+        " [-U <setuid username>]"
+        " [-Q <setgid groupname>]"
 #ifdef MAXSESS
 		" [-w <whologfile>]"
 #endif
-- 
1.9.1

-------------- next part --------------
From 66360ec7b178bff9c3e48fdebcad540e1c8e206a Mon Sep 17 00:00:00 2001
From: Robert Drake <rdrake at direcpath.com>
Date: Fri, 26 Dec 2014 22:18:22 -0500
Subject: [PATCH 4/5] users_guide not in clean or distclean

---
 Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index 133dadd..3b84b8a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -57,7 +57,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
 CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES = version.h pathsl.h tac_plus.8 tac_plus.conf.5
+CONFIG_CLEAN_FILES = version.h pathsl.h tac_plus.8 tac_plus.conf.5 users_guide
 CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
-- 
1.9.1

-------------- next part --------------
From 956c89521d36f4938de509907f99d85111ccff68 Mon Sep 17 00:00:00 2001
From: Robert Drake <rdrake at direcpath.com>
Date: Fri, 26 Dec 2014 22:09:38 -0500
Subject: [PATCH 5/5] updated Changes with what I changed

---
 CHANGES | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 7487c19..27880c6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -408,3 +408,8 @@ F5.0.0a
 	- use the fdes code for ARAP_DES and MSCHAP_DES
 	- increase NAC address array size.  affects the format of the tacacs
 	  wholog file (TACPLUS_WHOLOGFILE); existing file should be removed.
+
+F5.0.0a2
+    - fixes so code will compile without MAXSESS defined
+    - added -U and -Q flags to allow runtime setuid/setgid change to drop
+      privilages - from Robert Drake
-- 
1.9.1


