Bugtraq mailing list archives
Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc
From: Devrim SERAL <devrim.seral () gantek com>
Date: Fri, 01 Feb 2002 13:00:41 +0200
"Kevin A. Nassery" wrote:
Software: tac_plus version F4.0.4.alpha, compiled on Solaris 8 sparc.
Abstract: tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released (but not supported) by Cisco, isn't careful with its permissions when creating accounting files.
Vulnerability: Any file defined with an accounting directive, in a tac_plus config file, is created with file permissions set at 666, allowing any system account to modify its contents. When appending to the file, if it's not there initially, it is created. When it is created it is done so with file permissions set at 666.
A simple workaround is to create a file, at the path set in the config file, and manually set the permission to 600. The tac_plus daemon will continue to append to the file, without setting the permissions back to 666.
I just wanted to make sure this was out there for people who are rotating logs, and just letting the daemon create new files.
Hi,
Our patched version of tacacs+ isn't affected by this type of problem, and I remember it was fixed 1.5 years ago. The project is based on Cisco's free tacacs+ F4.0.3, and we aim to add more features like db authentication, more security, more flexible config files and also more ability. This project isn't supported by Cisco, but thanks to them for providing us the tacacs+ source code. You can find our patched and enhanced version of tacacs+ at: http://www.gazi.edu.tr/tacacs
Note that I have tested the code primarily on Linux, Solaris and FreeBSD, and it might work on other unixes.
devrim
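The create-on-append behaviour reported in this thread, beside a stricter opener, as an added example that is not part of either message and is not tac_plus source. The function names, the scratch path under /tmp, the owner-only 0600 policy and the umask of 0 used in the demo are all assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: create-on-append with mode 0666. The file gets
 * 0666 & ~umask, i.e. rw-rw-rw- when the process umask is 0. */
int open_acct_weak(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0666);
}

/* Hardened form (assumed policy: owner-only 0600). Ask for 0600 at creation,
 * then check the open descriptor and tighten a file that already existed. */
int open_acct_strict(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 ||
        ((st.st_mode & 077) != 0 && fchmod(fd, 0600) != 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo harness (hypothetical): in a scratch directory with umask 0, pre-create
 * the file with pre_mode (skip if negative), open it with the chosen opener,
 * and return the resulting permission bits (-1 on error). */
int resulting_mode(int pre_mode, int strict)
{
    char dir[] = "/tmp/acctdemoXXXXXX", path[64];
    struct stat st;
    int fd, mode = -1;
    mode_t old;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/acct.log", dir);
    old = umask(0);
    if (pre_mode >= 0 &&
        (fd = open(path, O_WRONLY | O_CREAT, (mode_t)pre_mode)) >= 0)
        close(fd);
    fd = strict ? open_acct_strict(path) : open_acct_weak(path);
    umask(old);
    if (fd >= 0 && fstat(fd, &st) == 0) mode = st.st_mode & 0777;
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return mode;
}
```

The mode argument to open() only applies when the file is created, which is why a pre-created 600 file keeps its permissions and why a rotated-away log comes back as 666 under the weak opener.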