Bugtraq mailing list archives

Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc


From: Jarno Huuskonen <Jarno.Huuskonen () uku fi>
Date: Thu, 31 Jan 2002 21:01:00 +0200

On Wed, Jan 30, Kevin A. Nassery wrote:
Software: tac_plus version F4.0.4.alpha, compiled
      on Solaris 8 sparc.

Abstract:
tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
(but not supported) by Cisco isn't careful with its permissions when
creating accounting files.

Vulnerability:
Any file defined with an accounting directive, in a tac_plus
config file, is created with file permissions set at 666.

tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file
with mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).

If you write the logs/accounting files in /var/tmp or /tmp (or in any
other dir where users can create symlinks) then tac_plus will follow
symlinks when creating the files (fopen / open w/out O_EXCL). So write
logs into a safe directory where users can't play tricks with symlinks.

Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will
change uid/gid but never drops any supplemental groups.

There's a modified tac_plus available from:
http://www.gazi.edu.tr/tacacs/index.php
This version seems to have fixed the original Cisco bugs and adds more
useful functionality like tcp_wrappers, ldap, mysql, pam etc.

-Jarno

-- 
Jarno Huuskonen <Jarno.Huuskonen () uku fi>
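
The three issues raised in this message (world-writable files from umask 000, symlink following on open, and supplementary groups kept after the uid/gid change) correspond to the defensive pattern below. This is an added example, not code from the post or from tac_plus; the function names `open_private_append` and `drop_privileges` are hypothetical.

```c
#define _DEFAULT_SOURCE   /* glibc: expose setgroups() and O_NOFOLLOW */
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open an accounting/log/pid file for append without following a symlink
 * in the final path component, and leave it private (0600) whatever the
 * process umask is. Returns an fd, or -1 on refusal or error. */
int open_private_append(const char *path)
{
    struct stat st;
    int fd = open(path,
                  O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;        /* errno == ELOOP means the name was a symlink */
    /* Inspect the object actually opened (fstat), not the name, so there is no race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop root permanently. Order matters: supplementary groups first, then
 * gid, then uid. Must be called while still root; returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;  /* the step the post says is missing */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be regainable */
    return 0;
}

/* Stand-alone use: open the file named on the command line (assumed path). */
int main(int argc, char **argv)
{
    int fd = open_private_append(argc > 1 ? argv[1] : "acct.log");
    return fd < 0;
}
```

O_NOFOLLOW only covers the last path component, so the advice above to keep these files in a directory that other users cannot write to still applies.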

