Bugtraq mailing list archives
Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc
From: Jarno Huuskonen <Jarno.Huuskonen () uku fi>
Date: Thu, 31 Jan 2002 21:01:00 +0200
On Wed, Jan 30, Kevin A. Nassery wrote:
> Software: tac_plus version F4.0.4.alpha, compiled on Solaris 8 sparc.
>
> Abstract: tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released (but not supported) by Cisco, isn't careful with its permissions when creating accounting files.
>
> Vulnerability: Any file defined with an accounting directive, in a tac_plus config file, is created with file permissions set at 666.
tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file with mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).

If you write the logs/accounting files in /var/tmp or /tmp (or in any other dir where users can create symlinks) then tac_plus will follow symlinks when creating the files (fopen / open w/out O_EXCL). So write logs into a safe directory where users can't play tricks with symlinks.

Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will change uid/gid but never drops any supplemental groups.

There's a modified tac_plus available from: http://www.gazi.edu.tr/tacacs/index.php
This version seems to have fixed the original Cisco bugs and adds more useful functionality like tcp_wrappers, ldap, mysql, pam etc.

-Jarno

--
Jarno Huuskonen <Jarno.Huuskonen () uku fi>
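The hardening the reply above points at, as an added example (not code from tac_plus, Cisco, or either poster): open the accounting file without following a symlink and with a mode that does not depend on the umask, and clear supplementary groups before changing gid/uid. The function names, the 0640 mode and the command-line usage are assumptions; O_NOFOLLOW only guards the last path component, so the log directory itself must still not be writable by users.

```c
#define _DEFAULT_SOURCE 1                   /* setgroups(), O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a log/accounting file for append. O_NOFOLLOW refuses a
 * symlink as the last path component; fchmod() sets the mode regardless of
 * the process umask and tightens a file left behind with mode 666. */
int open_log_secure(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, mode);
    if (fd < 0)
        return -1;                          /* symlink, bad directory, ... */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || fchmod(fd, mode) != 0) {
        close(fd);                          /* not a regular file, or not ours */
        return -1;
    }
    return fd;
}

/* Drop root for good: supplementary groups first, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)            /* discard root's inherited groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;   /* must not get root back */
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <logfile>\n", argv[0]);  /* illustrative CLI */
        return EXIT_FAILURE;
    }
    umask(027);                             /* instead of tac_plus's umask 000 */
    int fd = open_log_secure(argv[1], 0640);
    if (fd < 0) {
        perror(argv[1]);
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```

drop_privileges() has to run as root, after the listening socket and log files are set up, and its return value must be checked before the daemon continues.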
Current thread:
- tac_plus version F4.0.4.alpha on at least Solaris 8 sparc Kevin A. Nassery (Jan 31)
- Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc ellipse (Jan 31)
- Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc Jarno Huuskonen (Jan 31)