[24054] in bugtraq


Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc

daemon@ATHENA.MIT.EDU (Jarno Huuskonen)
Thu Jan 31 15:24:16 2002

Date: Thu, 31 Jan 2002 21:01:00 +0200
From: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
To: bugtraq@securityfocus.com
Message-ID: <20020131190059.GA141618@messi.uku.fi>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.32.0201301728230.24102-100000@stan.ksni.net>

On Wed, Jan 30, Kevin A. Nassery wrote:
> Software: tac_plus version F4.0.4.alpha, compiled
> 	on Solaris 8 sparc.
> 
> Abstract:
> tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
> (but not supported) by Cisco isn't careful with its permissions when
> creating accounting files.
> 
> Vulnerability:
> Any file defined with an accounting directive, in a tac_plus
> config file, is created with file permissions set at 666.

tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file
with mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).

If you write the logs/accounting files in /var/tmp or /tmp (or in any
other dir where users can create symlinks) then tac_plus will follow
symlinks when creating the files (fopen / open w/out O_EXCL). So write
logs into a safe directory where users can't play tricks with symlinks.

Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will
change uid/gid but never drops any supplemental groups.

There's a modified tac_plus available from:
http://www.gazi.edu.tr/tacacs/index.php
This version seems to have fixed the original Cisco bugs and adds more
useful functionality like tcp_wrappers, ldap, mysql, pam etc.

-Jarno

-- 
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
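
The three points in the reply above (files created 666 under umask 000, symlinks followed on create, supplementary groups kept after the uid/gid switch), handled in an added C example; it is not tac_plus code and not the poster's. The names open_private and drop_privileges and the sample path are assumptions, and O_NOFOLLOW and setgroups() assume a Linux/glibc-style system.

```c
#define _DEFAULT_SOURCE 1  /* glibc: expose setgroups() and O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a daemon-owned file for appending. O_NOFOLLOW refuses a symlink
 * planted at `path` (ELOOP on Linux); the explicit 0600 mode holds even under
 * umask 000. must_create=1 adds O_EXCL (pid file); 0 reuses an existing
 * accounting file, but only if we own it, and tightens a leftover 666 mode. */
int open_private(const char *path, int must_create)
{
    int flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW;
    struct stat st;
    int fd = open(path, must_create ? flags | O_EXCL : flags, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || fchmod(fd, 0600) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Switch to an unprivileged account: clear supplementary groups while still
 * root, then setgid() before setuid(). Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* root must be gone */
}

int main(void)
{
    const char *path = "./tac_plus.acct.demo";  /* constructed sample path */
    int fd;
    umask(077);                /* restrictive default, not umask(0) */
    fd = open_private(path, 0);
    if (fd < 0) { perror("open_private"); return 1; }
    close(fd);
    return unlink(path) == 0 ? 0 : 1;
}
```

drop_privileges() only succeeds when the process starts as root, so call it after binding the listening port and opening the files.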
