On Wed, Jan 30, Kevin A. Nassery wrote:

> Software: tac_plus version F4.0.4.alpha, compiled
> on Solaris 8 sparc.
>
> Abstract:
> tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
> (but not supported) by Cisco isn't careful with its permissions when
> creating accounting files.
>
> Vulnerability:
> Any file defined with an accounting directive, in a tac_plus
> config file, is created with file permissions set at 666.

tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file with
mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).

If you write the logs/accounting files in /var/tmp or /tmp (or in any other
dir where users can create symlinks) then tac_plus will follow symlinks when
creating the files (fopen / open w/out O_EXCL). So write logs into a safe
directory where users can't play tricks with symlinks.

Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will
change uid/gid but never drops any supplemental groups.

There's a modified tac_plus available from:
http://www.gazi.edu.tr/tacacs/index.php
This version seems to have fixed the original Cisco bugs and adds more
useful functionality like tcp_wrappers, ldap, mysql, pam etc.

-Jarno
-- 
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
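The three points in the reply (umask 000 producing mode-666 files, open/fopen following a planted symlink, and a uid/gid change that never clears supplemental groups) are each a few lines of C done the safe way. The program below is an added example written for Linux; it is not code from tac_plus or from the modified version linked above. It uses O_NOFOLLOW rather than the O_EXCL the post mentions because a log file has to be reopened for append across restarts; the scratch directory under /tmp, the file names, and the uid/gid 65534 passed to drop_privileges() in main() are constructed demo values, not anything from the post.

```c
/* Added example (not tac_plus code): safe log-file creation and a
 * complete privilege drop. Scratch paths under /tmp are demo values;
 * a real daemon logs into a directory others cannot write to. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_MODE 0640   /* owner rw, group r, nothing for others */

/* Open an append-only log/accounting file. O_NOFOLLOW refuses a symlink
 * at the final path component (errno ELOOP on Linux), and the explicit
 * mode means the file is never created 666 whatever umask is in force. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  LOG_MODE);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);            /* e.g. a FIFO planted under the log's name */
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Drop from root to the configured account. Supplemental groups must be
 * cleared BEFORE setgid/setuid: afterwards the process no longer has the
 * privilege to call setgroups(), which is the bug the post describes. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0)        return -1;
    if (setuid(uid) < 0)        return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* drop did not stick */
    return 0;
}

/* Demo: with umask 000 in effect (as in tac_plus), create a log in a
 * fresh scratch directory and return its permission bits (expect 0640). */
int demo_created_mode(void)
{
    char dir[] = "/tmp/taclogdemoXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/acct.log", dir);
    mode_t old = umask(0);               /* reproduce the daemon's umask */
    int fd = open_log_safely(path);
    umask(old);
    if (fd < 0) return -1;
    struct stat st;
    int bits = (fstat(fd, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    close(fd);
    unlink(path); rmdir(dir);
    return bits;
}

/* Demo: plant a symlink under the log's name pointing at another file and
 * confirm open_log_safely() refuses to go through it. Returns 1 if refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/taclogdemoXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/other", dir);
    snprintf(link, sizeof link, "%s/acct.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0) return 0;
    close(t);
    if (symlink(target, link) < 0) return 0;
    int fd = open_log_safely(link);
    int refused = (fd < 0 && (errno == ELOOP || errno == EMLINK));
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return refused;
}

int main(void)
{
    printf("log created with mode %04o\n", demo_created_mode());
    printf("symlink refused: %s\n", demo_symlink_refused() ? "yes" : "no");
    if (geteuid() == 0)   /* only meaningful when started as root; 65534 = demo uid/gid */
        printf("drop_privileges: %s\n",
               drop_privileges(65534, 65534) == 0 ? "ok" : strerror(errno));
    return 0;
}
```

O_NOFOLLOW only protects the final path component; a symlinked parent directory is still followed, which is why the reply's advice to log into a directory unprivileged users cannot write to remains the real fix, with the explicit mode and the early setgroups() as defence in depth.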