Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc

[Devrim SERAL <devrim.seral () gantek com>]

"Kevin A. Nassery" wrote:
> Software: tac_plus version F4.0.4.alpha, compiled
>         on Solaris 8 sparc.
>
> Abstract:
> tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
> (but not supported) by Cisco isn't careful with it's permissions when
> creating accounting files.
>
> Vulneribility:
> Any file defined with and accounting directive, in a tac_plus
> config file, is create with file permissions set at 666.
>
> Allowing any system account to modify its contents.
>
> When appending to the file, if it's not there initially, it is created.
> When it is created it is done so with file permissions set at 666.
> A simple work arround is to create a file, at the path set in the
> config file, and manually set the permission to 600.  The tac_plus
> daemon will continue to append to the file, without setting the
> permissions back to 666.  I just wanted to make sure this was out there
> for people who are rotating logs, and just letting the daemon create
> new files.

Hi, 
Our patched version of tacacs+ doesn't affect this type of problem. 
And i remember its fixed 1.5 years ago. 

The project based on Cisco's free tacacs+ F4.0.3.  And we aim to add
more 
feature like db authentication ,  more security ,more flexible config
files and also
more ability..  This project doesn't supported by Cisco but thanks them
for
provide us tacacs+ source code. 

You can find our patched and enhenced version of tacacs+ from :
http://www.gazi.edu.tr/tacacs

Note that i have tested code  primarily  on Linux , Solaris and FreeBSD
And it might be work on other unixes..

devrim