git: 50fa622e205d - main - net/tac_plus4: Be explicit about the runtime user

From: Joe Marcus Clarke <marcus_at_FreeBSD.org>
Date: Mon, 26 Aug 2024 13:19:40 UTC
The branch main has been updated by marcus:

URL: https://cgit.FreeBSD.org/ports/commit/?id=50fa622e205ddf49a05f975e5d55b1486d4a5cb8

commit 50fa622e205ddf49a05f975e5d55b1486d4a5cb8
Author:     Joe Marcus Clarke <marcus@FreeBSD.org>
AuthorDate: 2024-08-26 13:17:33 +0000
Commit:     Joe Marcus Clarke <marcus@FreeBSD.org>
CommitDate: 2024-08-26 13:17:33 +0000

    net/tac_plus4: Be explicit about the runtime user
    
    It occurred to me that the tacacs user is set only at build time.  So,
    if someone assigned a different uid to their runtime tacacs user, the
    daemon would, by default, run under uid 559. So, add a default
    "-U tacacs" to the flags.
    
    While here, fix a typo in the man page.
---
 net/tac_plus4/Makefile                    |  7 ++++---
 net/tac_plus4/files/patch-choose_authen.c | 12 +++++-------
 net/tac_plus4/files/patch-tac__plus.8.in  | 14 ++++++++++++++
 net/tac_plus4/files/patch-users_guide.in  |  7 ++++---
 net/tac_plus4/files/tac_plus.in           |  2 +-
 5 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/net/tac_plus4/Makefile b/net/tac_plus4/Makefile
index cbc35c024f21..cf74514cde9d 100644
--- a/net/tac_plus4/Makefile
+++ b/net/tac_plus4/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	tac_plus
 PORTVERSION=	F4.0.4.28
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net security
 MASTER_SITES=	ftp://ftp.shrubbery.net/pub/${PORTNAME}/
 DISTNAME=	tacacs-${PORTVERSION}
@@ -14,9 +14,10 @@ GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share
 USES=		bison cpe perl5 libtool
 USE_PERL5=	build
 USE_RC_SUBR=	tac_plus
+SUB_LIST=	TACACS_USER=${USERS}
 USE_LDCONFIG=	yes
-CONFIGURE_ARGS=	--with-groupid=$$(/usr/bin/id -g tacacs 2>/dev/null || echo '559') \
-		--with-userid=$$(/usr/bin/id -u tacacs 2>/dev/null || echo '559')
+CONFIGURE_ARGS=	--with-groupid=$$(/usr/bin/id -g ${GROUPS} 2>/dev/null || echo '559') \
+		--with-userid=$$(/usr/bin/id -u ${USERS} 2>/dev/null || echo '559')
 
 CPE_VENDOR=	cisco
 
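Review bot: `SUB_LIST=	TACACS_USER=${USERS}` and the `id -g ${GROUPS}` / `id -u ${USERS}` lookups under it assume each variable holds exactly one name; their definitions are outside this hunk, so that may hold today, but ports let both be space-separated lists, and a second entry would expand the rc default to `-U tacacs other` and make `id` fail into the `echo '559'` fallback with no warning. If a single account is intended, say so in the Makefile: either a one-line comment next to SUB_LIST stating that TACACS_USER is the first (only) entry of USERS, or pin it with `SUB_LIST=	TACACS_USER=${USERS:[1]}` and the matching `${USERS:[1]}`/`${GROUPS:[1]}` in CONFIGURE_ARGS.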
diff --git a/net/tac_plus4/files/patch-choose_authen.c b/net/tac_plus4/files/patch-choose_authen.c
index ccfe7badd3ab..da3b778ac85e 100644
--- a/net/tac_plus4/files/patch-choose_authen.c
+++ b/net/tac_plus4/files/patch-choose_authen.c
@@ -1,6 +1,6 @@
 --- choose_authen.c.orig	2012-04-16 21:42:55 UTC
 +++ choose_authen.c
-@@ -130,12 +130,29 @@ choose_login(struct authen_data *data, s
+@@ -130,10 +130,27 @@ choose_login(struct authen_data *data, struct authen_t
  #else /* SKEY */
  	    report(LOG_ERR,
  		   "%s %s: user %s s/key support has not been compiled in",
@@ -10,8 +10,8 @@
 +		   name ? name : "<unknown>");
  	    return(CHOOSE_FAILED);
  #endif	/* SKEY */
- 	}
- 
++	}
++
 +	if (cfg_passwd && STREQ(cfg_passwd, "opie")) {
 +	    if (debug & DEBUG_PASSWD_FLAG)
 +		report(LOG_DEBUG, "%s %s: user %s requires opie",
@@ -27,8 +27,6 @@
 +			name ? name : "<unknown>");
 +		return(CHOOSE_FAILED);
 +#endif /* OPIE */
-+	}
-+
+ 	}
+ 
  	/* Does this user require aceclnt */
- 	cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE);
- 	if (cfg_passwd && STREQ(cfg_passwd, "aceclnt")) {
diff --git a/net/tac_plus4/files/patch-tac__plus.8.in b/net/tac_plus4/files/patch-tac__plus.8.in
new file mode 100644
index 000000000000..585a4e8e9972
--- /dev/null
+++ b/net/tac_plus4/files/patch-tac__plus.8.in
@@ -0,0 +1,14 @@
+--- tac_plus.8.in.orig	2024-08-26 12:52:38 UTC
++++ tac_plus.8.in
+@@ -206,8 +206,10 @@ in addition to logging to syslogd. Useful for debuggin
+ /dev/console 
+ in addition to logging to syslogd. Useful for debugging.
+ .\"
+-.TP \-U <setuid username>
++.TP
++.B \-U <setuid username>
+ Specify the username or UID to
++.B
+ .IR setuid(2).
+ If the daemon was compiled with a specific UID, this option overrides that
+ value.
diff --git a/net/tac_plus4/files/patch-users_guide.in b/net/tac_plus4/files/patch-users_guide.in
index 8c839cf8669d..6f4b5ae9fecd 100644
--- a/net/tac_plus4/files/patch-users_guide.in
+++ b/net/tac_plus4/files/patch-users_guide.in
@@ -1,17 +1,18 @@
 --- users_guide.in.orig	2011-05-27 22:11:57 UTC
 +++ users_guide.in
-@@ -164,7 +164,10 @@ for S/KEY in the Makefile.  I got my S/K
+@@ -164,8 +164,11 @@ suggest you try a web search for s/key source code.
  crimelab.com but now it appears the only source is ftp.bellcore.com. I
  suggest you try a web search for s/key source code.
  
 -Note: S/KEY is a trademark of Bell Communications Research (Bellcore).
 +To use OPIE, you must have built tac_plus with the -DWITH_OPIE flag.
-+
+ 
 +Note: S/KEY and OPIE are a trademark of Bell Communications Research 
 +(Bellcore).
- 
++
  Should you need them, there are routines for accessing password files
  (getpwnam,setpwent,endpwent,setpwfile) in pw.c.
+ 
 @@ -414,7 +417,16 @@ be authenticated via s/key, as follows:
        login = skey
      }
diff --git a/net/tac_plus4/files/tac_plus.in b/net/tac_plus4/files/tac_plus.in
index eb92cb03126c..d4c8743216f8 100644
--- a/net/tac_plus4/files/tac_plus.in
+++ b/net/tac_plus4/files/tac_plus.in
@@ -24,7 +24,7 @@ rcvar=tac_plus_enable
 command="%%PREFIX%%/sbin/tac_plus"
 pidfile="/var/run/${name}.pid"
 tac_plus_enable=${tac_plus_enable:-"NO"}
-tac_plus_flags=${tac_plus_flags:-}
+tac_plus_flags=${tac_plus_flags:-"-U %%TACACS_USER%%"}
 tac_plus_profiles=${tac_plus_profiles:-}
 tac_plus_configfile=${tac_plus_configfile:-"%%PREFIX%%/etc/tac_plus.conf"}
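Review bot: Placing the `-U %%TACACS_USER%%` default inside `tac_plus_flags` means any `tac_plus_flags="..."` set in rc.conf (for example to add a debugging option) silently replaces it, and the daemon then runs as the uid fixed at build time — 559 whenever the build host had no tacacs account, per the Makefile fallback — which is exactly the case the commit sets out to close. A shape that survives user overrides keeps the privilege drop out of the overridable variable: `command_args="-U %%TACACS_USER%%"` with `tac_plus_flags=${tac_plus_flags:-}` left as before, since rc.subr appends `${name}_flags` and `command_args` independently. How tac_plus treats a repeated `-U` (an admin supplying their own in tac_plus_flags) is not visible here and should be confirmed before relying on that override path.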