Skip to content

Commit

Permalink
[tacacs]: skip accessing tacacs servers for local non-tacacs users (s…
Browse files Browse the repository at this point in the history
…onic-net#2843)

* Switch the nss look up order as "compat" followed by "tacplus".
This helps use the legacy passwd file for user info and go to tacacs only if not found.
This means, we never contact tacacs for local users like "admin".
This isolates local users from any issues with tacacs servers.
W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.

* Skip tacacs server access for local non-tacacs users.
Revert the order of 'compat tacplus' to original 'tacplus compat' as tacplus
access is required for all tacacs users, who also get created locally.
  • Loading branch information
renukamanavalan authored and lguohan committed May 9, 2019
1 parent 9efcf17 commit a357693
Show file tree
Hide file tree
Showing 3 changed files with 83 additions and 1 deletion.
2 changes: 1 addition & 1 deletion files/image_config/hostcfgd/tacplus_nss.conf.j2
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
onfiguration for libnss-tacplus
# Configuration for libnss-tacplus

# debug - If you want to open debug log, set it on
# Default: off
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
From 228d743b907be6346731cacc9c5d2bc78ce6a4e8 Mon Sep 17 00:00:00 2001
From: Renuka Manavalan <remanava@microsoft.com>
Date: Mon, 6 May 2019 04:23:26 +0000
Subject: [PATCH 4/4] Skip accessing tacacs servers for local non-tacacs users.

---
nss_tacplus.c | 44 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/nss_tacplus.c b/nss_tacplus.c
index aac5246..f2a86e1 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -487,7 +487,7 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
/*
* Lookup user in /etc/passwd, and fill up passwd info if found.
*/
-static int lookup_pw_local(char* username, struct pwbuf *pb, bool *found)
+static int lookup_pw_local(const char* username, struct pwbuf *pb, bool *found)
{
FILE *fp;
struct passwd *pw = NULL;
@@ -517,6 +517,45 @@ static int lookup_pw_local(char* username, struct pwbuf *pb, bool *found)
return ret;
}

+/*
+ * Return true, if user has entry in /etc/passwd and his gecos
+ * does not match with expected gecos for any tacacs user of any
+ * privilege level.
+ */
+static bool is_non_tacacs_user(const char *name)
+{
+ char buf[1024];
+ struct passwd pw;
+ int err = 0;
+ struct pwbuf pwbuf;
+ bool found = false;
+ bool ret = false;
+
+ pwbuf.buf = buf;
+ pwbuf.pw = &pw;
+ pwbuf.errnop = &err;
+ pwbuf.buflen = sizeof(buf);
+
+ lookup_pw_local(name, &pwbuf, &found);
+
+ if (found && (err == 0)) {
+ int i = MIN_TACACS_USER_PRIV;
+ const useradd_info_t *pinfo = &useradd_grp_list[i];
+
+ for(; (i <= MAX_TACACS_USER_PRIV); ++i, ++pinfo) {
+ if ((pinfo->info != NULL) &&
+ (strcmp(pinfo->info, pwbuf.pw->pw_gecos) == 0)) {
+ break;
+ }
+ }
+ if (i > MAX_TACACS_USER_PRIV) {
+ /* gecos did not match with gecos of any tacacs user info */
+ ret = true;
+ }
+ }
+ return ret;
+}
+
/*
* Lookup local user passwd info for TACACS+ user. If not found, local user will
* be created by user mapping strategy.
@@ -768,6 +807,9 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
syslog(LOG_WARNING, "%s: no tacacs server in config for nss_tacplus",
nssname);
}
+ else if(is_non_tacacs_user(name)) {
+ /* It is non-tacacs user, so bail out */
+ }
else {
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
--
2.17.1

1 change: 1 addition & 0 deletions src/tacacs/nss/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
git am ../0001-Modify-user-map-profile.patch
git am ../0002-Enable-modifying-local-user-permission.patch
git am ../0003-management-vrf-support.patch
git am ../0004-Skip-accessing-tacacs-servers-for-local-non-tacacs-u.patch

dpkg-buildpackage -rfakeroot -b -us -uc
popd
Expand Down

0 comments on commit a357693

Please sign in to comment.