Add SONiC design doc: TACACS+ improvement #813
Why is rbash a must for command authorization?
The reason is that for command authorization, we create a symbolic link for every command we want to enable authorization for.
Without rbash a user can run any command, including those commands for which we did not create a symbolic link.
Then they can bypass the authorization very easily.
Disabling it for RO users is understandable. Is it possible to keep RW users' capability at the same time as AAA? #Closed
In that case, we need to consider some other solution. I will check other solutions in the POC and update this document.
I checked some other solutions, and they are based on shell function hooks. Those solutions have a common limitation: a user can bypass the restriction by injecting a new shell hook.
Then, after checking the rbash restrictions, I think we have 2 solutions:
1. Patch bash to allow redirection in restricted mode, and accept most of the other restrictions because they are necessary for using tacplus-auth: the restrictions we accept will mean that both RO and RW users can't access commands not in our whitelist, and that users can't switch to another shell.
2. Patch bash so that bash does authorization before executing any user command. With this solution, there is no restriction on the router machine side; on the TACACS server side we just need to disable users switching to another shell.
I will try a POC for solution 2; it seems it will be a minor change.
The POC for solution 2 is ready; it will authorize any user 'disk' command, so if solution 2 is acceptable, I will update the document.
As for 'disk' commands: in bash, if a command is a file stored on disk, it's a disk command. Built-in commands and bash functions are not disk commands; executable files and scripts are disk commands.
What are the alternatives for the user to achieve a similar goal? #Closed
By patching bash, we can allow users to use redirects; I will remove this from the document.
Do you have a link to the patch? I am wondering if redirect could be made configurable. For example, RW users could use redirects as normal, but RO users would be banned from using redirects.
It's a very simple code change: remove the following code in redir.c at line 836.
So for allowing RW and disabling RO, we can:
1. Create a variable isReadonlyUser.
2. When bash starts up, check the current user's group and set this variable.
3. For any behavior we want to disable for RO only, change the code like this:
```c
#if defined (RESTRICTED_SHELL)
  /* Refuse write redirections only for read-only users; isReadonlyUser is
     set at shell startup from the current user's group membership. */
  if (restricted && isReadonlyUser && (WRITE_REDIRECT (ri)))
    {
      free (redirectee_word);
      return (RESTRICTED_REDIRECT);
    }
#endif /* RESTRICTED_SHELL */
```
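The decision flow discussed in this thread (solution 2, where the shell authorizes every disk command before executing it, combined with the RO-only redirect gate above), modelled as an added Python example that is not the PR's bash patch: builtins are never sent for authorization, disk commands are resolved on PATH and checked against a per-role allowlist, and write redirections are refused only for read-only users. The role allowlist, the user names and the filesystem contents are constructed for the example; in the real design the TACACS+ server supplies the allow/deny answer and isReadonlyUser comes from group membership.

```python
"""Model of 'authorize every disk command before it runs' with an RO-only redirect gate.

Added example; not the PR's bash patch. The allowlist stands in for whatever the
TACACS+ server would answer, and the filesystem is a constructed set of paths.
"""
import shlex
from dataclasses import dataclass

# Builtins run inside the shell process and never touch the disk, so the thread's
# design does not send them for authorization.
BASH_BUILTINS = {"cd", "echo", "export", "pwd", "exit", "set", "unset", "alias",
                 "source", ".", "read", "test", "["}

# Constructed stand-in for the per-role allowlist a TACACS+ server would return
# (hypothetical paths, not SONiC's real configuration).
ROLE_ALLOWLIST = {
    "ro": {"/usr/bin/show", "/bin/ls", "/bin/cat"},
    "rw": {"/usr/bin/show", "/usr/bin/config", "/bin/ls", "/bin/cat", "/usr/bin/sudo"},
}

# Constructed filesystem view: the executables that "exist" for PATH resolution.
FAKE_DISK = {"/usr/bin/show", "/usr/bin/config", "/usr/bin/sudo", "/usr/bin/vim",
             "/bin/ls", "/bin/cat"}
PATH_ENTRIES = ["/usr/bin", "/bin"]


@dataclass(frozen=True)
class User:
    name: str
    readonly: bool  # plays the role of isReadonlyUser, set from group membership at startup


def tokenize(line):
    """Split a command line like a shell lexer, keeping redirection operators as
    separate tokens (so 'a>b' yields 'a', '>', 'b')."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lexer)


def is_write_redirect(token):
    """Approximates bash's WRITE_REDIRECT(ri): an operator token that writes to a
    file descriptor ('>', '>>', '>|', '&>', '&>>', '<>')."""
    return all(ch in "<>|&" for ch in token) and ">" in token


def resolve_disk_command(word, path_entries, exists):
    """Classify the command word as ('builtin', None), ('disk', path) or
    ('not_found', None). `exists` is injected so the lookup runs against the
    constructed filesystem instead of the real one."""
    if word in BASH_BUILTINS:
        return "builtin", None
    if "/" in word:  # explicit path: bash executes it without a PATH search
        return ("disk", word) if exists(word) else ("not_found", None)
    for directory in path_entries:
        candidate = f"{directory.rstrip('/')}/{word}"
        if exists(candidate):
            return "disk", candidate
    return "not_found", None


def authorize(user, line, path_entries=PATH_ENTRIES, exists=FAKE_DISK.__contains__):
    """Decision the patched shell would take before executing `line` for `user`.
    Returns (decision, reason) with decision 'allow' or 'deny'."""
    tokens = tokenize(line)
    if not tokens:
        return "allow", "empty command line"
    # Redirect gate: mirrors `restricted && isReadonlyUser && WRITE_REDIRECT(ri)`.
    if user.readonly and any(is_write_redirect(t) for t in tokens):
        return "deny", "write redirection is not permitted for read-only users"
    kind, path = resolve_disk_command(tokens[0], path_entries, exists)
    if kind == "builtin":
        return "allow", f"'{tokens[0]}' is a builtin, not a disk command"
    if kind == "not_found":
        return "deny", f"'{tokens[0]}' not found on PATH"
    role = "ro" if user.readonly else "rw"
    if path in ROLE_ALLOWLIST[role]:
        return "allow", f"{path} is permitted for role {role}"
    return "deny", f"{path} is not in the {role} allowlist"


if __name__ == "__main__":
    for user in (User("alice", readonly=True), User("bob", readonly=False)):
        for line in ("show version", "config save -y", "show version > /tmp/out.txt",
                     "cd /tmp", "vim /etc/hosts", "nosuchcmd"):
            decision, reason = authorize(user, line)
            print(f"{user.name:6} {line!r:32} -> {decision:5} ({reason})")
```

Running the module prints one decision per user and command line. The point the model makes explicit is the one the thread relies on: because the hook sits on the execution path of every disk command rather than on a set of symbolic links, an unlisted binary such as vim is denied even for the RW role, while builtins like cd still work for everyone.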