Write error message to syslog when add user failed or connect to TACACS server failed. (#16240)
Write an error message to syslog when adding a user fails or connecting to the TACACS server fails. #### Why I did it With these messages, we can downgrade a TACACS server that has issues to a lower priority. ##### Work item tracking - Microsoft ADO: 24667696 #### How I did it Write an error message to syslog when adding a user fails or connecting to the TACACS server fails. #### How to verify it Pass all UT. Manually verify that the error message is generated. ### Description for the changelog Write an error message to syslog when adding a user fails or connecting to the TACACS server fails.
parent
78415800a5
commit
b0be5824f8
@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
|
||||
debian/changelog | 11 +
|
||||
debian/control | 11 +-
|
||||
debian/libnss-tacplus.symbols | 1 -
|
||||
nss_tacplus.c | 1018 +++++++++++++++------------------
|
||||
nss_tacplus.c | 1015 +++++++++++++++------------------
|
||||
tacplus_nss.conf | 91 ++-
|
||||
8 files changed, 527 insertions(+), 613 deletions(-)
|
||||
8 files changed, 525 insertions(+), 612 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 293951e..b33c455 100644
|
||||
@ -1083,7 +1083,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
tac_add_attrib(attr, "service", tac_service);
|
||||
if(tac_protocol[0])
|
||||
tac_add_attrib(attr, "protocol", tac_protocol);
|
||||
@@ -598,34 +659,9 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
@@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
{
|
||||
struct areply arep;
|
||||
int ret = 1, done = 0;
|
||||
@ -1119,11 +1119,17 @@ index 79e62b9..ecfa0b0 100644
|
||||
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
|
||||
arep.msg = NULL;
|
||||
arep.attr = NULL;
|
||||
@@ -636,14 +672,13 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
|
||||
" ret=%d: %m", nssname, tac_srv[srvr].addr ?
|
||||
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
|
||||
arep.status = TAC_PLUS_AUTHOR_STATUS_ERROR; /* if author_send fails */
|
||||
tac_fd = connect_tacacs(&attr, srvr);
|
||||
if (tac_fd < 0) {
|
||||
- if(debug)
|
||||
- syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
|
||||
- " ret=%d: %m", nssname, tac_srv[srvr].addr ?
|
||||
- tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
|
||||
- tac_free_attrib(&attr);
|
||||
+ syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s,"
|
||||
+ " ret=%d: %m", nssname, tac_srv[srvr].addr ?
|
||||
+ tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
|
||||
continue;
|
||||
}
|
||||
- ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr);
|
||||
@ -1137,7 +1143,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
|
||||
pb->name);
|
||||
}
|
||||
@@ -668,14 +703,11 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
@@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
if(arep.status == AUTHOR_STATUS_PASS_ADD ||
|
||||
arep.status == AUTHOR_STATUS_PASS_REPL) {
|
||||
ret = got_tacacs_user(arep.attr, pb);
|
||||
@ -1154,7 +1160,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
done = 1; /* break out of loop after arep cleanup */
|
||||
}
|
||||
else {
|
||||
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
@@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
" invalid (%d)", nssname,
|
||||
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
|
||||
arep.status);
|
||||
@ -1165,7 +1171,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
}
|
||||
if(arep.msg)
|
||||
free(arep.msg);
|
||||
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
@@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
tac_free_attrib(&arep.attr);
|
||||
}
|
||||
|
||||
@ -1198,7 +1204,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
*
|
||||
* We try the lookup to the tacacs server first. If we can't make a
|
||||
* connection to the server for some reason, we also try looking up
|
||||
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
|
||||
@@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
|
||||
int result;
|
||||
struct pwbuf pbuf;
|
||||
|
||||
@ -1233,7 +1239,7 @@ index 79e62b9..ecfa0b0 100644
|
||||
/* marshal the args for the lower level functions */
|
||||
pbuf.name = (char *)name;
|
||||
pbuf.pw = pw;
|
||||
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
|
||||
@@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
|
||||
pbuf.buflen = buflen;
|
||||
pbuf.errnop = errnop;
|
||||
|
||||
@ -1468,4 +1474,3 @@ index bb4eb1e..7cb756f 100644
|
||||
+# many_to_one=y
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
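Review bot: In the hunk at `@ -1119,11 +1119,17` the new unconditional `syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s," " ret=%d: %m", ...)` reports whatever errno holds when syslog runs, which is after connect_tacacs has returned; if connect_tacacs does any cleanup (close(), freeing attributes) after the failing connect(), `%m` can describe an unrelated error, and now that this message is meant to drive server-priority decisions rather than sit behind the debug gate that matters. Consider having connect_tacacs save errno before its cleanup and logging the saved value explicitly, e.g. `" ret=%d: %s", ..., tac_fd, strerror(saved_errno)`; this is hedged because connect_tacacs itself is not in the hunk. Also note the loop now emits one LOG_ERR per unreachable server on every NSS lookup that reaches the TACACS path (logins, sudo, uid-to-name resolution), so a server outage can flood syslog; a per-server suppression or a sentence on the expected volume in the description would help operators. lookup_tacacs_user starts outside the hunk.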
@ -113,8 +113,8 @@ index 2de00a6..048745a 100644
|
||||
|
||||
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
|
||||
arep.msg = NULL;
|
||||
@@ -748,7 +823,7 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
|
||||
@@ -747,7 +822,7 @@ lookup_tacacs_user(struct pwbuf *pb)
|
||||
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
|
||||
continue;
|
||||
}
|
||||
- ret = tac_author_send(tac_fd, pb->name, "", "", attr);
|
||||
|
@ -4,11 +4,11 @@ Date: Mon, 26 Jun 2023 09:18:44 -0700
|
||||
Subject: [PATCH] Replace popen shell execution with safer execle
|
||||
|
||||
---
|
||||
nss_tacplus.c | 63 ++++++++++++++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 52 insertions(+), 11 deletions(-)
|
||||
nss_tacplus.c | 54 ++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 47 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/nss_tacplus.c b/nss_tacplus.c
|
||||
index cd73870..7574374 100644
|
||||
index 50e560d..33e3e8c 100644
|
||||
--- a/nss_tacplus.c
|
||||
+++ b/nss_tacplus.c
|
||||
@@ -34,6 +34,8 @@
|
||||
@ -72,7 +72,7 @@ index cd73870..7574374 100644
|
||||
fp = fopen(user_conf, "ab+");
|
||||
if(!fp) {
|
||||
syslog(LOG_ERR, "%s: %s fopen failed", nssname, user_conf);
|
||||
@@ -495,18 +535,19 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
|
||||
@@ -495,18 +535,18 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
|
||||
while(lvl >= MIN_TACACS_USER_PRIV) {
|
||||
user = &useradd_grp_list[lvl];
|
||||
if(user->info && user->secondary_grp && user->shell) {
|
||||
@ -83,21 +83,16 @@ index cd73870..7574374 100644
|
||||
- if(!fp || -1 == pclose(fp)) {
|
||||
- syslog(LOG_ERR, "%s: %s popen failed errno=%d %s",
|
||||
- nssname, command, errno, strerror(errno));
|
||||
- delete_conf_line(name);
|
||||
- return -1;
|
||||
- }
|
||||
- if(debug)
|
||||
+ char sgid[10] = {0};
|
||||
+ char home[64] = {0};
|
||||
+ snprintf(sgid, 10, "%d", user->gid);
|
||||
+ snprintf(home, 63, "/home/%s", name);
|
||||
+ if(0 != user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell)) {
|
||||
+ if(debug)
|
||||
+ syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name);
|
||||
+ delete_conf_line(name);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if(debug)
|
||||
+ syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name);
|
||||
delete_conf_line(name);
|
||||
return -1;
|
||||
}
|
||||
if(debug)
|
||||
syslog(LOG_DEBUG, "%s: %s %s success", nssname, command, name);
|
||||
+
|
||||
delete_conf_line(name);
|
||||
|
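Review bot: In the hunk at `@ -83,21 +83,16` the now-unconditional `syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name)` drops the failure reason that the replaced popen message carried (`errno=%d %s`), so an operator still cannot tell whether useradd/usermod could not be spawned or exited non-zero. Since user_mod_add's return value is exactly what is tested here, log it: `int rc = user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell); if(rc != 0) { syslog(LOG_ERR, "%s: %s %s failed, ret=%d", nssname, command, name, rc);` — and add `%m` only if user_mod_add is known to leave errno meaningful on failure, which the hunk does not show. In the same hunk, `char sgid[10]` cannot hold a 10-digit gid plus its terminator, so `snprintf(sgid, 10, "%d", user->gid)` truncates silently for gids of 1000000000 and above (and `%d` with an unsigned gid_t, as on glibc, warns under -Wformat); `char sgid[16]` with `"%u"` and `(unsigned)user->gid` would be safer. create_or_modify_local_user starts and ends outside the hunk.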