Write error message to syslog when add user failed or connect to TACACS server failed. (#16240)

Write error message to syslog when add user failed or connect to TACACS server failed.

#### Why I did it
With these messages, we can downgrade TACACS server with issue to lower priority.

##### Work item tracking
- Microsoft ADO: 24667696

#### How I did it
Write error message to syslog when add user failed or connect to TACACS server failed.

#### How to verify it
Pass all UT.
Manually verify error message generated.

### Description for the changelog
Write error message to syslog when add user failed or connect to TACACS server failed.
This commit is contained in:
Hua Liu 2023-09-12 06:35:54 +08:00 committed by GitHub
parent 78415800a5
commit b0be5824f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 29 deletions

View File

@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
debian/changelog | 11 +
debian/control | 11 +-
debian/libnss-tacplus.symbols | 1 -
nss_tacplus.c | 1018 +++++++++++++++------------------
nss_tacplus.c | 1015 +++++++++++++++------------------
tacplus_nss.conf | 91 ++-
8 files changed, 527 insertions(+), 613 deletions(-)
8 files changed, 525 insertions(+), 612 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 293951e..b33c455 100644
@ -1083,7 +1083,7 @@ index 79e62b9..ecfa0b0 100644
tac_add_attrib(attr, "service", tac_service);
if(tac_protocol[0])
tac_add_attrib(attr, "protocol", tac_protocol);
@@ -598,34 +659,9 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
{
struct areply arep;
int ret = 1, done = 0;
@ -1119,11 +1119,17 @@ index 79e62b9..ecfa0b0 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL;
arep.attr = NULL;
@@ -636,14 +672,13 @@ lookup_tacacs_user(struct pwbuf *pb)
syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
" ret=%d: %m", nssname, tac_srv[srvr].addr ?
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
arep.status = TAC_PLUS_AUTHOR_STATUS_ERROR; /* if author_send fails */
tac_fd = connect_tacacs(&attr, srvr);
if (tac_fd < 0) {
- if(debug)
- syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
- " ret=%d: %m", nssname, tac_srv[srvr].addr ?
- tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
- tac_free_attrib(&attr);
+ syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s,"
+ " ret=%d: %m", nssname, tac_srv[srvr].addr ?
+ tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue;
}
- ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr);
@ -1137,7 +1143,7 @@ index 79e62b9..ecfa0b0 100644
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
pb->name);
}
@@ -668,14 +703,11 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
if(arep.status == AUTHOR_STATUS_PASS_ADD ||
arep.status == AUTHOR_STATUS_PASS_REPL) {
ret = got_tacacs_user(arep.attr, pb);
@ -1154,7 +1160,7 @@ index 79e62b9..ecfa0b0 100644
done = 1; /* break out of loop after arep cleanup */
}
else {
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
" invalid (%d)", nssname,
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
arep.status);
@ -1165,7 +1171,7 @@ index 79e62b9..ecfa0b0 100644
}
if(arep.msg)
free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_free_attrib(&arep.attr);
}
@ -1198,7 +1204,7 @@ index 79e62b9..ecfa0b0 100644
*
* We try the lookup to the tacacs server first. If we can't make a
* connection to the server for some reason, we also try looking up
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
int result;
struct pwbuf pbuf;
@ -1233,7 +1239,7 @@ index 79e62b9..ecfa0b0 100644
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
pbuf.pw = pw;
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
pbuf.buflen = buflen;
pbuf.errnop = errnop;
@ -1468,4 +1474,3 @@ index bb4eb1e..7cb756f 100644
+# many_to_one=y
--
2.7.4

View File

@ -113,8 +113,8 @@ index 2de00a6..048745a 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL;
@@ -748,7 +823,7 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
@@ -747,7 +822,7 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue;
}
- ret = tac_author_send(tac_fd, pb->name, "", "", attr);

View File

@ -4,11 +4,11 @@ Date: Mon, 26 Jun 2023 09:18:44 -0700
Subject: [PATCH] Replace popen shell execution with safer execle
---
nss_tacplus.c | 63 ++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 52 insertions(+), 11 deletions(-)
nss_tacplus.c | 54 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/nss_tacplus.c b/nss_tacplus.c
index cd73870..7574374 100644
index 50e560d..33e3e8c 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -34,6 +34,8 @@
@ -72,7 +72,7 @@ index cd73870..7574374 100644
fp = fopen(user_conf, "ab+");
if(!fp) {
syslog(LOG_ERR, "%s: %s fopen failed", nssname, user_conf);
@@ -495,18 +535,19 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
@@ -495,18 +535,18 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
while(lvl >= MIN_TACACS_USER_PRIV) {
user = &useradd_grp_list[lvl];
if(user->info && user->secondary_grp && user->shell) {
@ -83,21 +83,16 @@ index cd73870..7574374 100644
- if(!fp || -1 == pclose(fp)) {
- syslog(LOG_ERR, "%s: %s popen failed errno=%d %s",
- nssname, command, errno, strerror(errno));
- delete_conf_line(name);
- return -1;
- }
- if(debug)
+ char sgid[10] = {0};
+ char home[64] = {0};
+ snprintf(sgid, 10, "%d", user->gid);
+ snprintf(home, 63, "/home/%s", name);
+ if(0 != user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell)) {
+ if(debug)
+ syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name);
+ delete_conf_line(name);
+ return -1;
+ }
+ if(debug)
+ syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name);
delete_conf_line(name);
return -1;
}
if(debug)
syslog(LOG_DEBUG, "%s: %s %s success", nssname, command, name);
+
delete_conf_line(name);