Write error message to syslog when add user failed or connect to TACACS server failed. (#16240)

Write error message to syslog when add user failed or connect to TACACS server failed.

#### Why I did it
With these messages logged unconditionally (not only in debug mode), an operator can detect a failing TACACS+ server and downgrade it to a lower priority.

##### Work item tracking
- Microsoft ADO: 24667696

#### How I did it
Write error message to syslog when add user failed or connect to TACACS server failed.

#### How to verify it
Pass all UT.
Manually verify error message generated.

### Description for the changelog
Write error message to syslog when add user failed or connect to TACACS server failed.
This commit is contained in:
Hua Liu 2023-09-12 06:35:54 +08:00 committed by GitHub
parent 78415800a5
commit b0be5824f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 29 deletions


@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
debian/changelog | 11 + debian/changelog | 11 +
debian/control | 11 +- debian/control | 11 +-
debian/libnss-tacplus.symbols | 1 - debian/libnss-tacplus.symbols | 1 -
nss_tacplus.c | 1018 +++++++++++++++------------------ nss_tacplus.c | 1015 +++++++++++++++------------------
tacplus_nss.conf | 91 ++- tacplus_nss.conf | 91 ++-
8 files changed, 527 insertions(+), 613 deletions(-) 8 files changed, 525 insertions(+), 612 deletions(-)
diff --git a/Makefile.am b/Makefile.am diff --git a/Makefile.am b/Makefile.am
index 293951e..b33c455 100644 index 293951e..b33c455 100644
@ -1083,7 +1083,7 @@ index 79e62b9..ecfa0b0 100644
tac_add_attrib(attr, "service", tac_service); tac_add_attrib(attr, "service", tac_service);
if(tac_protocol[0]) if(tac_protocol[0])
tac_add_attrib(attr, "protocol", tac_protocol); tac_add_attrib(attr, "protocol", tac_protocol);
@@ -598,34 +659,9 @@ lookup_tacacs_user(struct pwbuf *pb) @@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
{ {
struct areply arep; struct areply arep;
int ret = 1, done = 0; int ret = 1, done = 0;
@ -1119,11 +1119,17 @@ index 79e62b9..ecfa0b0 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) { for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL; arep.msg = NULL;
arep.attr = NULL; arep.attr = NULL;
@@ -636,14 +672,13 @@ lookup_tacacs_user(struct pwbuf *pb) arep.status = TAC_PLUS_AUTHOR_STATUS_ERROR; /* if author_send fails */
syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s," tac_fd = connect_tacacs(&attr, srvr);
" ret=%d: %m", nssname, tac_srv[srvr].addr ? if (tac_fd < 0) {
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd); - if(debug)
- syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
- " ret=%d: %m", nssname, tac_srv[srvr].addr ?
- tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
- tac_free_attrib(&attr); - tac_free_attrib(&attr);
+ syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s,"
+ " ret=%d: %m", nssname, tac_srv[srvr].addr ?
+ tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue; continue;
} }
- ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr); - ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr);
@ -1137,7 +1143,7 @@ index 79e62b9..ecfa0b0 100644
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret, tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
pb->name); pb->name);
} }
@@ -668,14 +703,11 @@ lookup_tacacs_user(struct pwbuf *pb) @@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
if(arep.status == AUTHOR_STATUS_PASS_ADD || if(arep.status == AUTHOR_STATUS_PASS_ADD ||
arep.status == AUTHOR_STATUS_PASS_REPL) { arep.status == AUTHOR_STATUS_PASS_REPL) {
ret = got_tacacs_user(arep.attr, pb); ret = got_tacacs_user(arep.attr, pb);
@ -1154,7 +1160,7 @@ index 79e62b9..ecfa0b0 100644
done = 1; /* break out of loop after arep cleanup */ done = 1; /* break out of loop after arep cleanup */
} }
else { else {
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb) @@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
" invalid (%d)", nssname, " invalid (%d)", nssname,
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name, tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
arep.status); arep.status);
@ -1165,7 +1171,7 @@ index 79e62b9..ecfa0b0 100644
} }
if(arep.msg) if(arep.msg)
free(arep.msg); free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb) @@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_free_attrib(&arep.attr); tac_free_attrib(&arep.attr);
} }
@ -1198,7 +1204,7 @@ index 79e62b9..ecfa0b0 100644
* *
* We try the lookup to the tacacs server first. If we can't make a * We try the lookup to the tacacs server first. If we can't make a
* connection to the server for some reason, we also try looking up * connection to the server for some reason, we also try looking up
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, @@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
int result; int result;
struct pwbuf pbuf; struct pwbuf pbuf;
@ -1233,7 +1239,7 @@ index 79e62b9..ecfa0b0 100644
/* marshal the args for the lower level functions */ /* marshal the args for the lower level functions */
pbuf.name = (char *)name; pbuf.name = (char *)name;
pbuf.pw = pw; pbuf.pw = pw;
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw, @@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
pbuf.buflen = buflen; pbuf.buflen = buflen;
pbuf.errnop = errnop; pbuf.errnop = errnop;
@ -1468,4 +1474,3 @@ index bb4eb1e..7cb756f 100644
+# many_to_one=y +# many_to_one=y
-- --
2.7.4 2.7.4
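Review bot: The connect-failure message in the `@@ -636,14 +672,13 @@` hunk is now emitted at LOG_ERR on every lookup rather than only under `debug`, and lookup_tacacs_user runs inside whatever process calls getpwnam(), so a single unreachable server produces one line per NSS query from every process on the box and can flood syslog (which is also a convenient way for an attacker to bury other events); consider throttling repeats with a per-server timestamp (`static time_t last_logged[...]` compared against `time(NULL)`) or at least documenting that the message is intentionally unthrottled. `%m` reports errno at the moment syslog() is called, which is only meaningful if connect_tacacs() performs no cleanup (close/free) after the failed connect before returning — worth confirming, or capture errno in a local first. I would also put a comment above the call so the next maintainer does not re-gate it: `/* Deliberately not debug-gated: operators key off this message to demote an unreachable server. */`. lookup_tacacs_user starts and ends outside this hunk.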


@ -113,8 +113,8 @@ index 2de00a6..048745a 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) { for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL; arep.msg = NULL;
@@ -748,7 +823,7 @@ lookup_tacacs_user(struct pwbuf *pb) @@ -747,7 +822,7 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd); tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue; continue;
} }
- ret = tac_author_send(tac_fd, pb->name, "", "", attr); - ret = tac_author_send(tac_fd, pb->name, "", "", attr);


@ -4,11 +4,11 @@ Date: Mon, 26 Jun 2023 09:18:44 -0700
Subject: [PATCH] Replace popen shell execution with safer execle Subject: [PATCH] Replace popen shell execution with safer execle
--- ---
nss_tacplus.c | 63 ++++++++++++++++++++++++++++++++++++++++++--------- nss_tacplus.c | 54 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 52 insertions(+), 11 deletions(-) 1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/nss_tacplus.c b/nss_tacplus.c diff --git a/nss_tacplus.c b/nss_tacplus.c
index cd73870..7574374 100644 index 50e560d..33e3e8c 100644
--- a/nss_tacplus.c --- a/nss_tacplus.c
+++ b/nss_tacplus.c +++ b/nss_tacplus.c
@@ -34,6 +34,8 @@ @@ -34,6 +34,8 @@
@ -72,7 +72,7 @@ index cd73870..7574374 100644
fp = fopen(user_conf, "ab+"); fp = fopen(user_conf, "ab+");
if(!fp) { if(!fp) {
syslog(LOG_ERR, "%s: %s fopen failed", nssname, user_conf); syslog(LOG_ERR, "%s: %s fopen failed", nssname, user_conf);
@@ -495,18 +535,19 @@ static int create_or_modify_local_user(const char *name, int level, bool existin @@ -495,18 +535,18 @@ static int create_or_modify_local_user(const char *name, int level, bool existin
while(lvl >= MIN_TACACS_USER_PRIV) { while(lvl >= MIN_TACACS_USER_PRIV) {
user = &useradd_grp_list[lvl]; user = &useradd_grp_list[lvl];
if(user->info && user->secondary_grp && user->shell) { if(user->info && user->secondary_grp && user->shell) {
@ -83,21 +83,16 @@ index cd73870..7574374 100644
- if(!fp || -1 == pclose(fp)) { - if(!fp || -1 == pclose(fp)) {
- syslog(LOG_ERR, "%s: %s popen failed errno=%d %s", - syslog(LOG_ERR, "%s: %s popen failed errno=%d %s",
- nssname, command, errno, strerror(errno)); - nssname, command, errno, strerror(errno));
- delete_conf_line(name);
- return -1;
- }
- if(debug)
+ char sgid[10] = {0}; + char sgid[10] = {0};
+ char home[64] = {0}; + char home[64] = {0};
+ snprintf(sgid, 10, "%d", user->gid); + snprintf(sgid, 10, "%d", user->gid);
+ snprintf(home, 63, "/home/%s", name); + snprintf(home, 63, "/home/%s", name);
+ if(0 != user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell)) { + if(0 != user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell)) {
+ if(debug) + syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name);
+ syslog(LOG_ERR, "%s: %s %s failed", nssname, command, name); delete_conf_line(name);
+ delete_conf_line(name); return -1;
+ return -1; }
+ } if(debug)
+ if(debug)
syslog(LOG_DEBUG, "%s: %s %s success", nssname, command, name); syslog(LOG_DEBUG, "%s: %s %s success", nssname, command, name);
+ +
delete_conf_line(name); delete_conf_line(name);
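Review bot: In the create_or_modify_local_user hunk, `char sgid[10]` holds nine digits plus the terminator, so a gid of 1000000000 or more (which fits a 32-bit gid_t) is silently truncated by `snprintf(sgid, 10, "%d", user->gid)` and the account is created with the wrong primary group; size it `char sgid[12]`, treat `snprintf(...) >= (int)sizeof sgid` as a failure, and use `%u` if `gid` is a `gid_t` (its declaration is not visible here). The now-unconditional failure log is an improvement, but it dropped the errno detail the popen path used to record; if user_mod_add() returns the child's exit status or -1, log it: `int rc = user_mod_add(command, name, sgid, user->secondary_grp, user->info, home, user->shell); if(rc != 0) { syslog(LOG_ERR, "%s: %s %s failed rc=%d", nssname, command, name, rc);`. Likewise `snprintf(home, 63, ...)` should use `sizeof home` so the bound follows the declaration. create_or_modify_local_user starts and ends outside this hunk.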