
[tacacs] Support privilege level 0 #1442

Status: Open (wants to merge 1 commit into master)
Conversation

@taoyl-ms (Contributor) commented Mar 2, 2018

- What I did
To support tacacs user privilege level 0 by setting MIN_TACACS_USER_PRIV = 0 in the tacacs-nss patch.

@taoyl-ms (Contributor, Author) commented Mar 2, 2018

@liuqu, could you kindly help review?

@@ -463,7 +463,7 @@ index 79e62b9..ecfa0b0 100644
+{
+ char *token;
+ char delim[] = ";\n\r";
+ int priv = 0;
+ int priv = -1;
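Review bot: moving the sentinel from `int priv = 0;` to `int priv = -1;` is only half of the change; this hunk does not show the code that consumes `priv`, and once MIN_TACACS_USER_PRIV is 0 any other initialisation to 0 (the first review comment names the `priv_level` default in got_tacacs_user()) reads as a granted level 0 when the attribute was never parsed. Suggest naming the sentinel (e.g. `#define PRIV_NOT_FOUND (-1)`), using it for every "not yet parsed" initialisation, and rejecting on an explicit `priv < 0` path so that "attribute absent" and "priv-lvl=0" remain distinguishable.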
Review comment:
The default value of "priv_level" in function got_tacacs_user() also needs to be changed.

Review comment:
TACACS priv-level 0 is seldom used and is defined as non-privileged in general. Are there any scenarios that need to support it?

Collaborator comment:
Does non-privilege mean a normal user?

Collaborator comment:
privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

It is still valid; we should still enable it.

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html

Author comment:
Why do we need to modify the default value in got_tacacs_user()? I think the current behavior is to treat the user as least privileged (0) if the search fails?

Review comment:
The original design is that the priv-lvl in the user configuration on the TACACS+ server should be set explicitly to a valid value (1-15). If the priv-lvl search fails, it will be set as privileged (0) and not allowed to log in.
If priv-lvl (0) is treated as a valid value, the default value should be set to an invalid value. Unless we don't care about priv-lvl.

Review comment:
I think non-privilege means the user has less command privilege. There is no authorization in the current SONiC CLI, so the original design is to filter non-privileged users to avoid unsafe operations. Maybe it's too hard-coded to limit the user's configuration.
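The distinction the comments above draw (an explicit priv-lvl of 0 versus no priv-lvl at all) is easy to lose once the "not found" default and MIN_TACACS_USER_PRIV are both 0. The following C program is an added example written for this page, not code from the sonic-buildimage tacacs-nss patch; the attribute strings, MAX_TACACS_USER_PRIV, PRIV_NOT_FOUND and the function names are assumptions. It parses priv-lvl out of a ';'-separated attribute list, as the patched function's `delim[] = ";\n\r"` suggests, returns a sentinel outside 0..15 when the attribute is absent or malformed, and shows that the login check then still rejects the absent case even with MIN_TACACS_USER_PRIV = 0.

```c
/* Added example, not code from the sonic-buildimage tacacs-nss patch.
 * Shows why the "attribute absent" default must leave the 0..15 range
 * once privilege level 0 becomes valid. Attribute strings, MAX_TACACS_USER_PRIV,
 * PRIV_NOT_FOUND and function names are assumptions for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MIN_TACACS_USER_PRIV 0   /* value proposed by the PR (was 1) */
#define MAX_TACACS_USER_PRIV 15  /* assumed: TACACS+ priv-lvl range is 0..15 */
#define PRIV_NOT_FOUND (-1)      /* assumed sentinel: priv-lvl absent or malformed */

/* Parse "priv-lvl=N" (or the optional form "priv-lvl*N") out of a
 * ';'-separated TACACS+ attribute list such as "service=shell;priv-lvl=15".
 * Returns the level, or PRIV_NOT_FOUND if it is absent, non-numeric or
 * out of range. The input is copied because strtok modifies its argument. */
int parse_priv_level(const char *attrs)
{
    char buf[256];
    char delim[] = ";\n\r";
    char *token;
    int priv = PRIV_NOT_FOUND;   /* never 0: 0 is now a real, grantable level */

    if (attrs == NULL || strlen(attrs) >= sizeof(buf))
        return PRIV_NOT_FOUND;
    strcpy(buf, attrs);

    for (token = strtok(buf, delim); token != NULL; token = strtok(NULL, delim)) {
        if (strncmp(token, "priv-lvl", 8) == 0 && (token[8] == '=' || token[8] == '*')) {
            const char *val = token + 9;
            char *end;
            long n;
            if (!isdigit((unsigned char)*val))
                return PRIV_NOT_FOUND;   /* "priv-lvl=" or "priv-lvl=abc" */
            n = strtol(val, &end, 10);
            if (*end != '\0' || n < 0 || n > MAX_TACACS_USER_PRIV)
                return PRIV_NOT_FOUND;   /* trailing junk or out of range */
            priv = (int)n;
        }
    }
    return priv;
}

/* Login policy: only an explicitly granted level inside the range passes.
 * Had priv been initialised to 0 instead of the sentinel, a reply lacking
 * priv-lvl would pass this check as soon as MIN_TACACS_USER_PRIV is 0. */
int tacacs_login_allowed(int priv)
{
    return priv >= MIN_TACACS_USER_PRIV && priv <= MAX_TACACS_USER_PRIV;
}

int main(void)
{
    const char *samples[] = {            /* constructed authorization replies */
        "service=shell;priv-lvl=15",
        "service=shell;priv-lvl=0\r\n",  /* level 0: valid under this PR */
        "service=shell",                 /* attribute absent: must be denied */
        "priv-lvl=16",                   /* out of range: must be denied */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int p = parse_priv_level(samples[i]);
        printf("%-30s priv=%2d login=%s\n", samples[i], p,
               tacacs_login_allowed(p) ? "allowed" : "denied");
    }
    return 0;
}
```

The sentinel only does its job if every place that initialises a privilege before parsing uses it; a second default of 0 elsewhere (the got_tacacs_user() case raised in review) reopens the gap.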

@lguohan (Collaborator) commented Aug 12, 2018

@taoyl-ms , do we still need this?

@taoyl-ms taoyl-ms requested a review from a team as a code owner June 10, 2022 02:01
4 participants