--- tacacs+-4.0.4.19.orig/debian/control
+++ tacacs+-4.0.4.19/debian/control
@@ -0,0 +1,31 @@
+Source: tacacs+
+Section: net
+Priority: extra
+Maintainer: Henry-Nicolas Tourneur
+Build-Depends: debhelper (>= 7), autotools-dev, flex, m4, bison, libwrap0-dev, libpam0g-dev, dpatch
+Standards-Version: 3.9.1
+Homepage: http://www.shrubbery.net/tac_plus/
+
+Package: tacacs+
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, libwrap0, libpam0g, adduser, libtacacs+1, python
+Description: TACACS+ authentication daemon
+ TACACS+ is a protocol (not TACACS or XTACACS) for authentication,
+ authorization and accounting (AAA) services for routers and network devices.
+
+Package: libtacacs+1
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, libwrap0, libpam0g, adduser
+Description: TACACS+ authentication daemon
+ TACACS+ is a protocol (not TACACS or XTACACS) for authentication,
+ authorization and accounting (AAA) services for routers and network devices.
+ This package include the library used by the Daemon.
+
+Package: libtacacs+1-dev
+Architecture: all
+Section: libdevel
+Depends: ${misc:Depends}, libtacacs+1 (>= ${source:Upstream-Version}), libtacacs+1 (<< ${source:Upstream-Version}+1~)
+Description: TACACS+ authentication daemon
+ TACACS+ is a protocol (not TACACS or XTACACS) for authentication,
+ authorization and accounting (AAA) services for routers and network devices.
+ This package include the header file used for development purpose.
--- tacacs+-4.0.4.19.orig/debian/libtacacs+1.lintian-overrides
+++ tacacs+-4.0.4.19/debian/libtacacs+1.lintian-overrides
@@ -0,0 +1,2 @@
+package-name-doesnt-match-sonames
+
--- tacacs+-4.0.4.19.orig/debian/rules
+++ tacacs+-4.0.4.19/debian/rules
@@ -0,0 +1,90 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+include /usr/share/dpatch/dpatch.make
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
+CROSS= --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+else
+CROSS= --build $(DEB_BUILD_GNU_TYPE)
+endif
+
+
+
+config.status: patch-stamp configure
+ dh_testdir
+ifneq "$(wildcard /usr/share/misc/config.sub)" ""
+ cp -f /usr/share/misc/config.sub config.sub
+endif
+ifneq "$(wildcard /usr/share/misc/config.guess)" ""
+ cp -f /usr/share/misc/config.guess config.guess
+endif
+ ./configure $(CROSS) --prefix=/usr --bindir=\$${prefix}/sbin --mandir=\$${prefix}/share/man\
+ --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)"\
+ --enable-acls --enable-uenable --enable-maxsess --enable-finger
+
+build: build-stamp
+
+build-stamp: config.status
+ dh_testdir
+ $(MAKE)
+
+ touch $@
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ [ ! -f Makefile ] || $(MAKE) distclean
+ rm -f config.sub config.guess users_guide debian/*.log debian/files
+
+ dh_prep
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_installdirs
+
+ $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs CHANGES
+ dh_installdocs
+ dh_installlogrotate
+ dh_installinit --name=tacacs_plus
+ dh_installman
+ dh_install
+ dh_makeshlibs
+ dh_shlibdeps
+ dh_link
+ dh_strip
+ dh_fixperms
+ install -m 644 debian/tacacs+.default $(CURDIR)/debian/tacacs+/etc/default/tacacs+
+ install -m 600 debian/tac_plus.conf $(CURDIR)/debian/tacacs+/etc/tacacs+
+ install -m 755 do_auth.py $(CURDIR)/debian/tacacs+/usr/sbin/do_auth
+ install -d $(CURDIR)/debian/tacacs+/usr/share/lintian/overrides
+ install -d $(CURDIR)/debian/libtacacs+1/usr/share/lintian/overrides
+ install -m 644 debian/tacacs+.lintian-overrides $(CURDIR)/debian/tacacs+/usr/share/lintian/overrides/tacacs+
+ install -m 644 debian/do_auth.8 $(CURDIR)/debian/tacacs+/usr/share/man/man8
+ install -m 644 debian/libtacacs+1.lintian-overrides $(CURDIR)/debian/libtacacs+1/usr/share/lintian/overrides/libtacacs+1
+ dh_compress
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
+
+
--- tacacs+-4.0.4.19.orig/debian/compat
+++ tacacs+-4.0.4.19/debian/compat
@@ -0,0 +1 @@
+7
--- tacacs+-4.0.4.19.orig/debian/tacacs+.debhelper.log
+++ tacacs+-4.0.4.19/debian/tacacs+.debhelper.log
@@ -0,0 +1 @@
+dh_prep
--- tacacs+-4.0.4.19.orig/debian/tacacs+.install
+++ tacacs+-4.0.4.19/debian/tacacs+.install
@@ -0,0 +1,3 @@
+usr/sbin
+usr/share/man/man5
+usr/share/man/man8
--- tacacs+-4.0.4.19.orig/debian/tacacs+.default
+++ tacacs+-4.0.4.19/debian/tacacs+.default
@@ -0,0 +1,6 @@
+# This is the configuration file for /etc/init.d/tacacs+
+# You can overwrite default arguments passed to the daemon here.
+# See man(8) tac_plus
+
+
+DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf"
--- tacacs+-4.0.4.19.orig/debian/do_auth.8
+++ tacacs+-4.0.4.19/debian/do_auth.8
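Review bot: In debian/rules the config.status recipe hands configure only `CFLAGS="$(CFLAGS)"`, and nothing in the file assigns CFLAGS, CPPFLAGS or LDFLAGS, so whether this network-facing daemon is built with any compiler or linker hardening depends entirely on the environment that invokes the build. Setting them explicitly near the top, e.g. `CFLAGS := $(shell dpkg-buildflags --get CFLAGS)` and `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS)`, and adding `LDFLAGS="$(LDFLAGS)"` to the configure line would make the flags reproducible. A comment above the `install -m 600 debian/tac_plus.conf` line saying the mode is deliberate because the file holds the shared key would also help, since the reason is currently recorded only in the changelog.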
@@ -0,0 +1,64 @@ +.TH do_auth 8 "February 27, 2010" "version 1.2" +.SH NAME +do_auth \- Program allowing more granular control than tac_plus. +.SH SYNOPSIS +.B do_auth +\-u user [\-i Ip Address] [\-d Device address] [\-f Config filename] [\-l Log file] [-D Debug mode] +.SH DESCRIPTION +do_auth is a python program written to work as an authorization script for +tacacs to allow greater flexability in tacacs authentication. It allows +a user to be part of many predefined groups that can allow different +access to different devices based on ip, user, and source address. +.PP +Groups are assigned to users in the [users] section. A user must +be assigned to one or more groups, one per line. Groups are defined +in brackets, but can be any name. Each group can have up to 6 options +as defined below. + + host_deny Deny any user coming from this host. Optional. + host_allow Allow users from this range. Mandatory with -i. + device_deny Deny any device with this IP. Optional. + device_permit Allow this range. Mandatory if -d is specified. + command_deny Deny these commands. Optional. + command_permit Allow these commands. Mandatory. +.PP +The options are parsed in order till a match is found. Obviously, +for login, the commands section is not parsed. If a match is not +found, or a deny is found, we move on to the next group. At the +end, we have an implicit deny if no groups match. All tacacs keys +passed on login to do_auth are returned. (except cmd*) It is +possible to modify them, but I haven't implemented this yet as +I don't need it. Future versions may have an av_pair & +append_av_pair option. +.PP +.SH OPTIONS +.TP +\-u +Username. Mandatory. $user +.TP +\-i +Ip address of user. Optional. If not specified, all host_ entries +are ignored and can be omitted. $address +.TP +\-d +Device address. Optional. If not specified, all device_ entries +are ignored and can be omitted. $name +.TP +\-f +Config Filename. Default is do_auth.ini. +.TP +\-l +Logfile. Default is log.txt. 
+.TP +\-D +Activate debug mode. +.SH EXAMPLES +.B do_auth +-i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/tacacs+/do_auth.ini +.PP +.SH EXIT STATUS +do_auth returns 0 to allow, 1 to deny authorization. +.SH AUTHOR +Henry-Nicolas Tourneur from the do_auth file written by Dan Schmidt. +.SH SEE ALSO +tac_plus(8), tac_plus.conf(5) --- tacacs+-4.0.4.19.orig/debian/libtacacs+1.debhelper.log +++ tacacs+-4.0.4.19/debian/libtacacs+1.debhelper.log @@ -0,0 +1 @@ +dh_prep --- tacacs+-4.0.4.19.orig/debian/tacacs+.tacacs_plus.init +++ tacacs+-4.0.4.19/debian/tacacs+.tacacs_plus.init 
@@ -0,0 +1,243 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: tacacs+ +# Required-Start: $network $local_fs $syslog $remote_fs +# Required-Stop: $network $local_fs $remote_fs +# Should-Start: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: TACACS+ authentication daemon +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/sbin/tac_plus +NAME="tacacs+" +DESC="TACACS+ authentication daemon" +LOGDIR=/var/log/ +STARTTIME=1 + +PIDFILE=/var/run/tac_plus.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +# Default options, these can be overriden by the information +# at /etc/default/$NAME +DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf" # Additional options given to the server + + +LOGFILE=$LOGDIR/tac_plus.log # Server logfile + +# Include defaults if available +if [ -f /etc/default/$NAME ] ; then + . /etc/default/$NAME +fi + +# Check that the user exists (if we set a user) +# Does the user exist? +if [ -n "$DAEMONUSER" ] ; then + if getent passwd | grep -q "^$DAEMONUSER:"; then + # Obtain the uid and gid + DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'` + DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'` + else + log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist." + exit 1 + fi +fi + + +set -e + +running_pid() { +# Check if a given process pid's cmdline matches a given name + pid=$1 + name=$2 + [ -z "$pid" ] && return 1 + [ ! -d /proc/$pid ] && return 1 + cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` + # Is this the expected server + [ "$cmd" != "$name" ] && return 1 + return 0 +} + +running() { +# Check if the process is running looking at /proc +# (works for all users) + + # No pidfile, probably no daemon present + [ ! 
-f "$PIDFILE" ] && return 1 + pid=`cat $PIDFILE` + running_pid $pid $DAEMON || return 1 + return 0 +} + +start_server() { +# Start the process using the wrapper + if check_config_quiet ; then + start-stop-daemon --start --quiet --pidfile $PIDFILE \ + --exec $DAEMON -- $DAEMON_OPTS + errcode=$? + return $errcode + else + return $? + fi + +} + +stop_server() { + killproc -p $PIDFILE $DAEMON + return $? +} + +reload_server() { + if check_config_quiet ; then + [ ! -f "$PIDFILE" ] && return 1 + pid=`cat $PIDFILE` # This is the daemon's pid + # Send a SIGHUP + kill -1 $pid + return $? + else + return $? + fi +} + +check_config() { + $DAEMON -P $DAEMON_OPTS + return $? +} + +check_config_quiet() { + $DAEMON -P $DAEMON_OPTS >/dev/null 2>&1 + return $? +} + +force_stop() { +# Force the process to die killing it manually + [ ! -e "$PIDFILE" ] && return + if running ; then + kill -15 $pid + # Is it really dead? + sleep "$DIETIME"s + if running ; then + kill -9 $pid + sleep "$DIETIME"s + if running ; then + echo "Cannot kill $NAME (pid=$pid)!" + exit 1 + fi + fi + fi + rm -f $PIDFILE +} + + +case "$1" in + start) + log_daemon_msg "Starting $DESC " "$NAME" + # Check if it's running first + if running ; then + log_progress_msg "apparently already running" + log_end_msg 0 + exit 0 + fi + if start_server ; then + # NOTE: Some servers might die some time after they start, + # this code will detect this issue if STARTTIME is set + # to a reasonable value + [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time + if running ; then + # It's ok, the server started and is running + log_end_msg 0 + else + # It is not running after we did start + log_end_msg 1 + fi + else + # Either we could not start it + log_end_msg 1 + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + if running ; then + # Only stop the server if we see it running + errcode=0 + stop_server || errcode=$? 
+ log_end_msg $errcode + else + # If it's not running don't do anything + log_progress_msg "apparently not running" + log_end_msg 0 + exit 0 + fi + ;; + force-stop) + # First try to stop gracefully the program + $0 stop + if running; then + # If it's still running try to kill it more forcefully + log_daemon_msg "Stopping (force) $DESC" "$NAME" + errcode=0 + force_stop || errcode=$? + log_end_msg $errcode + fi + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME" + errcode=0 + stop_server || errcode=$? + # Wait some sensible amount, some server need this + [ -n "$DIETIME" ] && sleep $DIETIME + start_server || errcode=$? + [ -n "$STARTTIME" ] && sleep $STARTTIME + running || errcode=$? + log_end_msg $errcode + ;; + status) + + log_daemon_msg "Checking status of $DESC" "$NAME" + if running ; then + log_progress_msg "running" + log_end_msg 0 + else + log_progress_msg "apparently not running" + log_end_msg 1 + exit 1 + fi + ;; + # Use this if the daemon cannot reload + reload) + log_daemon_msg "Reloading $DESC configuration files" "$NAME" + if reload_server ; then + if running ; then + log_end_msg 0 + else + log_progress_msg "$NAME not running" + log_end_msg 1 + fi + else + log_progress_msg "Reload failled" + log_end_msg 1 + fi + ;; + check) + check_config + if [ X$? = "X0" ] + then + log_daemon_msg "Checking $DESC configuration files successful" "$NAME" + else + log_daemon_msg "Checking $DESC configuration files failed" + exit 1 + fi + ;; + *) + N=/etc/init.d/tacacs_plus + echo "Usage: $N {start|stop|force-stop|restart|force-reload|status|check}" >&2 + exit 1 + ;; +esac + +exit 0 --- tacacs+-4.0.4.19.orig/debian/libtacacs+1-dev.install +++ tacacs+-4.0.4.19/debian/libtacacs+1-dev.install @@ -0,0 +1,3 @@ +usr/include/* +usr/lib/libtacacs*.so +usr/share/man/man3 --- tacacs+-4.0.4.19.orig/debian/tac_plus.conf +++ tacacs+-4.0.4.19/debian/tac_plus.conf 
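Review bot: In debian/tacacs+.tacacs_plus.init, reload_server() reads the pid from $PIDFILE and runs `kill -1 $pid` without the /proc cmdline check that running() performs, so a stale pidfile can deliver SIGHUP to an unrelated process that has reused the pid, and the logrotate postrotate hook calls this path on every rotation. Guarding it with `running || return 1` before the kill (running() also sets `pid`) closes that gap. DIETIME is never assigned in the script or in the shipped defaults file, only STARTTIME is, so `sleep "$DIETIME"s` in force_stop() fails and the escalation from SIGTERM to SIGKILL happens with no grace period; a default such as `DIETIME=2` (constructed value) next to STARTTIME fixes that. The usage message also omits `reload`.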
@@ -0,0 +1,60 @@
+# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
+# See man(5) tac_plus.conf for more details
+
+# Define where to log accounting data, this is the default.
+
+accounting file = /var/log/tac_plus.acct
+
+# This is the key that clients have to use to access Tacacs+
+
+key = testing123
+
+# Use /etc/passwd file to do authentication
+
+#default authentication = file /etc/passwd
+
+
+# You can use feature like per host key with different enable passwords
+#host = 127.0.0.1 {
+# key = test
+# type = cisco
+# enable = enablepass
+# prompt = "Welcome XXX ISP Access Router \n\nUsername:"
+#}
+
+# We also can define local users and specify a file where data is stored.
+# That file may be filled using tac_pwd
+#user = test1 {
+# name = "Test User"
+# member = staff
+# login = file /etc/tacacs/tacacs_passwords
+#}
+
+# We can also specify rules valid per group of users.
+#group = group1 {
+# cmd = conf {
+# deny
+# }
+#}
+
+# Another example : forbid configure command for some hosts
+# for a define range of clients
+#group = group1 {
+# login = PAM
+# service = ppp
+# protocol = ip {
+# addr = 10.10.0.0/24
+# }
+# cmd = conf {
+# deny .*
+# }
+#}
+
+user = DEFAULT {
+ login = PAM
+ service = ppp protocol = ip {}
+}
+
+# Much more features are availables, like ACL, more service compatibilities,
+# commands authorization, scripting authorization.
+# See the man page for those features.
--- tacacs+-4.0.4.19.orig/debian/dirs
+++ tacacs+-4.0.4.19/debian/dirs
@@ -0,0 +1,6 @@
+usr/sbin
+etc/tacacs+
+etc/logrotate.d
+etc/default
+etc/init.d
+
--- tacacs+-4.0.4.19.orig/debian/libtacacs+1-dev.debhelper.log
+++ tacacs+-4.0.4.19/debian/libtacacs+1-dev.debhelper.log
@@ -0,0 +1 @@
+dh_prep
--- tacacs+-4.0.4.19.orig/debian/tacacs+.lintian-overrides
+++ tacacs+-4.0.4.19/debian/tacacs+.lintian-overrides
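Review bot: debian/tac_plus.conf ships an active `key = testing123`, so every installation that starts the daemon from this file shares one publicly known TACACS+ secret, and the active `user = DEFAULT { login = PAM ... }` block with no host restriction in this file means any PAM account is accepted from a client that presents it. The 0600 mode applied in debian/rules protects a key the administrator has set, not this one. The line should at least carry a comment such as `# CHANGE THIS before exposing the daemon: testing123 is a published default`, and writing a per-install random key at install time would be safer. Whether the daemon accepts a missing key is not visible on this page, so simply commenting the line out needs checking first.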
@@ -0,0 +1 @@
+tacacs+: non-standard-file-perm etc/tacacs+/tac_plus.conf 0600 != 0644
--- tacacs+-4.0.4.19.orig/debian/tacacs+.logrotate
+++ tacacs+-4.0.4.19/debian/tacacs+.logrotate
@@ -0,0 +1,12 @@
+/var/log/tac_plus.log
+/var/log/tac_plus.acct {
+ rotate 4
+ weekly
+ compress
+ missingok
+ notifempty
+ postrotate
+ invoke-rc.d tacacs_plus reload > /dev/null
+ endscript
+}
+
--- tacacs+-4.0.4.19.orig/debian/changelog
+++ tacacs+-4.0.4.19/debian/changelog
@@ -0,0 +1,61 @@ +tacacs+ (4.0.4.19-10) unstable; urgency=low + * Closes: #609755 (ignore $DAEMONUSER in init script stop_server()) + + -- Henry-Nicolas Tourneur Mon, 12 Jan 2011 21:07:51 +0100 + +tacacs+ (4.0.4.19-9) unstable; urgency=low + * Improve the init script: check the config on + start/reload (Thanks to Erik Wenzel) + * Use the debian way to restart daemons in logrotate scripts (Erik Wenzel too) + + -- Henry-Nicolas Tourneur Mon, 18 Oct 2010 21:30:51 +0100 + +tacacs+ (4.0.4.19-8) unstable; urgency=low + * Closes: #582334 (replace gethostbyname() with getaddrinfo()) + + -- Henry-Nicolas Tourneur Thu, 23 May 2010 11:46:24 +0100 + +tacacs+ (4.0.4.19-7) unstable; urgency=low + * Closes: #580845 (fix logrotate init script reload issue) + + -- Henry-Nicolas Tourneur Thu, 09 May 2010 13:23:15 +0100 + +tacacs+ (4.0.4.19-6) unstable; urgency=low + * Closes: #573766 (fix FTBFS) + + -- Henry-Nicolas Tourneur Thu, 14 Mar 2010 11:21:08 +0100 + +tacacs+ (4.0.4.19-5) unstable; urgency=low + * Correct a typo in copyright file + * Add the path to the GPL3 license in copyright file + + -- Henry-Nicolas Tourneur Thu, 13 Mar 2010 12:03:33 +0100 + +tacacs+ (4.0.4.19-4) unstable; urgency=low + * Include do_auth.py in binary and correct copyright issue + * Add a man page for do_auth + + -- Henry-Nicolas Tourneur Thu, 22 Feb 2010 22:55:42 +0100 + +tacacs+ (4.0.4.19-3) unstable; urgency=low + * Remove bad group/owner from the logrotate file + + -- Henry-Nicolas Tourneur Thu, 14 Feb 2010 20:19:14 +0100 + +tacacs+ (4.0.4.19-2) unstable; urgency=low + * Correct an error in the logrotate file + + -- Henry-Nicolas Tourneur Thu, 11 Feb 2010 19:06:14 +0100 + +tacacs+ (4.0.4.19-1) unstable; urgency=low + + * Patches: + - fix_man : Correct a man page error about a date + * 2 lintian overwrites: + - package-name-doesnt-match-sonames : because the so file + is named libtacacs.so but the software name is tacacs+ and not tacacs. 
+ - non-standard-file-perm : because the main configuration + file holds the tacacs+ key, it shouldn't be world readable. + * Initial release (Closes: #568161) + + -- Henry-Nicolas Tourneur Thu, 04 Feb 2010 15:04:46 +0100 --- tacacs+-4.0.4.19.orig/debian/README.source +++ tacacs+-4.0.4.19/debian/README.source @@ -0,0 +1,38 @@ +This package uses dpatch to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +To get the fully patched source after unpacking the source package, cd +to the root level of the source package and run: + + debian/rules patch + +Removing a patch is as simple as removing its entry from the +debian/patches/00list file, and please also remove the patch file +itself. + +Creating a new patch is done with "dpatch-edit-patch patch XX_patchname" +where you should replace XX with a new number and patchname with a +descriptive shortname of the patch. You can then simply edit all the +files your patch wants to edit, and then simply "exit 0" from the shell +to actually create the patch file. + +To tweak an already existing patch, call "dpatch-edit-patch XX_patchname" +and replace XX_patchname with the actual filename from debian/patches +you want to use. + +To clean up afterwards again, "debian/rules unpatch" will do the +work for you - or you can of course choose to call +"fakeroot debian/rules clean" all together. + + +--- + +this documentation is part of dpatch package, and may be used by +packages using dpatch to comply with policy on README.source. This +documentation is meant to be useful to users who are not proficient in +dpatch in doing work with dpatch-based packages. Please send any +improvements to the BTS of dpatch package. + +original text by Gerfried Fuchs, edited by Junichi Uekawa +10 Aug 2008. --- tacacs+-4.0.4.19.orig/debian/postrm +++ tacacs+-4.0.4.19/debian/postrm 
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+#DEBHELPER#
+if [ "$1" = "purge" ] ; then
+ rm -f /var/log/tac_plus*
+fi
--- tacacs+-4.0.4.19.orig/debian/copyright
+++ tacacs+-4.0.4.19/debian/copyright
@@ -0,0 +1,37 @@
+This package was debianized by Henry-Nicolas Tourneur on
+Wed, 23 Dec 2009 15:04:46 +0100.
+
+It was downloaded from http://www.shrubbery.net/tac_plus/
+
+Lol Grant (Cisco System) : up to 4.0.3a not included
+Contributors are in CHANGES file
+
+Copyright:
+
+The original cisco code carries the following license/disclaimer/whatever:
+
+/*
+ Copyright (c) 1995-1998 by Cisco systems, Inc.
+
+ Permission to use, copy, modify, and distribute this software for
+ any purpose and without fee is hereby granted, provided that this
+ copyright and permission notice appear on all copies of the
+ software and supporting documentation, the name of Cisco Systems,
+ Inc. not be used in advertising or publicity pertaining to
+ distribution of the program without specific prior permission, and
+ notice be given in supporting documentation that modification,
+ copying and distribution is by permission of Cisco Systems, Inc.
+
+ Cisco Systems, Inc. makes no representations about the suitability
+ of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
+ IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
+ WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS FOR A PARTICULAR PURPOSE.
+*/
+
+As for the bits I have added or contributions I have received from other
+folks, they are noted in the CHANGES file post version 4.0.3a. please
+give credit where due. thanks.
+
+The file do_auth located under /usr/sbin is under GPL3+.
+The GPL3 license can be found under /usr/share/common-licenses/GPL-3.
--- tacacs+-4.0.4.19.orig/debian/libtacacs+1.install
+++ tacacs+-4.0.4.19/debian/libtacacs+1.install
@@ -0,0 +1 @@
+usr/lib/libtacacs*.so.*
--- tacacs+-4.0.4.19.orig/debian/patches/fix_gethostbyname.dpatch
+++ tacacs+-4.0.4.19/debian/patches/fix_gethostbyname.dpatch
@@ -0,0 +1,139 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## fix_gethostbyname.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' tacacs+-4.0.4.19~/maxsess.c tacacs+-4.0.4.19/maxsess.c +--- tacacs+-4.0.4.19~/maxsess.c 2009-07-28 02:15:10.000000000 +0000 ++++ tacacs+-4.0.4.19/maxsess.c 2010-05-23 09:43:06.000000000 +0000 +@@ -31,6 +31,8 @@ + + char *wholog = TACPLUS_WHOLOGFILE; + ++static int timed_read(int, unsigned char *, int, int); ++ + /* + * initialize wholog file for tracking of user logins/logouts from + * accounting records. +@@ -262,8 +264,8 @@ + * + * Return -1 on error, eof or timeout. Otherwise return number of bytes read. + */ +-int +-timed_read(int fd, u_char *ptr, int nbytes, int timeout) ++static int ++timed_read(int fd, unsigned char *ptr, int nbytes, int timeout) + { + int nread; + struct pollfd pfds; +@@ -346,64 +348,65 @@ + * Column zero contains a space or an asterisk character. The line number + * starts at column 1 and is 3 digits wide. User names start at column 13, + * with a maximum possible width of 10. ++ * ++ * Returns the number of sessions/connections, or zero on error. 
+ */ + + static int + ckfinger(char *user, char *nas, struct identity *idp) + { +- struct sockaddr_in sin; +- struct servent *serv; +- int count, s, bufsize; ++ struct addrinfo hints, *res, *resp; ++ int count, s, bufsize, ecode; + char *buf, *p, *pn; + int incr = 4096, slop = 32; +- u_long inaddr; + char *curport = portname(idp->NAS_port); + char *name; + +- /* The finger service, aka port 79 */ +- serv = getservbyname("finger", "tcp"); +- if (serv) { +- sin.sin_port = serv->s_port; +- } else { +- sin.sin_port = 79; +- } ++ memset(&hints, 0, sizeof(struct addrinfo)); ++ hints.ai_family = PF_UNSPEC; ++ hints.ai_socktype = SOCK_STREAM; + +- /* Get IP addr for the NAS */ +- inaddr = inet_addr(nas); +- if (inaddr != -1) { +- /* A dotted decimal address */ +- memcpy(&sin.sin_addr, &inaddr, sizeof(inaddr)); +- sin.sin_family = AF_INET; +- } else { +- struct hostent *host = gethostbyname(nas); ++ if ((ecode = getaddrinfo(nas, "finger", &hints, &res)) != 0) { ++ report(LOG_ERR, "ckfinger: getaddrinfo %s failure: %s", nas, ++ gai_strerror(ecode)); ++ return(0); ++ } + +- if (host == NULL) { +- report(LOG_ERR, "ckfinger: gethostbyname %s failure: %s", +- nas, strerror(errno)); ++ ecode = 0; ++ for (resp = res; resp != NULL; resp = resp->ai_next) { ++ s = socket(resp->ai_family, resp->ai_socktype, resp->ai_protocol); ++ if (s < 0) { ++ if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) ++ continue; ++ report(LOG_ERR, "ckfinger: socket: %s", strerror(errno)); ++ freeaddrinfo(res); + return(0); + } +- memcpy(&sin.sin_addr, host->h_addr, host->h_length); +- sin.sin_family = host->h_addrtype; ++ if ((ecode = connect(s, resp->ai_addr, res->ai_addrlen)) < 0) { ++ close(s); ++ continue; ++ } else ++ break; + } + +- s = socket(AF_INET, SOCK_STREAM, 0); +- if (s < 0) { ++ freeaddrinfo(res); ++ /* socket failure / no supported address families */ ++ if (resp == NULL && ecode == 0) { + report(LOG_ERR, "ckfinger: socket: %s", strerror(errno)); + return(0); + } +- if (connect(s, 
(struct sockaddr *) & sin, sizeof(sin)) < 0) { +- report(LOG_ERR, "ckfinger: connect failure %s", strerror(errno)); +- close(s); ++ if (ecode != 0) { ++ report(LOG_ERR, "ckfinger: connect %s: %s", nas, strerror(errno)); + return(0); + } +- /* Read in the finger output into a single flat buffer */ ++ /* Read the finger output into a single flat buffer */ + buf = NULL; + bufsize = 0; + for (;;) { + int x; + + buf = tac_realloc(buf, bufsize + incr + slop); +- x = timed_read(s, buf + bufsize, incr, 10); ++ x = timed_read(s, (unsigned char *)(buf + bufsize), incr, 10); + if (x <= 0) { + break; + } +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' tacacs+-4.0.4.19~/tac_plus.h tacacs+-4.0.4.19/tac_plus.h +--- tacacs+-4.0.4.19~/tac_plus.h 2009-07-28 00:11:53.000000000 +0000 ++++ tacacs+-4.0.4.19/tac_plus.h 2010-05-23 09:43:45.000000000 +0000 +@@ -669,7 +669,7 @@ + char username[64]; /* User name */ + char NAS_name[32]; /* NAS user logged into */ + char NAS_port[32]; /* ...port on that NAS */ +- char NAC_address[32]; /* ...IP address of NAS */ ++ char NAC_address[64]; /* ...IP address of NAS */ + }; + #endif /* MAXSESS */ + --- tacacs+-4.0.4.19.orig/debian/patches/00list +++ tacacs+-4.0.4.19/debian/patches/00list @@ -0,0 +1,2 @@ +fix_man +fix_gethostbyname --- tacacs+-4.0.4.19.orig/debian/patches/fix_man.dpatch +++ tacacs+-4.0.4.19/debian/patches/fix_man.dpatch 
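Review bot: In the new ckfinger() address loop of fix_gethostbyname.dpatch, the connect call passes `res->ai_addrlen`, the length of the first getaddrinfo() result, while connecting to the entry currently being tried; it should be `connect(s, resp->ai_addr, resp->ai_addrlen)`, otherwise a later entry of a different address family is connected with the wrong sockaddr length. The connect failure report after the loop reads errno after `close(s)` has run, so the logged reason may not be the connect error; saving errno before the close keeps the log usable for diagnosis. The tac_plus.h change widens `NAC_address` to 64 bytes, and if that struct is stored in the wholog file (not visible in this patch) records written by the previous build would no longer match, which deserves a comment or a changelog entry. ckfinger() continues past the end of the inner hunk.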
@@ -0,0 +1,17 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_man.dpatch by Henry-Nicolas Tourneur
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad tacacs+-4.0.4.19~/regexp.3 tacacs+-4.0.4.19/regexp.3
+--- tacacs+-4.0.4.19~/regexp.3 2009-07-17 17:34:30.000000000 +0000
++++ tacacs+-4.0.4.19/regexp.3 2010-01-31 16:36:14.000000000 +0000
+@@ -1,5 +1,4 @@
+-.TH REGEXP 3 local
+-.DA 2 April 1986
++.TH REGEXP 3 "2 April 1986"
+ .SH NAME
+ regcomp, regexec, regsub, regerror \- regular expression handler
+ .SH SYNOPSIS