Missing information from the services of membership group
29 views
Skip to first unread message
Dario Esposito
Jul 27, 2025, 2:31:47 AMJul 27
to Event-Driven Servers
Hi there,
I'm having a little trouble with the user groups. I noticed that some information isn't being inherited, but I'm not sure if this is the expected behavior or if I'm doing something wrong.
Ubuntu
tac_plus version 726ecccf3a4105ee3100a382403b5f282a82c175/PCRE2/CRYPTO/ARES/CURL/SSL
configuration #1:
group = grp-root-system {
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
user = test {
login = mavis
member = grp-root-system
default service = permit
}
debug:
27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:service=shell (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:cmd* (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27643: 07:18:37.402 1/87004931: 100.100.100.129 replaced 1 args
27643: 07:18:37.402 1/87004931: 100.100.100.129 Writing AUTHOR/PASS_REPL size=37
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<start packet>---
27643: 07:18:37.402 1/87004931: 100.100.100.129 key used: _____
27643: 07:18:37.402 1/87004931: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27643: 07:18:37.402 1/87004931: 100.100.100.129 session id: 31490087, data length: 25
27643: 07:18:37.402 1/87004931: 100.100.100.129 packet body (len: 25): \002\002\000\000\000\000\r\004service=shellcmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 0000 02 02 00 00 00 00 0d 04 73 65 72 76 69 63 65 3d ........ service=
27643: 07:18:37.402 1/87004931: 100.100.100.129 0010 73 68 65 6c 6c 63 6d 64 2a shellcmd *
27643: 07:18:37.402 1/87004931: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=2
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 data (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[0] (len: 13): service=shell
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[1] (len: 4): cmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<end packet>---
configuration #2:
group = grp-root-system {
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
user = test {
login = mavis
member = grp-root-system
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
debug #2:
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: found: svcname=shell protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 cfg_get_svc_attrs_func: found svcname=shell proto=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:service=shell (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:cmd* (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:absent srv:priv-lvl=15 -> add priv-lvl=15 (k)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 replaced 1 args
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 Writing AUTHOR/PASS_REPL size=49
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<start packet>---
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 key used: _____
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 session id: 043d008b, data length: 37
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 packet body (len: 37): \002\003\000\000\000\000\r\004\vservice=shellcmd*priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0000 02 03 00 00 00 00 0d 04 0b 73 65 72 76 69 63 65 ........ .service
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0010 3d 73 68 65 6c 6c 63 6d 64 2a 70 72 69 76 2d 6c =shellcm d*priv-l
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0020 76 6c 3d 31 35 vl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=3
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 data (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[0] (len: 13): service=shell
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[1] (len: 4): cmd*
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[2] (len: 11): priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<end packet>---
Why doesn't the "priv-lvl=15" attribute get passed down to the service configured on the group, but only if it's specified on the user?
What am I missing here? Any ideas?
I'm having a little trouble with the user groups. I noticed that some information isn't being inherited, but I'm not sure if this is the expected behavior or if I'm doing something wrong.
Ubuntu
tac_plus version 726ecccf3a4105ee3100a382403b5f282a82c175/PCRE2/CRYPTO/ARES/CURL/SSL
configuration #1:
group = grp-root-system {
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
user = test {
login = mavis
member = grp-root-system
default service = permit
}
debug:
27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:service=shell (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:cmd* (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27643: 07:18:37.402 1/87004931: 100.100.100.129 replaced 1 args
27643: 07:18:37.402 1/87004931: 100.100.100.129 Writing AUTHOR/PASS_REPL size=37
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<start packet>---
27643: 07:18:37.402 1/87004931: 100.100.100.129 key used: _____
27643: 07:18:37.402 1/87004931: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27643: 07:18:37.402 1/87004931: 100.100.100.129 session id: 31490087, data length: 25
27643: 07:18:37.402 1/87004931: 100.100.100.129 packet body (len: 25): \002\002\000\000\000\000\r\004service=shellcmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 0000 02 02 00 00 00 00 0d 04 73 65 72 76 69 63 65 3d ........ service=
27643: 07:18:37.402 1/87004931: 100.100.100.129 0010 73 68 65 6c 6c 63 6d 64 2a shellcmd *
27643: 07:18:37.402 1/87004931: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=2
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 data (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[0] (len: 13): service=shell
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[1] (len: 4): cmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<end packet>---
configuration #2:
group = grp-root-system {
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
user = test {
login = mavis
member = grp-root-system
default service = permit
service = shell {
set priv-lvl = 15
default attribute = permit
default cmd = permit
}
}
debug #2:
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: found: svcname=shell protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 cfg_get_svc_attrs_func: found svcname=shell proto=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:service=shell (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:cmd* (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:absent srv:priv-lvl=15 -> add priv-lvl=15 (k)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 replaced 1 args
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 Writing AUTHOR/PASS_REPL size=49
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<start packet>---
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 key used: _____
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 session id: 043d008b, data length: 37
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 packet body (len: 37): \002\003\000\000\000\000\r\004\vservice=shellcmd*priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0000 02 03 00 00 00 00 0d 04 0b 73 65 72 76 69 63 65 ........ .service
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0010 3d 73 68 65 6c 6c 63 6d 64 2a 70 72 69 76 2d 6c =shellcm d*priv-l
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0020 76 6c 3d 31 35 vl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=3
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 data (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[0] (len: 13): service=shell
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[1] (len: 4): cmd*
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[2] (len: 11): priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<end packet>---
Why doesn't the "priv-lvl=15" attribute get passed down to the service configured on the group, but only if it's specified on the user?
What am I missing here? Any ideas?
Marc Huber
Jul 27, 2025, 2:55:25 AMJul 27
to event-driv...@googlegroups.com
Hi Dario,
that's quite likely caused by setting "default service = permit" in user context.
Cheers,
Marc
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/f7ee71c2-87a5-4d5e-9a95-897c198dc581n%40googlegroups.com.
Dario Esposito
Jul 28, 2025, 3:28:06 AMJul 28
to Event-Driven Servers
Thanks, Marc.
I had read the note in the documentation, but I had definitely misunderstood it.
“default service = permit” was the only parameter I set, and I didn't try to change it during my various attempts.
After removing "default service = permit," the behavior was as expected.
Thanks again!
I had read the note in the documentation, but I had definitely misunderstood it.
“default service = permit” was the only parameter I set, and I didn't try to change it during my various attempts.
After removing "default service = permit," the behavior was as expected.
Thanks again!
Reply all
Reply to author
Forward
0 new messages