Missing information from the services of membership group


Dario Esposito

Jul 27, 2025, 2:31:47 AM
to Event-Driven Servers
Hi there,

I'm having a little trouble with the user groups. I noticed that some information isn't being inherited, but I'm not sure if this is the expected behavior or if I'm doing something wrong.

Ubuntu
tac_plus version 726ecccf3a4105ee3100a382403b5f282a82c175/PCRE2/CRYPTO/ARES/CURL/SSL

configuration #1:

  group = grp-root-system {
    default service = permit
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    }
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    }
   
  }

  user = test {
    login = mavis
    member = grp-root-system
    default service = permit
  }
 
 
debug:

27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell protocol=
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:service=shell (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:cmd* (passed thru)
27643: 07:18:37.402 1/87004931: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27643: 07:18:37.402 1/87004931: 100.100.100.129 replaced 1 args
27643: 07:18:37.402 1/87004931: 100.100.100.129 Writing AUTHOR/PASS_REPL size=37
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<start packet>---
27643: 07:18:37.402 1/87004931: 100.100.100.129 key used: _____
27643: 07:18:37.402 1/87004931: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27643: 07:18:37.402 1/87004931: 100.100.100.129 session id: 31490087, data length: 25
27643: 07:18:37.402 1/87004931: 100.100.100.129 packet body (len: 25): \002\002\000\000\000\000\r\004service=shellcmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 0000 02 02 00 00 00 00 0d 04  73 65 72 76 69 63 65 3d  ........ service=
27643: 07:18:37.402 1/87004931: 100.100.100.129 0010 73 68 65 6c 6c 63 6d 64  2a                       shellcmd *
27643: 07:18:37.402 1/87004931: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=2
27643: 07:18:37.402 1/87004931: 100.100.100.129 msg (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 data (len: 0):
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[0] (len: 13): service=shell
27643: 07:18:37.402 1/87004931: 100.100.100.129 arg[1] (len: 4): cmd*
27643: 07:18:37.402 1/87004931: 100.100.100.129 ---<end packet>---

configuration #2:


  group = grp-root-system {
    default service = permit
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    }
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    }
   
  }

  user = test {
    login = mavis
    member = grp-root-system
    default service = permit
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    }
  }
 
debug #2:

27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: not found: svcname=shell@grp-host protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 d.esp...@100.100.100.129: found: svcname=shell protocol=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 cfg_get_svc_attrs_func: found svcname=shell proto=
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:service=shell (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:cmd* (passed thru)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:task* svr:absent/deny -> delete task* (i)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 nas:absent srv:priv-lvl=15 -> add priv-lvl=15 (k)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 replaced 1 args
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 Writing AUTHOR/PASS_REPL size=49
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<start packet>---
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 key used: _____
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 version: 192, type: 2, seq no: 2, flags: unencrypted
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 session id: 043d008b, data length: 37
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 packet body (len: 37): \002\003\000\000\000\000\r\004\vservice=shellcmd*priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0000 02 03 00 00 00 00 0d 04  0b 73 65 72 76 69 63 65  ........ .service
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0010 3d 73 68 65 6c 6c 63 6d  64 2a 70 72 69 76 2d 6c  =shellcm d*priv-l
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 0020 76 6c 3d 31 35                                    vl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 AUTHOR/REPLY, status=2 (AUTHOR/PASS_REPL)
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg_len=0, data_len=0, arg_cnt=3
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 msg (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 data (len: 0):
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[0] (len: 13): service=shell
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[1] (len: 4): cmd*
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 arg[2] (len: 11): priv-lvl=15
27830: 07:21:46.368 1/8b003d04: 100.100.100.129 ---<end packet>---


Why doesn't the "priv-lvl=15" attribute get passed down to the service configured on the group, but only if it's specified on the user?

What am I missing here? Any ideas?
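
An added example (not part of the original posts and not code from the tac_plus project): the two unencrypted AUTHOR/PASS_REPL bodies from the debug output above, decoded with the TACACS+ authorization reply layout from RFC 8907, plus a check that flags a passing reply that carries no priv-lvl. The function names and the required-attribute list are assumptions made for illustration.

```python
import struct

# Unencrypted AUTHOR/REPLY bodies, constructed from the two hex dumps in the debug output.
REPLY_CFG1 = bytes.fromhex("0202000000000d04736572766963653d7368656c6c636d642a")
REPLY_CFG2 = bytes.fromhex(
    "0203000000000d040b736572766963653d7368656c6c636d642a707269762d6c766c3d3135")

STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def split_avp(arg):
    """Split 'name=value' (mandatory) or 'name*value' (optional) at the first separator."""
    hits = [i for i in (arg.find("="), arg.find("*")) if i > 0]
    if not hits:
        raise ValueError(f"no attribute separator in {arg!r}")
    i = min(hits)
    return arg[:i], arg[i] == "=", arg[i + 1:]


def parse_author_reply(body):
    """Decode an authorization REPLY body: fixed header, length table, msg, data, args."""
    if len(body) < 6:
        raise ValueError("shorter than the 6-byte fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    if len(lens) != arg_cnt or pos + msg_len + data_len + sum(lens) != len(body):
        raise ValueError("declared lengths do not match the body size")
    pos += msg_len + data_len  # server_msg and data are empty in both samples
    args = []
    for n in lens:
        args.append(split_avp(body[pos:pos + n].decode("ascii")))
        pos += n
    return STATUS.get(status, hex(status)), args


def missing_on_pass(body, required=("priv-lvl",)):
    """Return required attributes absent from a passing reply (empty list = fine)."""
    status, args = parse_author_reply(body)
    if not status.startswith("PASS"):
        return []
    present = {name for name, _mandatory, _value in args}
    return [name for name in required if name not in present]


if __name__ == "__main__":
    for label, body in (("configuration #1", REPLY_CFG1), ("configuration #2", REPLY_CFG2)):
        print(label, parse_author_reply(body), "missing:", missing_on_pass(body))
```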

Marc Huber

Jul 27, 2025, 2:55:25 AM
to event-driv...@googlegroups.com

Hi Dario,

that's quite likely caused by setting "default service = permit" in user context.

Cheers,

Marc


Dario Esposito

Jul 28, 2025, 3:28:06 AM
to Event-Driven Servers
Thanks, Marc.

I had read the note in the documentation, but I had definitely misunderstood it.
“default service = permit” was the only parameter I set, and I didn't try to change it during my various attempts.

After removing "default service = permit", the behavior was as expected.

Thanks again!