Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RADIUS Management User Authentication Feature #7284

Merged
merged 5 commits into from
Apr 24, 2021
Merged

RADIUS Management User Authentication Feature #7284

merged 5 commits into from
Apr 24, 2021

Conversation

a-barboza
Copy link
Contributor

Why I did it

HLD: https://github.com/Azure/SONiC/blob/master/doc/aaa/radius_authentication.md
CLI: In a separate PR.

How I did it

How to verify it

UT: src/sonic-host-services/tests/hostcfgd/hostcfgd_radius_test.py

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)

HLD: https://github.com/Azure/SONiC/blob/master/doc/aaa/radius_authentication.md

UT: src/sonic-host-services/tests/hostcfgd/hostcfgd_radius_test.py

CLI: In a separate PR.
@lgtm-com
Copy link

lgtm-com bot commented Apr 10, 2021

This pull request introduces 3 alerts when merging 3f26e3e into e30a7eb - view on LGTM.com

new alerts:

  • 3 for Unused import

@lgtm-com
Copy link

lgtm-com bot commented Apr 14, 2021

This pull request introduces 3 alerts when merging d1a7a26 into 75c29cb - view on LGTM.com

new alerts:

  • 3 for Unused import

@a-barboza
Copy link
Contributor Author

/azp run

@azure-pipelines
Copy link

Commenter does not have sufficient privileges for PR 7284 in repo Azure/sonic-buildimage

- Address review comments
- Renamed tacacs_get_source_intf_ip() to be more generic
- Removed redundant run_cmd() definition. Added return in exception hdlr.
- Removed redundant parameter in handle_radius_source_intf_ip_chg()
- src_ip is deprecated. Honor an attempt to configure src_intf, even
  if it does not yield an IP address.
- Remove the modification of sudo PAM file
- Adjusted aaastatsd service restart in systemd service file. Fixes for
  py-swsssdk API changes. Only start aaastatsd for RADIUS statistics.
@lgtm-com
Copy link

lgtm-com bot commented Apr 22, 2021

This pull request introduces 5 alerts when merging ac3e9a3 into 38f65c8 - view on LGTM.com

new alerts:

  • 4 for Unused local variable
  • 1 for Unused import

@renukamanavalan renukamanavalan merged commit ec9101f into sonic-net:master Apr 24, 2021
lguohan added a commit to lguohan/sonic-buildimage that referenced this pull request Apr 24, 2021
regression introduced in sonic-net#7284

Signed-off-by: Guohan Lu <lguohan@gmail.com>
lguohan added a commit that referenced this pull request Apr 25, 2021
regression introduced in #7284

Signed-off-by: Guohan Lu <lguohan@gmail.com>
raphaelt-nvidia pushed a commit to raphaelt-nvidia/sonic-buildimage that referenced this pull request May 23, 2021
Why I did it
HLD: https://github.com/Azure/SONiC/blob/master/doc/aaa/radius_authentication.md
CLI: In a separate PR.

How I did it
How to verify it
UT: src/sonic-host-services/tests/hostcfgd/hostcfgd_radius_test.py
raphaelt-nvidia pushed a commit to raphaelt-nvidia/sonic-buildimage that referenced this pull request May 23, 2021
regression introduced in sonic-net#7284

Signed-off-by: Guohan Lu <lguohan@gmail.com>
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
Why I did it
HLD: https://github.com/Azure/SONiC/blob/master/doc/aaa/radius_authentication.md
CLI: In a separate PR.

How I did it
How to verify it
UT: src/sonic-host-services/tests/hostcfgd/hostcfgd_radius_test.py
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
regression introduced in sonic-net#7284

Signed-off-by: Guohan Lu <lguohan@gmail.com>
os.unlink(stats_file)
else:
open(stats_file, 'a').close()
os.chmod(stats_file, 0o666)
Copy link
Contributor

@maipbui maipbui Jan 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep detects a widely permissive file permission issue.

 scripts/aaastatsd
     python.lang.security.audit.insecure-file-permissions.insecure-file-permissions
        These permissions `0o666` are widely permissive and grant access to more people than may be
        necessary. A good default is `0o644` which gives read and write access to yourself and read
        access to everyone else.
        Details: https://sg.run/AXY4

        154┆ os.chmod(stats_file, 0o666)

Github code scanning also detects same issue.
Is it possible to limit the rw access to the owner only and give no access to others? #Closed

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maipbui
I think 0o644 or 0o600 might be ok. There is no sensitive information in this file.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @a-barboza! I’ll raise a PR to address this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants