2016-10-13 tacplus-auth v1.0.0 Dave Olson <olson@cumulusnetworks.com>

	First revision:

	This program does TACACS+ per-command authorization, using the libtac
	interfaces.

	It is expected to be symlink'ed or linked into a bin directory for
	restricted shell users such as rbash.  A link should exist
	for every command the restricted user might run.

	The real command is found by checking the directories in PATH from the
	ENV_PATH variable in /etc/login.defs, and if that file is not found, by
	looking for PATH in /etc/environment.  This works for at least the major
	Linux distributions, and also netbsd and freebsd.

	tacplus-auth is installed setuid so it can get the list of
	tacacs servers from /etc/tacplus_servers.

	tacplus-auth sends the command and arguments (up to 250 characters)
	to each tacacs server for authorization.

	It tries each server in turn until it gets successful permission or there
	are no more servers.  All servers are tried in case they have different
	databases.

	If authorization is succesful, the real command is executed with the same
	arguments.

	debug can be enabled from /etc/tacplus_servers, and if enabled, debug
	messages are printed on stderr.

	See README for more details and limitations.
