On Fri, Oct 7, 2016 at 11:32 PM, Michael Rash <michael.r...@gmail.com>
wrote:
>
>
> On Fri, Oct 7, 2016 at 3:17 PM, Stephen Isard <xkyr47r...@snkmail.com>
> wrote:
>
>> Hello,
>>
>> I've recently installed fwknop, so am not an experienced user. I'm
>> testing the use of command packets over my local interface. I have a
>> very restricted user set up as the CMD_EXEC_USER. When I start fwknopd
>> and run fwknop -C with a command that the user is permitted to run, it
>> works as expected. And when I give a command that the user isn't
>> allowed to execute, the command is rejected. However, after a rejected
>> command, permitted commands stop working and I get lines of the form
>>
>> fwknopd[4346]: (stanza #2) SPA Packet from IP: 127.0.0.1 received with
>> access source match
>> fwknopd[4346]: Could not open digest cache: /var/run/fwknop/digest.cache
>> fwknopd[4346]: [127.0.0.1] (stanza #2) Could not add digest to replay
>> cache
>>
>> in my log file. If I restart fwknopd, the permitted commands start
>> working again.
>>
>> I'm running fwknop 2.6.5-2.el6 on a Scientific Linux 6.8 system
>> (equivalent to Centos 6.8, RHEL 6.8).
>>
>
Ok, I'm having some trouble reproducing this. When using CMD_EXEC_USER,
fwknopd calls setuid() when executing a command on behalf of the user.
But, setuid() is called in a child process after fork(), and digest
operations are done in the parent. I assume you are running fwknopd as
root? Also, what mechanism are you using to place restrictions on what
types of commands the non-privileged user can execute? I tried passing a
command that the 'nobody' user cannot do (like 'cat /etc/shadow'), but this
results in a standard permissions error from the OS, and didn't affect
subsequent 'valid' commands. I may need some further details on how the
user is set up on your system, and the commands that you are passing from
the fwknop client.
Thanks,
--Mike
>
> That is interesting - I will try to reproduce this tomorrow and report
> back.
>
> Thanks,
>
> --Mike
>
>
>
>>
>> I'd be grateful for any pointers.
>>
>> Stephen Isard
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fwknop-discuss mailing list
>> Fwknop-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>>
>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
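The fork-then-setuid layout Mike describes above, as an added illustration that is not fwknop's own code: the privilege drop happens only in the forked child, so the parent (which in fwknopd owns the digest/replay cache) keeps its credentials and can still write root-owned state after a confined command has run or been rejected. The function names and the use of /bin/sh -c are assumptions for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork, drop privileges in the child only, then exec the command.
 * The parent never changes its uid/gid, so any root-only state it manages
 * (e.g. a replay cache under /var/run) stays writable afterwards.
 * Returns the command's exit status (0..255), 126 if the privilege drop
 * failed, 127 if exec failed, or -1 on fork/wait error.
 */
int run_cmd_as_user(uid_t uid, gid_t gid, const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: supplementary groups first (root only), then gid, then uid.
         * Order matters: after setuid() a non-root child can no longer setgid(). */
        if (geteuid() == 0 && setgroups(0, NULL) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* The drop must be irreversible: regaining root here is a bug. */
        if (uid != 0 && setuid(0) == 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent: only waits; its own credentials are untouched. */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

/* Returns 1 if the caller's effective uid survived the child-side drop. */
int parent_euid_unchanged_after(uid_t uid, gid_t gid, const char *cmd)
{
    uid_t before = geteuid();
    run_cmd_as_user(uid, gid, cmd);
    return geteuid() == before;
}
```

Run as an unprivileged user the drop is a no-op to the same uid; run as root with a real target uid, a rejected or failing command still leaves the parent able to open its cache file.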