On Sat, 8 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:

...

> Ok, I'm having some trouble reproducing this. When using CMD_EXEC_USER,
> fwknopd calls setuid() when executing a command on behalf of the user.
> But, setuid() is called in a child process after fork(), and digest
> operations are done in the parent. I assume you are running fwknopd as
> root? Also, what mechanism are you using to place restrictions on what
> types of commands the non-privileged user can execute? I tried passing a
> command that the 'nobody' user cannot do (like 'cat /etc/shadow'), but this
> results in a standard permissions error from the OS, and didn't affect
> subsequent 'valid' commands. I may need some further details on how the
> user is set up on your system, and the commands that you are passing from
> the fwknop client.
Yes, fwknopd is running as root. I've started it from the script installed by the rpm in /etc/init.d. The user has /bin/nologin as shell, no password and no home directory of its own. I've put an entry in /etc/sudoers to permit this user to run a script, without giving a password, that adds an entry to /etc/hosts, and I have had to set the defaults !requiretty, visiblepw for the user in /etc/sudoers to make that work. So "-C sudo scriptname" is what is supposed to work, while plain "-C scriptname" should not work.

Today, when I went to reproduce the problem, I found that I had to give the illegal command twice before getting the "Could not open digest cache" message with failure of the legal command. Restarting fwknopd still clears the problem.

Extra, probably irrelevant, details: I have both REQUIRE_SOURCE_ADDRESS Y and REQUIRE_USERNAME someuser in the access.conf stanza that allows command execution.

Stephen Isard
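A minimal version of the sudo target script described in the message above, as an added example that is not from the thread or from the fwknop project: because the command string arrives in the SPA packet and the script runs as root under NOPASSWD, it validates both arguments before touching /etc/hosts and refuses duplicate entries. The user name "spauser", the script path and the sudoers lines in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from fwknop. Assumed names: SPA
# command user "spauser", script installed as /usr/local/sbin/add-host-entry,
# and these /etc/sudoers lines matching the setup described in the message:
#   Defaults:spauser !requiretty, visiblepw
#   spauser ALL=(root) NOPASSWD: /usr/local/sbin/add-host-entry
# fwknopd passes the SPA command string through unchanged, so a NOPASSWD
# target running as root must validate every argument itself.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# 0 if $1 is a plain hostname: letters, digits, dots and hyphens, no label
# starting or ending with a hyphen, no empty labels, at most 253 characters.
valid_hostname() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case "$1" in
        *[!A-Za-z0-9.-]*|-*|*-|*.-*|*-.*|.*|*.|*..*) return 1 ;;
    esac
}

# Append "ip<TAB>name" to HOSTS_FILE. Returns 0 on success, 2 on invalid
# input, 3 if the name is already present (no duplicate entries).
add_host_entry() {
    valid_ipv4 "$1" && valid_hostname "$2" || return 2
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the regex
    if grep -q -E "[[:space:]]${escaped}([[:space:]]|\$)" "$HOSTS_FILE" 2>/dev/null; then
        return 3
    fi
    printf '%s\t%s\n' "$1" "$2" >> "$HOSTS_FILE"
}
# sudo invokes the script with exactly two arguments; with none, only the
# functions above are defined, so the file can also be sourced.
if [ $# -eq 2 ]; then
    add_host_entry "$1" "$2"
elif [ $# -ne 0 ]; then
    echo "usage: $0 IPv4-address hostname" >&2
    exit 2
fi
```

Set HOSTS_FILE to a scratch path to exercise the script without root; anything not matching the two validators is rejected with status 2 before the file is opened.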