On Sat, Oct 8, 2016 at 12:49 PM, Stephen Isard <xkyr47r...@snkmail.com>
wrote:

> On Sat, 8 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
> ...
> > Ok, I'm having some trouble reproducing this. When using CMD_EXEC_USER,
> > fwknopd calls setuid() when executing a command on behalf of the user.
> > But, setuid() is called in a child process after fork(), and digest
> > operations are done in the parent. I assume you are running fwknopd as
> > root? Also, what mechanism are you using to place restrictions on what
> > types of commands the non-privileged user can execute? I tried passing a
> > command that the 'nobody' user cannot do (like 'cat /etc/shadow'), but this
> > results in a standard permissions error from the OS, and didn't affect
> > subsequent 'valid' commands. I may need some further details on how the
> > user is set up on your system, and the commands that you are passing from
> > the fwknop client.
>
> Yes, fwknopd is running as root.  I've started it from the script
> installed by the rpm in /etc/init.d.  The user has /bin/nologin as
> shell, no password and no home directory of its own.  I've put an entry
> in /etc/sudoers to permit this user to run a script, without giving a
> password, that adds an entry to /etc/hosts, and I have had to set the
> defaults !requiretty, visiblepw for the user in /etc/sudoers to make
> that work.
>
> So "-C sudo scriptname" is what is supposed to work, while plain "-C
> scriptname" should not work.  Today, when I went to reproduce the
> problem, I found that I had to give the illegal command twice before
> getting the "Could not open digest cache" message with failure of the
> legal command.  Restarting fwknopd still clears the problem.
>

Ok, a couple of additional thoughts - can you try setting a path for the
digest cache file that is outside of /var/run/? So, just add something like
this to the init script start line for fwknopd:

-d /root/fwknopd.cache

Is the problem reproducible with this path? Also, is SELinux deployed on
your system? If the problem is reproducible with /root/fwknopd.cache, then
can you temporarily disable SELinux to see if it is still reproducible?

Also, I've attached a small patch to fwknop-2.6.5 (which is an older
version) to get strerror() output for the log message you are seeing. This
would help determine the exact reason that fopen() is failing if you want
to apply it and recompile (let me know if you have any questions about
this). Also, I've applied this patch to git master, so if you want to try
the latest sources, this patch is already there.

Thanks,

--Mike



>
> Extra, probably irrelevant, details:  I have both REQUIRE_SOURCE_ADDRESS
> Y and REQUIRE_USERNAME someuser in the access.conf stanza that allows
> command execution.
>
> Stephen Isard
>
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F

Attachment: cache.patch
Description: Binary data
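
The message above proposes logging strerror() output when fopen() on the digest cache fails. The following is an added example, not part of the original post and not fwknopd's code or the attached patch: the helper name `diag_open_cache`, the log format, and the "a" open mode are assumptions. It records errno right after the failed fopen() and adds the effective uid/gid and the parent directory's owner and mode, which are the facts needed to tell a permissions problem from a missing path.

```c
/* Added illustration, not fwknopd source. diag_open_cache() and the log
 * format are hypothetical; the "a" open mode is an assumption (it creates
 * the file if it is absent and the directory is writable). */
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Try to open the cache file; on failure fill msg with the strerror() text,
 * the effective uid/gid, and the parent directory's owner and mode.
 * Returns 0 on success, otherwise the errno value from fopen(). */
int diag_open_cache(const char *path, char *msg, size_t msglen)
{
    FILE *fp = fopen(path, "a");
    if (fp != NULL) {
        fclose(fp);
        snprintf(msg, msglen, "opened %s", path);
        return 0;
    }
    int err = errno;   /* save at once: later libc calls may overwrite errno */

    int n = snprintf(msg, msglen,
                     "Could not open digest cache: %s: %s (euid=%ld egid=%ld)",
                     path, strerror(err), (long)geteuid(), (long)getegid());

    char dirbuf[4096];
    struct stat st;
    snprintf(dirbuf, sizeof(dirbuf), "%s", path);
    const char *dir = dirname(dirbuf);   /* dirname() may modify dirbuf */
    if (n > 0 && (size_t)n < msglen && stat(dir, &st) == 0)
        snprintf(msg + n, msglen - n, " dir=%s owner=%ld:%ld mode=%04o",
                 dir, (long)st.st_uid, (long)st.st_gid,
                 (unsigned)(st.st_mode & 07777));
    return err;
}

int main(int argc, char **argv)
{
    char msg[8192];
    /* Constructed default path; pass the real cache path as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/nonexistent-dir/fwknopd.cache";
    int rc = diag_open_cache(path, msg, sizeof(msg));
    puts(msg);
    return rc != 0;
}
```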
