On Sun, Oct 9, 2016 at 8:03 PM, Stephen Isard <xkyr47r...@snkmail.com>
wrote:

> On Sun, 9 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
> ...
> > Ok, a couple of additional thoughts - can you try setting a path for the
> > digest cache file that is outside of /var/run/? So, just add something
> > like this to the init script start line for fwknopd:
> >
> > -d /root/fwknopd.cache
> >
> > Is the problem reproducible with this path? Also, is SELinux deployed on
> > your system? If the problem is reproducible with /root/fwknopd.cache,
> > then can you temporarily disable SELinux to see if it is still
> > reproducible?
>
> Neither changing the cache location nor disabling selinux makes any
> difference, either separately or together.
>

Understood, thanks for running that test.


>
> > Also, I've attached a small patch to fwknop-2.6.5 (which is an older
> > version) to get strerror() output for the log message you are seeing.
> > This would help determine the exact reason that fopen() is failing if
> > you want to apply it and recompile (let me know if you have any
> > questions about this). Also, I've applied this patch to git master, so
> > if you want to try the latest sources, this patch is already there.
>
> Right, I've downloaded, untarred and patched fwknop-2.6.5.tar.bz2.  (I
> downloaded fwknop-master.zip, but had trouble when I tried to configure
> it.)
>
> Running the fwknopd that I get, I've noticed two odd things:
> 1) A successful command produces a log entry
> [127.0.0.1] (stanza #2) CMD_EXEC: command returned 0, pid_status: 2
> while an unsuccessful one gives
> [127.0.0.1] (stanza #2) CMD_EXEC: command returned 0, pid_status: 0
>
> 2) After the unsuccessful command, I have two fwknopd processes running,
> where I only had one before.  And I think that may account for the error
> messages saying (with line folded for readability)
> Could not open digest cache: /usr/local/var/run/fwknop/digest.cache:
> Permission denied
> that I get on subsequent tries, because the
> /usr/local/var/run/fwknop/fwknopd.pid file still has the pid of the
> original process, not the new one.
>

Ok, that is useful information. It sounds like fwknopd is not exiting after
calling fork() when running the command. Is it possible that the script you
are running is getting held up on something? Like expecting a password via
sudo or something like this?

By default, under autoconf, fwknopd looks for execvpe() and uses it to
execute all sub-commands so that it doesn't have to use the shell
environment. But, if execvpe() is not available for some strange reason, it
punts and just uses system() for this. If system() is used, then the child
doesn't call exit() until after system(), so if the command that is
executed is really long running, then there would be two fwknopd processes
along with the command that is being executed. On the other hand, if
execvpe() is used, then there should only be one fwknopd process even if
the command hangs. At least, this is what appears to happen during my
testing.

If you run fwknopd in the foreground in --verbose --verbose mode, then it
should produce output that shows which style of execution is being used.
For example - this is for the system() type of execution:

# fwknopd -i lo --foreground --verbose --verbose

[127.0.0.1] (stanza #1) setuid/setgid user/group to nobody/nobody
(UID=65534,GID=65534) before running command.

run_extcmd() (without execvpe()): running CMD: /tmp/test.sh

run_extcmd(): returning 0, pid_status: 0

[127.0.0.1] (stanza #1) CMD_EXEC: command returned 0, pid_status: 0

Thanks,

--Mike




>
> Stephen Isard
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
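An added example, not fwknop's own code, illustrating the two execution styles Mike describes above: a forked child that replaces itself via exec (so no second copy of the daemon lingers even if the command hangs), next to a forked child that hands the command to system() and therefore stays a full daemon copy until the command finishes. The function name run_extcmd(), the STYLE_* names and the sample commands are assumptions made here for illustration; execvp() is used in place of execvpe() so it builds on plain POSIX. The raw waitpid() status is exposed because it is the value fwknopd prints as pid_status.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical names for the two execution styles discussed in the thread. */
enum exec_style { STYLE_EXEC, STYLE_SYSTEM };

/* Fork and run argv[0] (searched via PATH). Returns the command's exit status
 * (0..255), 127 if the command could not be started, or -1 if fork()/waitpid()
 * failed or the child died from a signal. If raw_status is non-NULL the raw
 * waitpid() status is stored there (what fwknopd logs as "pid_status"). */
int run_extcmd(char *const argv[], enum exec_style style, int *raw_status)
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return -1;
    }

    if (pid == 0) {                              /* child */
        if (style == STYLE_EXEC) {
            /* exec replaces the child's image: the second daemon copy is gone
             * immediately, even if the command later hangs. _exit() avoids
             * flushing stdio buffers inherited from the parent a second time. */
            execvp(argv[0], argv);
            perror("execvp");                    /* only reached if exec failed */
            _exit(127);
        }

        /* system() style: join argv into one string and hand it to /bin/sh.
         * The child remains a full copy of the daemon until system() returns,
         * so a long-running command shows up as a second daemon process.
         * Nothing is quoted here, so shell metacharacters in argv would be
         * interpreted by /bin/sh; that is why the exec path is preferable. */
        char cmd[4096] = "";
        for (int i = 0; argv[i] != NULL; i++) {
            if (i > 0)
                strncat(cmd, " ", sizeof(cmd) - strlen(cmd) - 1);
            strncat(cmd, argv[i], sizeof(cmd) - strlen(cmd) - 1);
        }
        int rc = system(cmd);
        _exit(rc == -1 ? 127 : WEXITSTATUS(rc));
    }

    int status = 0;                              /* parent */
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    if (raw_status != NULL)
        *raw_status = status;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample commands: one that exits 3, one that does not exist. */
    char *const exit3[]   = { "/bin/sh", "-c", "exit 3", NULL };
    char *const missing[] = { "/nonexistent/command", NULL };
    int raw = 0;

    printf("exec style, 'exit 3'    -> returned %d, pid_status: %d\n",
           run_extcmd(exit3, STYLE_EXEC, &raw), raw);
    printf("exec style, missing cmd -> returned %d\n",
           run_extcmd(missing, STYLE_EXEC, NULL));
    printf("system style, 'false'   -> returned %d\n",
           run_extcmd((char *const[]){ "false", NULL }, STYLE_SYSTEM, NULL));
    return 0;
}
```

Running it under ps while the sample command is replaced by something that sleeps makes the difference visible: with STYLE_EXEC only one copy of the program remains alongside the command, while with STYLE_SYSTEM a second copy stays until system() returns, matching the two-fwknopd-processes symptom described in the thread.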
