On Sun, Oct 9, 2016 at 10:34 PM, Stephen Isard <xkyr47r...@snkmail.com>
wrote:
> On Sun, 9 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
> ...
> > Ok, that is useful information. It sounds like fwknopd is not exiting
> after
> > calling fork() when running the command. Is it possible that the script
> you
> > are running is getting held up on something? Like expecting a password
> via
> > sudo or something like this?
>
> Maybe something on those lines, but I don't think that either the script
> or sudo is involved. I'm not calling sudo for the "bad" command, and the
> user doesn't have permission to run the script without sudo. If I run
> sudo -u fakeuser testscript
> either as myself or as root, I get
> sudo: unable to execute testscript: Permission denied
> so I imagine that that is essentially what happens when fwknopd tries to
> run the script. The script is in /usr/sbin, owned by root.root, with
> permissions 0500.
>
Ah, that helps - I have the problem reproduced now. I'll have a fix at some
point tonight.
Thanks,
--Mike
>
> > By default, under autoconf, fwknopd looks for execvpe() and uses it to
> > execute all sub-commands so that it doesn't have to use the shell
> > environment. But, if execvpe() is not available for some strange reason,
> it
> > punts and just uses system() for this. If system() is used, then the
> child
> > doesn't call exit() until after system(), so if the command that is
> > executed is really long running, then there would be two fwknopd
> processes
> > along with the command that is being executed. On the other hand, if
> > execvpe() is used, then there should only be one fwknopd process even if
> > the command hangs. At least, this is what appears to happen during my
> > testing.
> >
> > If you run fwknopd in the foreground in --verbose --verbose mode, then it
> > should produce output that shows which style of execution is being used.
> > For example - this is for the system() type of execution:
> >
> > # fwknopd -i lo --foreground --verbose --verbose
> >
> > [127.0.0.1] (stanza #1) setuid/setgid user/group to nobody/nobody
> > (UID=65534,GID=65534) before running command.
> >
> > run_extcmd() (without execvpe()): running CMD: /tmp/test.sh
> >
> > run_extcmd(): returning 0, pid_status: 0
> >
> > [127.0.0.1] (stanza #1) CMD_EXEC: command returned 0, pid_status: 0
>
> With the illegal command I get
>
> [127.0.0.1] (stanza #2) setuid/setgid user/group to fakeuser/fakeuser
> (UID=495,GID=490) before running command.
> [+] add_argv() + arg: testscript
> run_extcmd() (with execvpe()): running CMD: testscript
> run_extcmd(): returning 0, pid_status: 0
> [127.0.0.1] (stanza #2) CMD_EXEC: command returned 0, pid_status: 0
>
> and then have two fwknopd processes.
>
> By the way, ignore the pid_status 2 for the successful command that I
> reported in the previous message. That was a byproduct of the fact that
> the patched fwknop installed itself under /usr/local. I've made a
> correction and now get pid_status 0 when the command succeeds.
>
> Stephen Isard
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
