On Mon, Oct 10, 2016 at 10:39 AM, Stephen Isard <xkyr47r...@snkmail.com> wrote:
> On Mon, 10 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
>
>> On Sun, Oct 9, 2016 at 10:34 PM, Stephen Isard <xkyr47r...@snkmail.com> wrote:
>>
>>> On Sun, 9 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
>>> ...
>>>> Ok, that is useful information. It sounds like fwknopd is not exiting after
>>>> calling fork() when running the command. Is it possible that the script you
>>>> are running is getting held up on something? Like expecting a password via
>>>> sudo or something like this?
>
> You are probably onto this already, but I followed up your suggestion by
> putting fwknopd in the foreground and running
>
> fwknop -n testcommand -a 127.0.0.1 -C cat
>
> I get
>
> [127.0.0.1] (stanza #2) Processing SPA Command message: command='cat'.
> [127.0.0.1] (stanza #2) setuid/setgid user/group to fakeuser/fakeuser (UID=495,GID=490) before running command.
> [+] add_argv() + arg: cat
> run_extcmd() (with execvpe()): running CMD: cat
>
> fwknopd then just hangs and there is no further output in response
> to any fwknop commands of any sort.
>
> This might be an argument in favor of making ENABLE_CMD_SUDO_EXEC and
> friends mandatory, or at least the default, so that the server can be
> configured to restrict the commands that the user can attempt. (The
> epel repository that supplies fwknop for RHEL/Centos/SL 6 is still on
> fwknop 2.6.5, and ENABLE_CMD_SUDO_EXEC isn't available in that version,
> but they will probably catch up eventually.)

I've attached a patch against 2.6.5 that fixes the problem. It was a bug where exit() was not being called upon an execvpe() error. This caused an extra copy of fwknopd to be left around. This has been pushed to master, and is a fairly important fix I think - thanks for reporting this.

> I've seen a reference to CMD_REGEX in an ubuntu man page on
> the web for fwknop-server_1.9.12-3, but it appears to have dropped out
> of more recent versions.
> That would have the advantage of keeping all
> configuration within fwknop(d) itself, rather than spreading some of it
> to /etc/sudoers.

The CMD_REGEX feature was from the old perl version of fwknop, and was easy because regexes are naturally built into perl. But, in the C version of fwknop, one important design goal is to minimize library dependencies, so there would need to be compelling reasons to link against libpcre. I think a good middle ground here would be to just require a substring match at the beginning of what the user provides via a SPA packet - just to validate the full path of whatever command is being sent. This could be used to require sudo, etc.

Thanks,

--Mike

>
> Stephen Isard
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
execvpe.patch
Description: Binary data
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Fwknop-discuss mailing list Fwknop-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
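The two points raised in the thread, the child process that must terminate when execvpe() fails and the proposed "substring match at the beginning" of the SPA command, as an added C example that is not fwknop's own code nor the attached patch. The function names run_extcmd() and cmd_prefix_ok(), the required_prefix argument and the use of _exit(127) are assumptions of this example; the real daemon's handling differs in detail.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* execvpe() is a GNU extension */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;
/* explicit prototype in case the feature macro was set too late for unistd.h */
extern int execvpe(const char *file, char *const argv[], char *const envp[]);

/* Hypothetical check in the spirit of the "substring match at the beginning"
 * idea: the command carried in the SPA packet must start with the configured
 * prefix (for example "/usr/bin/sudo "); an empty prefix means no restriction. */
int cmd_prefix_ok(const char *cmd, const char *required_prefix)
{
    if (required_prefix == NULL || *required_prefix == '\0')
        return 1;
    return strncmp(cmd, required_prefix, strlen(required_prefix)) == 0;
}

/* fork() and exec argv[]; the parent waits and returns the child's exit
 * status (127 if exec itself failed, -1 on fork/wait error or a signal). */
int run_extcmd(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvpe(argv[0], argv, environ);   /* on success this never returns */
        /* exec failed. Without this call the child would return from here and
         * go on running the caller's code as a second copy of the daemon,
         * which is the 2.6.5 bug; _exit() also avoids flushing the parent's
         * stdio buffers a second time. */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    printf("prefix ok: %d\n", cmd_prefix_ok("/usr/bin/sudo -n /bin/true", "/usr/bin/sudo "));
    printf("exit status: %d\n", run_extcmd(argv));
    return 0;
}
```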