Re: SOLVED? Re: 4.0 - 4.1 broke ipsec
On Fri, Sep 28, 2007 at 07:02:28AM +0200, Otto Moerbeek wrote:
> On Thu, 27 Sep 2007, Brian A. Seklecki wrote:
> > > Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.
> >
> > WHAT?!?!?! What the heck kind of security-minded sanity check would fail based on the underlying VFS? Did you eventually get a PR open on this?
>
> This has to do with a bug in isakmpd, where scanning a dir could skip files. The bug could only be triggered on nfs mounts.

pr 5557 has been fixed in isakmpd/monitor.c rev 1.70

d_type is not passed over NFS, unless you mount with readdir+
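The failure mode named in this message (a directory scan that depends on d_type, which is not passed over NFS), as an added C illustration; it is not isakmpd's code or the committed fix. The names is_regular, count_certs and make_sample_dir, and the force_unknown switch that stands in for the NFS mount, are assumptions made for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose d_type and the DT_* values */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* trust_dtype=1: fragile check, believes d_type even when it is DT_UNKNOWN.
 * trust_dtype=0: falls back to fstatat() when the type is unknown. */
static int is_regular(int dfd, const char *name, unsigned char t, int trust_dtype)
{
    struct stat sb;
    if (t != DT_UNKNOWN || trust_dtype)
        return t == DT_REG;      /* type known, or fragile path gives up */
    return fstatat(dfd, name, &sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISREG(sb.st_mode);
}

/* Count regular files in path. force_unknown simulates a mount that leaves
 * d_type unset (constructed stand-in for the NFS case in the thread). */
int count_certs(const char *path, int force_unknown, int trust_dtype)
{
    DIR *d = opendir(path);
    struct dirent *e;
    int n = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        n += is_regular(dirfd(d), e->d_name,
            force_unknown ? DT_UNKNOWN : e->d_type, trust_dtype);
    closedir(d);
    return n;
}

/* Constructed sample: two empty "certificate" files and one subdirectory.
 * tmpl must be a writable mkdtemp() template ending in XXXXXX. */
int make_sample_dir(char *tmpl)
{
    int dfd, a, b, rc;
    if (mkdtemp(tmpl) == NULL || (dfd = open(tmpl, O_RDONLY)) == -1)
        return -1;
    a = openat(dfd, "ca.crt", O_CREAT | O_WRONLY, 0600);
    b = openat(dfd, "peer.crt", O_CREAT | O_WRONLY, 0600);
    rc = mkdirat(dfd, "crls", 0700);
    close(a); close(b); close(dfd);
    return (a == -1 || b == -1 || rc == -1) ? -1 : 0;
}
```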
Re: SOLVED? Re: 4.0 - 4.1 broke ipsec
> Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.

WHAT?!?!?! What the heck kind of security-minded sanity check would fail based on the underlying VFS? Did you eventually get a PR open on this?

~BAS

> This runs just fine, except for isakmpd: It silently does not read any certificates from an NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.
>
> Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.
>
> Regards, Heinrich
Re: SOLVED? Re: 4.0 - 4.1 broke ipsec
On Thu, 27 Sep 2007, Brian A. Seklecki wrote:
> > Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.
>
> WHAT?!?!?! What the heck kind of security-minded sanity check would fail based on the underlying VFS? Did you eventually get a PR open on this?

This has to do with a bug in isakmpd, where scanning a dir could skip files. The bug could only be triggered on nfs mounts.

-Otto

> ~BAS
>
> > This runs just fine, except for isakmpd: It silently does not read any certificates from an NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.
> >
> > Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.
> >
> > Regards, Heinrich