Public bug reported:

[impact]
any knockd configuration rules that call ufw fail, because any ufw change always updates the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.

[test case]
on a bionic or later system, install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>). trigger the rule by using 'knock' to send the rule's knock sequence, and observe /var/log/syslog to verify the knock sequence packets were received and the rule triggered. The log will show:

Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable

[regression potential]
very low - this only gives knockd access to read/write files under /etc/ufw. Any regression would be around problems with ufw's firewall rules, or possibly problems with systemd starting knockd because of the new param in the service file.

[other info]
the /etc/ufw/ permissions should be added to knockd's service file because the use case of knockd is almost always to modify the system's firewall after a successful knock sequence, either by directly calling iptables, or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed; but ufw always makes persistent changes.

Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-persistent, in which case knockd would also need r/w access to /etc/iptables/. This bug does not address that possible need.
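One way to check a unit's sandbox settings for the conflict described above, as an added example that is not from the bug report or the knockd package: a POSIX sh checker that reads a unit file plus its drop-ins and reports whether a path under /etc would be read-only, and a helper that writes a drop-in granting ReadWritePaths=/etc/ufw. The report only refers to "the new param"; this example assumes the fix uses the real systemd directive ReadWritePaths=, and the unit text, drop-in name and directories below are constructed.

```sh
#!/bin/sh
# Added example, not from the bug report or the knockd package.
# ProtectSystem=full mounts /etc read-only for the service; ReadWritePaths=
# (a real systemd directive) re-exposes listed paths read-write. The unit
# text, drop-in name and directories used below are constructed.

# path_writable PATH UNITFILE... -> returns 0 if PATH (under /etc) stays
# writable given the combined settings of the unit file and its drop-ins,
# 1 if ProtectSystem=full/strict would make it read-only. (An empty
# ReadWritePaths= line, which resets the list in systemd, is not modelled.)
path_writable() {
    want="$1"; shift
    # the last ProtectSystem= setting wins, as in systemd
    protect=$(cat "$@" | sed -n 's/^ProtectSystem=//p' | tail -n 1)
    case "$protect" in
        full|strict) ;;        # /etc is read-only in these modes
        *) return 0 ;;         # off/yes leave /etc writable
    esac
    # ReadWritePaths= may be repeated and space-separated; values merge
    for rw in $(cat "$@" | sed -n 's/^ReadWritePaths=//p'); do
        rw=${rw#[-+]}          # strip the optional "-" / "+" prefix
        case "$want" in "$rw"|"$rw"/*) return 0 ;; esac
    done
    return 1
}

# write_dropin DIR -> writes DIR/knockd.service.d/ufw.conf granting /etc/ufw.
# On a real system DIR would be /etc/systemd/system, followed by
# "systemctl daemon-reload && systemctl restart knockd".
write_dropin() {
    mkdir -p "$1/knockd.service.d"
    printf '[Service]\nReadWritePaths=/etc/ufw\n' > "$1/knockd.service.d/ufw.conf"
}

# Demo on a constructed unit file in a temporary directory.
demo_dir=$(mktemp -d)
printf '[Service]\nExecStart=/usr/sbin/knockd\nProtectSystem=full\n' \
    > "$demo_dir/knockd.service"
if path_writable /etc/ufw/user.rules "$demo_dir/knockd.service"; then
    echo "before: /etc/ufw/user.rules writable"
else
    echo "before: /etc/ufw/user.rules read-only (a ufw rule in knockd.conf fails)"
fi
write_dropin "$demo_dir"
if path_writable /etc/ufw/user.rules "$demo_dir/knockd.service" \
        "$demo_dir"/knockd.service.d/*.conf; then
    echo "after drop-in: /etc/ufw/user.rules writable"
fi
rm -rf "$demo_dir"
```

The checker deliberately reports /etc/iptables/ as still read-only after the drop-in, matching the report's note that a netfilter-persistent setup would need its own grant.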
** Affects: knockd (Ubuntu)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
     Status: In Progress

** Affects: knockd (Ubuntu Bionic)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
     Status: In Progress

** Affects: knockd (Ubuntu Cosmic)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
     Status: In Progress

** Affects: knockd (Ubuntu Disco)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
     Status: In Progress

** Affects: knockd (Ubuntu Ee-series)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
     Status: In Progress

** Also affects: knockd (Ubuntu Ee-series)
   Importance: Undecided
       Status: New

** Also affects: knockd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: knockd (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: knockd (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: knockd (Ubuntu Ee-series)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: knockd (Ubuntu Disco)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: knockd (Ubuntu Cosmic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: knockd (Ubuntu Bionic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: knockd (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: knockd (Ubuntu Cosmic)
   Importance: Undecided => Medium

** Changed in: knockd (Ubuntu Disco)
   Importance: Undecided => Medium

** Changed in: knockd (Ubuntu Ee-series)
   Importance: Undecided => Medium

** Changed in: knockd (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: knockd (Ubuntu Cosmic)
       Status: New => In Progress

** Changed in: knockd (Ubuntu Disco)
       Status: New => In Progress

** Changed in: knockd (Ubuntu Ee-series)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1823051

Title:
  knockd can't use ufw

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/knockd/+bug/1823051/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs