** Patch added: "lp1823051-eoan.debdiff" https://bugs.launchpad.net/ubuntu/+source/knockd/+bug/1823051/+attachment/5258212/+files/lp1823051-eoan.debdiff
** Description changed:

  [impact]

  any knockd configuration rules that call ufw fail because any ufw changes
  always update the ufw conf files in /etc/ufw/, but the knockd systemd
  service is started with ProtectSystem=full.

  [test case]

  on a bionic or later system install knockd, edit /etc/default/knockd to
  enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do
  something (e.g. ufw allow <SOME FIREWALL RULE>). trigger the rule by using
  'knock' to send the rule's knock sequence and observe /var/log/syslog to
  verify the knock sequence packets were received and the rule triggered.

  The log will show:

  Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable

  [regression potential]

- very low - this only gives knockd access to read/write files under
- /etc/ufw. Any regression would be around problems with ufw's firewall
- rules, or possibly problems with systemd starting knockd because of the
- new param in the service file.
+ low - this only gives knockd access to read/write files under /etc/

  [other info]

  the /etc/ufw/ permissions should be added to knockd's service file because
  the use case of knockd is almost always to modify the system's firewall
  after a successful knock sequence, either by directly calling iptables, or
  by calling ufw. Since iptables does not make any persistent changes, no
  extra filesystem access is needed; but ufw always makes persistent changes.

  Note also that it's possible someone might want to modify iptables and
  then also save the new iptables rules using netfilter-persistent, in
- which case knockd would also need r/w access to /etc/iptables/. This
- bug does not address that possible need.
+ which case knockd would also need r/w access to /etc/iptables/.
+
+ The fix of relaxing ProtectSystem down to 'true' instead of 'full'
+ addresses both use cases.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1823051

Title:
  knockd can't use ufw

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/knockd/+bug/1823051/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
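The interaction the bug describes, as an added example that is not part of the bug report or of the knockd package: a systemd drop-in for knockd.service that applies the same relaxation the fix makes (ProtectSystem=true instead of full), with the narrower alternative from the earlier version of the description (keeping ProtectSystem=full and granting write access only to the directories ufw and netfilter-persistent write to) shown commented out. The drop-in path is a hypothetical one chosen for illustration; ProtectSystem= and ReadWritePaths= are standard systemd service directives.

```ini
# /etc/systemd/system/knockd.service.d/override.conf
# Added example (hypothetical drop-in path), not the package's own unit file.
[Service]
# ProtectSystem=full mounts /usr, /boot and /etc read-only for the service,
# so a knockd command such as "ufw allow ..." fails with
# "ERROR: '/etc/ufw/user.rules' is not writable", as seen in the bug's log.
# ProtectSystem=true keeps /usr and /boot read-only but leaves /etc writable,
# which is what the fix does; it also covers netfilter-persistent writing
# to /etc/iptables/.
ProtectSystem=true

# Tighter alternative (the approach the first version of the fix took):
# keep /etc read-only as a whole and punch holes only where needed.
#ProtectSystem=full
#ReadWritePaths=/etc/ufw /etc/iptables
```

After writing the drop-in, run `systemctl daemon-reload` and `systemctl restart knockd`, then confirm the effective value with `systemctl show knockd -p ProtectSystem` before re-running the bug's test case. The ReadWritePaths= variant is the least-privilege choice if the only persistent writes knockd's commands make are ufw's and netfilter-persistent's; ProtectSystem=true is simpler and is what the SRU shipped.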
