
List:       quagga-users
Subject:    [quagga-users 9711]  quagga (vtysh) and grsec
From:       Jonathan Fournier <jonathan.fournier () windriver ! com>
Date:       2008-07-14 21:18:55
Message-ID: 1216070335.21575.16.camel () yow-jfournie-d1 ! ottawa ! windriver ! com

Hi,

I was wondering if someone ran into a similar issue before.

I'm running the zebra daemon under the user "quagga:quagga", starting
vtysh (PAM auth enabled), I edit the running-config, and then try to
issue the "write" command.

I then get a grsec error complaining about link creation:

localhost# write
Building Configuration...
Can't save configuration file /etc/quagga/zebra.conf.
[OK]
localhost# Jul 11 19:59:50 localhost kernel: grsec: From 128.224.146.14:
denied hardlink of /etc/quagga/zebra.conf.ajkfKp (owned by 0.0)
to /etc/quagga/zebra.conf for /usr/sbin/zebra[zebra:8463] uid/euid:92/92
gid/egid:92/92, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 11 19:59:50 localhost kernel: grsec: From 128.224.146.14: denied
hardlink of /etc/quagga/zebra.conf.ajkfKp (owned by 0.0)
to /etc/quagga/zebra.conf for /usr/sbin/zebra[zebra:8463] uid/euid:92/92
gid/egid:92/92, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

The file /etc/quagga/zebra.conf.ajkfKp got created by mkstemp() in
lib/command.c (DEFUN (config_write_file, config_write_file_cmd, ...)

This code then fails:

  if (link (config_file_tmp, config_file) != 0)
    {
      vty_out (vty, "Can't save configuration file %s.%s", config_file,
          VTY_NEWLINE);
      goto finished;
    }

From "man mkstemp": The file is created with mode read/write and
permissions 0666 (glibc 2.0.6 and earlier), 0600 (glibc 2.0.7 and
later).

Why is that file owned by root:root even if the vtysh client and zebra
daemon are not running as root? (init, the parent process, is running as
root...)

Cheers,

/jonathan

_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
http://lists.quagga.net/mailman/listinfo/quagga-users
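The save sequence the post describes, as an added example that is not Quagga's code and not the lib/command.c routine itself: a config is written to a mkstemp() file next to the target, then published with link(), the call the grsec log line denies, and the temp name is removed. The same function can instead publish with rename(), which is an alternative introduced here for comparison, not something the post or the project proposes: it replaces the target atomically and creates no second hardlink. file_owner() reports the ownership the post is asking about, the value the kernel log prints as "(owned by 0.0)". The directory under /tmp, the function names and the sample configuration text are all constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner uid of `path` as reported by stat(), or -1 with errno set. */
long file_owner(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_uid : -1;
}

/* Create "<path>.XXXXXX" beside `path` with mkstemp() and write `data` to it.
 * mkstemp() gives 0600 on glibc >= 2.0.7 (the text the post quotes) and the
 * file is owned by this process's effective uid.  Returns 0 with the name
 * left in `tmp`, or -1 with errno set and the temp file removed. */
static int write_temp(const char *path, const char *data, char *tmp, size_t tmplen)
{
    size_t off = 0, len = strlen(data);
    int fd, saved;

    if (snprintf(tmp, tmplen, "%s.XXXXXX", path) >= (int)tmplen || (fd = mkstemp(tmp)) < 0)
        return -1;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        off += (size_t)n;
    }
    if (off == len && fsync(fd) == 0 && close(fd) == 0)
        return 0;
    saved = errno;
    close(fd);                         /* harmless EBADF if already closed */
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Publish the temp file as `path`.  use_link=1 mirrors the snippet quoted
 * from lib/command.c: link() refuses an existing target (EEXIST), so the old
 * file is unlinked first.  use_link=0 uses rename() instead (atomic, no
 * second link).  The temp name is removed either way.  0 or -1 (errno set). */
int save_config(const char *path, const char *data, int use_link)
{
    char tmp[PATH_MAX];
    int rc = -1, saved;

    if (write_temp(path, data, tmp, sizeof tmp) != 0)
        return -1;
    if (!use_link)
        rc = rename(tmp, path);
    else if (unlink(path) == 0 || errno == ENOENT)
        rc = link(tmp, path);          /* the call the grsec log line denies */
    saved = errno;
    unlink(tmp);                       /* ENOENT after a successful rename */
    errno = saved;
    return rc;
}

/* 1 if `path` holds exactly `expected`, else 0. */
static int same_contents(const char *path, const char *expected)
{
    char buf[256];
    size_t n = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[n] = '\0';
    return f != NULL && strcmp(buf, expected) == 0;
}

/* Run both variants in a fresh directory under /tmp (constructed sample
 * configs).  0 when both round-trip and the result is owned by the calling
 * euid, otherwise a negative step number. */
int run_demo(void)
{
    char dir[] = "/tmp/cfgdemo.XXXXXX", path[PATH_MAX];
    const char *cfg1 = "!\nhostname localhost\n!\n";
    const char *cfg2 = "!\nhostname router1\n!\n";
    int rc;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/zebra.conf", dir);
    if (save_config(path, cfg1, 1) != 0 || !same_contents(path, cfg1))
        rc = -2;                       /* link() path, as in the post */
    else if (save_config(path, cfg2, 0) != 0 || !same_contents(path, cfg2))
        rc = -3;                       /* rename() over the existing file */
    else if (file_owner(path) != (long)geteuid())
        rc = -4;                       /* the ownership the post asks about */
    else
        rc = 0;
    unlink(path);
    rmdir(dir);
    return rc;
}
```

On a host without the grsec link restriction run_demo() returns 0 and the saved file is owned by the effective uid that called mkstemp(); when save_config(path, data, 1) fails, errno and file_owner() on the ".XXXXXX" temp name (before it is unlinked) are the two values to compare against the uid/euid and "(owned by ...)" fields in the kernel log line. Note that the link() variant leaves a window between unlink(path) and link() in which the configuration file does not exist, which the rename() variant does not have.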