
List:       quagga-users
Subject:    [quagga-users 14290] Re: enable-vty-group not working anymore with latest release (1.0.20160315) ?
From:       Thomas Martin <tmartincpp () gmail ! com>
Date:       2016-04-13 8:08:09
Message-ID: CAO1iXZJtgA4SUkLrcvud4QzaER8tLSbLv9YadZAE8u+4SiQUyg () mail ! gmail ! com

Thanks Donald.

2016-04-08 18:37 GMT+02:00 Donald Sharp <sharpd@cumulusnetworks.com>:
> So the bug here imo, is that we should fail out and let the end-user know
> that the user quagga is not part of the quaggavty group and as such doesn't
> have permission to create the vty as asked.
>
> donald
>
> On Fri, Apr 8, 2016 at 10:57 AM, Thomas Martin <tmartincpp@gmail.com> wrote:
>>
>> (sorry for the triple post)
>>
>> The issue is related to ngroups which is initialized to 1 on line 749
>> (at least in my case) while it is initialized to 262144 on line 713 (
>> just after 'ngroups = sizeof(groups);' ).
>>
>> So, after some investigation, it seems that it was related to the line
>> 714:
>> if ( (ngroups = getgrouplist (zprivs->user, zprivs_state.zgid, groups,
>> &ngroups )) < 0 )
>>
>> which sets ngroups to 1.
>>
>>
>> So the issue is related to the system function getgrouplist and I
>> think that I understood why: on my system the quagga user is *not* in
>> the quaggavty group !
>>
>> If I add quagga to quaggavty ; it's working:
>> # /usr/lib/quagga/ospf6d -A ::1
>> # ls -l /var/run/quagga/*vty
>> srwxrwx--- 1 quagga quagga 0 Apr  8 16:48 /var/run/quagga/ospf6d.vty
>>
>> # adduser quagga quaggavty
>> Adding user `quagga' to group `quaggavty' ...
>> Adding user quagga to group quaggavty
>> Done.
>>
>> # /usr/lib/quagga/ospf6d -A ::1
>> # ls -l /var/run/quagga/*vty
>> srwxrwx--- 1 quagga quaggavty 0 Apr  8 16:48 /var/run/quagga/ospf6d.vty
>>
>>
>> So it seems that Quagga 1.0.20160315 needs the enable-user configured
>> to be in the vty-group configured to work because it is now using
>> getgrouplist.
>>
>>
>> (sorry if parts of my debug are obvious, as I said earlier I'm not
>> really familiar with C development)
>>
>>
>>
>> 2016-04-08 15:05 GMT+02:00 Thomas Martin <tmartincpp@gmail.com>:
>> > I compiled quagga 0.99.24.1 and 1.0.20160315 with the same parameters
>> > and on the same host; the group is correctly set with 0.99.24.1 but
>> > not on 1.0.20160315.
>> >
>> > Here is the ./configure used:
>> > ./configure --enable-exampledir=/usr/share/doc/quagga/examples/
>> > --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> > --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
>> > --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
>> > --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
>> > --enable-multipath=64 --enable-user=quagga --enable-group=quagga
>> > --enable-vty-group=quaggavty --enable-configfile-mask=0640
>> > --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
>> > --with-libpam
>> >
>> > My server is running Debian Jessie.
>> >
>> > Here is what I see running strace:
>> > - 0.99.24.1:
>> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = 0
>> > - 1.0.20160315:
>> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = -1 EPERM
>> > (Operation not permitted)
>> >
>> > Early on:
>> > - 0.99.24.1:
>> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 4
>> > lseek(4, 0, SEEK_CUR)                   = 0
>> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
>> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fdf0e423000
>> > lseek(4, 843, SEEK_SET)                 = 843
>> > munmap(0x7fdf0e423000, 843)             = 0
>> > close(4)                                = 0
>> > setgroups(1, [118])
>> >
>> > - 1.0.20160315:
>> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 4
>> > lseek(4, 0, SEEK_CUR)                   = 0
>> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
>> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fbdc2187000
>> > lseek(4, 843, SEEK_SET)                 = 843
>> > munmap(0x7fbdc2187000, 843)             = 0
>> > close(4)                                = 0
>> > setgroups(1, [1004])                    = 0
>> >
>> >
>> > 118 is quaggavty's group, 1004 is quagga's group.
>> >
>> >
>> > Here are the full traces:
>> > - 0.99.24.1: http://www.pastefile.com/W26wof
>> > - 1.0.20160915: http://www.pastefile.com/1kfxiG
>> >
>> >
>> > I'm looking at lib/privs.c now and will send an email if I find
>> > something (I'm not a developer so it could take me some time).
>> >
>> >
>> > 2016-04-08 10:20 GMT+02:00 Thomas Martin <tmartincpp@gmail.com>:
>> >> Hello Donald,
>> >>
>> >> Thanks for this confirmation; I will do more digging on my side.
>> >>
>> >> HAVE_GETGROUPLIST is set to 1; here are the files:
>> >> - config.h: http://www.pastefile.com/7PKksc
>> >> - config.log: http://www.pastefile.com/u6Z2DK
>> >>
>> >>
>> >> Thank you.
>> >>
>> >> Thomas
>> >>
>> >> 2016-04-07 13:46 GMT+02:00 Donald Sharp <sharpd@cumulusnetworks.com>:
>> >>> Thomas -
>> >>>
>> >>> It is working for me:
>> >>>
>> >>> root@Robot:/work/robot/sharpd/official# ls -altr /var/run/quagga
>> >>> total 16
>> >>> srwx------  1 quagga quagga       0 Mar 24 07:54 zserv.api
>> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 zebra.pid
>> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 zebra.vty
>> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 bgpd.vty
>> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 bgpd.pid
>> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 pimd.vty
>> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 pimd.pid
>> >>> -rw-r--r--  1 root   root         5 Mar 24 07:54 watchquagga.pid
>> >>> drwxr-xr-x  2 quagga quagga     200 Mar 24 07:54 .
>> >>> drwxr-xr-x 24 root   root      1060 Apr  6 22:01 ..
>> >>> root@Robot:/work/robot/sharpd/official# vtysh -c "show ver"
>> >>> Quagga 1.0.20160315 ().
>> >>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>> >>> configured with:
>> >>>     --build=x86_64-linux-gnu --prefix=/usr
>> >>> --includedir=${prefix}/include
>> >>> --mandir=${prefix}/share/man --infodir=${prefix}/share/info
>> >>> --sysconfdir=/etc --localstatedir=/var
>> >>> --libexecdir=${prefix}/lib/quagga
>> >>> --disable-maintainer-mode --enable-dependency-checking
>> >>> --enable-exampledir=/usr/share/doc/quagga/examples/
>> >>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> >>> --sysconfdir=/etc/quagga --enable-vtysh --enable-isisd
>> >>> --enable-watchquagga
>> >>> --enable-ospf-te --enable-opaque-lsa --enable-ipv6
>> >>> --enable-ospfclient=yes
>> >>> --enable-ospfapi=yes --enable-multipath=64 --enable-user=quagga
>> >>> --enable-group=quagga --enable-vty-group=quaggavty
>> >>> --enable-configfile-mask=0640 --enable-logfile-mask=0640
>> >>> --enable-rtadv
>> >>> --enable-werror --enable-gcc-rdynamic --with-libpam
>> >>> build_alias=x86_64-linux-gnu --no-create --no-recursion
>> >>> root@Robot:/work/robot/sharpd/official# ps -ef | grep quagga
>> >>> quagga    3553     1  0 Apr02 ?        00:00:10 /usr/lib/quagga/zebra
>> >>> --daemon -A 127.0.0.1
>> >>> quagga    3562     1  0 Apr02 ?        00:00:26 /usr/lib/quagga/bgpd
>> >>> --daemon -A 127.0.0.1
>> >>> quagga    3569     1  0 Apr02 ?        00:00:06 /usr/lib/quagga/pimd
>> >>> --daemon -A 127.0.0.1
>> >>> root      3576     1  0 Apr02 ?        00:00:23
>> >>> /usr/lib/quagga/watchquagga
>> >>> -adz -r /usr/sbin/servicebBquaggabBrestartbB%s -s
>> >>> /usr/sbin/servicebBquaggabBstartbB%s -k
>> >>> /usr/sbin/servicebBquaggabBstopbB%s
>> >>> -b bB -t 30 zebra bgpd pimd
>> >>> root      6307  6298  0 07:44 pts/1    00:00:00 grep quagga
>> >>> root@Robot:/work/robot/sharpd/official#
>> >>>
>> >>>
>> >>> What does your config.h have for HAVE_GETGROUPLIST?  Can you point us
>> >>> at
>> >>> your config.log and config.h files?
>> >>>
>> >>> Something strange has happened.
>> >>>
>> >>> donald
>> >>>
>> >>> On Thu, Apr 7, 2016 at 3:15 AM, Thomas Martin <tmartincpp@gmail.com>
>> >>> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> I'm having issues with enable-vty-group with Quagga 1.0.20160315 (all
>> >>>> daemons).
>> >>>>
>> >>>> I compiled it with "--enable-vty-group=quaggavty", as usual, but the
>> >>>> correct group is not set on vty:
>> >>>> # ls -l /var/run/quagga/*vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/bgpd.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/ospf6d.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/ospfd.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/zebra.vty
>> >>>>
>> >>>> I checked and the group quaggavty is correctly defined on my servers:
>> >>>> # grep quaggavty /etc/group
>> >>>> quaggavty:x:118:
>> >>>>
>> >>>>
>> >>>> Am I the only one to have this issue or am I missing something ?
>> >>>>
>> >>>> Please note that I didn't have this issue with Quagga 0.99.24.1 on the
>> >>>> same servers.
>> >>>>
>> >>>>
>> >>>> Thanks!
>> >>>>
>> >>>> FYI here is an "ospf6d -v":
>> >>>> # /usr/lib/quagga/ospf6d -v
>> >>>> ospf6d version 1.0.20160315
>> >>>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>> >>>> configured with:
>> >>>>     --build=x86_64-linux-gnu --prefix=/usr
>> >>>> --includedir=${prefix}/include --mandir=${prefix}/share/man
>> >>>> --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
>> >>>> --disable-silent-rules --libexecdir=${prefix}/lib/quagga
>> >>>> --disable-maintainer-mode --disable-dependency-tracking
>> >>>> --enable-exampledir=/usr/share/doc/quagga/examples/
>> >>>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> >>>> --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
>> >>>> --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
>> >>>> --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
>> >>>> --enable-multipath=64 --enable-user=quagga --enable-group=quagga
>> >>>> --enable-vty-group=quaggavty --enable-configfile-mask=0640
>> >>>> --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
>> >>>> --with-libpam CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> >>>> -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2
>> >>>> -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>> >>>> FCFLAGS=-g -O2 -fPIE -fstack-protector-strong FFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong GCJFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> >>>> OBJCFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> >>>> -Werror=format-security OBJCXXFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong -Wformat -Werror=format-security
>> >>>>
>> >>>> _______________________________________________
>> >>>> Quagga-users mailing list
>> >>>> Quagga-users@lists.quagga.net
>> >>>> https://lists.quagga.net/mailman/listinfo/quagga-users
>> >>>
>> >>>
>
>

_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
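
Added example (not part of the original thread and not Quagga's code): a start-up check of the kind suggested above, which uses getgrouplist() to confirm that the daemon user belongs to the vty group and reports an error instead of leaving the later chown() to fail with EPERM. The helper names check_vty_group and gid_in_list are hypothetical; the gids 1004 and 118 are the ones quoted in the thread.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes getgrouplist() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Return 1 if gid appears in list[0..n-1], else 0. */
static int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Hypothetical helper: 0 if `user` (primary group `gid`) is a member of
 * `vty_gid` and so may chown its vty socket to it after dropping
 * privileges, -1 if not (or on allocation failure). */
static int check_vty_group(const char *user, gid_t gid, gid_t vty_gid)
{
    int cap = 4;                 /* capacity in gid_t elements, not bytes */
    gid_t *groups = malloc(cap * sizeof(*groups));
    if (!groups)
        return -1;

    int n = cap;                 /* in: capacity, out: number of groups */
    if (getgrouplist(user, gid, groups, &n) < 0) {
        /* Buffer too small: n now holds the required element count. */
        gid_t *bigger = realloc(groups, n * sizeof(*groups));
        if (!bigger) { free(groups); return -1; }
        groups = bigger;
        if (getgrouplist(user, gid, groups, &n) < 0) { free(groups); return -1; }
    }

    int ok = gid_in_list(groups, n, vty_gid);
    if (!ok)
        fprintf(stderr, "user %s is not a member of vty group %lu; "
                "cannot set group on vty socket\n",
                user, (unsigned long)vty_gid);
    free(groups);
    return ok ? 0 : -1;
}

int main(void)
{
    /* Values from the thread: quagga's gid is 1004, quaggavty's is 118. */
    return check_vty_group("quagga", 1004, 118) == 0 ? 0 : 1;
}
```

The list returned by getgrouplist() always contains the primary gid passed in, which is why a user with no supplementary groups yields a count of 1, as seen in the thread.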