[cmaster-next] Snapcraft_v2 branch ready for merge into stable/2.0

Martin Winter mwinter at opensourcerouting.org
Thu Dec 15 05:06:36 EST 2016 

David,

On 15 Dec 2016, at 0:41, David Lamparter wrote:

> Hm.  Some bits aren't quite nice yet...
>
>
> +++ b/vtysh/vtysh.h
> +       case OPTION_CONFDIR:
> +         /*
> +          * Overwrite location for vtysh.conf
> +          */
> ...
>
> This is a hard no-go.  vtysh.conf contains authentication-related
> options which can be used together with setting vtysh SGID to 
> quaggavty.
> E.g. you can set it up like this:
>
> ./configure --with-pam
>
> -rwx--s--x. root   quaggavty  /usr/bin/vtysh
> srwxrwx---. quagga quaggavty  /var/run/quagga/zebra.vty
>
> /etc/pam.d/quagga:
> auth   sufficient   pam_group.so group=netadmins
> auth   sufficient   pam_group.so group=sysadmins
> auth   required     pam_deny.so
>
> Now users that are in the "netadmins" or "sysadmins" group can use 
> vtysh
> to access zebra config.
>
> BUT.
>
> vtysh.conf has a "username XXX no-password" option which disables PAM.
>
> And, with your change, the user can supply their own vtysh.conf.  With 
> a
> line "username myuser no-password".  Now they can access zebra without
> being in either of these groups...
>
> ... Congratulations, you created a security issue :)

Crap.

Any suggestion on how to get this done? Location is unknown at compile 
time.

Only thought I have is to only allow the override if run as root?
Any better idea?

> (Bottom line: the file location of vtysh.conf can *never* be a command
> line option if vtysh is installed SGID or SUID.  You could try 
> checking
> if it is SGID/SUID and ignore the option.)
>
> (Note: I even recently updated the documentation on this, see
> doc/vtysh.texi.  It says "No security guarantees are made for this
> configuration", but still that doesn't mean we should break it 
> further.)
>
>
> +++ b/lib/privs.c
> ...
> -  if (zprivs_state.zgid)
> +  /* change gid only if we changed uid - otherwise skip */
> +  if ((zprivs_state.zgid) && (zprivs_state.zsuid != 
> zprivs_state.zuid))
> ...
> -  if (zprivs_state.zgid)
> +  /* change gid only if we changed uid - otherwise skip */
> +  if ((zprivs_state.zgid) && (zprivs_state.zsuid != 
> zprivs_state.zuid))
>
> Both of these won't do; if someone starts a daemon with "-u root", it
> should still apply its group settings.  Need a gid != current gid 
> check.

Ack.

>
> +++ b/ospfd/ospf_main.c
> ...
> +      snprintf(pidfile_temp, sizeof(pidfile_temp), "%s/ospfd-%d.pid", 
> pid_file, instance );
> +      strncpy(pid_file, pidfile_temp, sizeof(pid_file));
>
> strncpy is the wrong function to call (should be strlcpy), but it
> shouldn't even be there - just snprintf to pid_file directly.

Ack.

> Also, normally, socket path options on other daemons use full paths as
> arguments, not directory paths.  Can we rename it to --vty_socket_dir?

No problem.

- Martin


> On Sun, Dec 11, 2016 at 04:29:08AM -0800, Martin Winter wrote:
>> Got all the required changes from Renato and have now a branch
>> with all the Snapcraft parts ready for merge.
>> This includes code to modify the main Quagga and (in the snapcraft
>> subdir) all the needed files to build a snap.
>>
>> Doc / Package files will need one more round to adjust mainly for the
>> name (once we settle on something)
>>
>> Branch is  snapcraft_v2
>>
>> Main changes:
>>
>> - Snap packages are only allowed to write into their own mounted
>> container and the
>>    filenames are not known until the package is installed. There are 
>> now
>> new —vty_socket
>>    cli options to specify the location for the vty socket instead of
>> using the compile-time
>>    path. (Plus —ctl_socket for the extra LDP socket and 
>> —config_dir
>> for vtysh)
>>
>> - Snap packages can’t even read files outside their directories.
>> Getting the homedir
>>    from the password file isn’t possible. Using now HOME env 
>> variable
>> and only fall back
>>    to passed file if it doesn’t exits
>>
>> - Snap packages can’t SETUID or SETGID. They always run under root.
>> There is now a check
>>    for UID and GID and the change only happens if it’s not already
>> running under the
>>    requested User/Group
>>
>> - Martin
>>
>> _______________________________________________
>> cmaster-next mailing list
>> cmaster-next at lists.nox.tf
>> https://lists.nox.tf/listinfo/cmaster-next

More information about the dev mailing list