(sorry for the triple post)

The issue is related to ngroups which is initialized to 1 on line 749 (at least in my case) while it is initialized to 262144 on line 713 (just after 'ngroups = sizeof(groups);').

So, after some investigation, it seems that it was related to line 714:

    if ( (ngroups = getgrouplist (zprivs->user, zprivs_state.zgid, groups, &ngroups )) < 0 )

which set ngroups to 1.

So the issue is related to the system function getgrouplist and I think that I understood why: on my system the quagga user is *not* in the quaggavty group! If I add quagga to quaggavty, it's working:

    # /usr/lib/quagga/ospf6d -A ::1
    # ls -l /var/run/quagga/*vty
    srwxrwx--- 1 quagga quagga 0 Apr 8 16:48 /var/run/quagga/ospf6d.vty
    # adduser quagga quaggavty
    Adding user `quagga' to group `quaggavty' ...
    Adding user quagga to group quaggavty
    Done.
    # /usr/lib/quagga/ospf6d -A ::1
    # ls -l /var/run/quagga/*vty
    srwxrwx--- 1 quagga quaggavty 0 Apr 8 16:48 /var/run/quagga/ospf6d.vty

So it seems that Quagga 1.0.20160315 needs the enable-user configured to be in the vty-group configured to work because it is now using getgrouplist.

(sorry if parts of my debug are obvious, as I said earlier I'm not really familiar with C development)

2016-04-08 15:05 GMT+02:00 Thomas Martin <[email protected]>:
> I compiled quagga 0.99.24.1 and 1.0.20160315 with the same parameters
> and on the same host; the group is correctly set with 0.99.24.1 but
> not on 1.0.20160315.
>
> Here is the ./configure used:
> ./configure --enable-exampledir=/usr/share/doc/quagga/examples/
> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
> --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
> --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
> --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
> --enable-multipath=64 --enable-user=quagga --enable-group=quagga
> --enable-vty-group=quaggavty --enable-configfile-mask=0640
> --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
> --with-libpam
>
> My server is running Debian Jessie.
>
> Here is what I see running strace:
> - 0.99.24.1:
> chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = 0
> - 1.0.20160315:
> chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = -1 EPERM (Operation not permitted)
>
> Early on:
> - 0.99.24.1:
> open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
> lseek(4, 0, SEEK_CUR) = 0
> fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
> mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fdf0e423000
> lseek(4, 843, SEEK_SET) = 843
> munmap(0x7fdf0e423000, 843) = 0
> close(4) = 0
> setgroups(1, [118])
>
> - 1.0.20160315:
> open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
> lseek(4, 0, SEEK_CUR) = 0
> fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
> mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fbdc2187000
> lseek(4, 843, SEEK_SET) = 843
> munmap(0x7fbdc2187000, 843) = 0
> close(4) = 0
> setgroups(1, [1004]) = 0
>
>
> 118 is quaggavty's group, 1004 is quagga's group.
>
>
> Here are the full traces:
> - 0.99.24.1: http://www.pastefile.com/W26wof
> - 1.0.20160915: http://www.pastefile.com/1kfxiG
>
>
> I'm looking at lib/privs.c now and will send an email if I find
> something (I'm not a developer so it could take me some time).
>
>
> 2016-04-08 10:20 GMT+02:00 Thomas Martin <[email protected]>:
>> Hello Donald,
>>
>> Thanks for this confirmation; I will do more digging on my side.
>>
>> HAVE_GETGROUPLIST is set to 1; here are the files:
>> - config.h: http://www.pastefile.com/7PKksc
>> - config.log: http://www.pastefile.com/u6Z2DK
>>
>>
>> Thank you.
>>
>> Thomas
>>
>> 2016-04-07 13:46 GMT+02:00 Donald Sharp <[email protected]>:
>>> Thomas -
>>>
>>> It is working for me:
>>>
>>> root@Robot:/work/robot/sharpd/official# ls -altr /var/run/quagga
>>> total 16
>>> srwx------ 1 quagga quagga 0 Mar 24 07:54 zserv.api
>>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 zebra.pid
>>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 zebra.vty
>>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 bgpd.vty
>>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 bgpd.pid
>>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 pimd.vty
>>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 pimd.pid
>>> -rw-r--r-- 1 root root 5 Mar 24 07:54 watchquagga.pid
>>> drwxr-xr-x 2 quagga quagga 200 Mar 24 07:54 .
>>> drwxr-xr-x 24 root root 1060 Apr 6 22:01 ..
>>> root@Robot:/work/robot/sharpd/official# vtysh -c "show ver"
>>> Quagga 1.0.20160315 ().
>>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>>> configured with:
>>> --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include
>>> --mandir=${prefix}/share/man --infodir=${prefix}/share/info
>>> --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/quagga
>>> --disable-maintainer-mode --enable-dependency-checking
>>> --enable-exampledir=/usr/share/doc/quagga/examples/
>>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>>> --sysconfdir=/etc/quagga --enable-vtysh --enable-isisd --enable-watchquagga
>>> --enable-ospf-te --enable-opaque-lsa --enable-ipv6 --enable-ospfclient=yes
>>> --enable-ospfapi=yes --enable-multipath=64 --enable-user=quagga
>>> --enable-group=quagga --enable-vty-group=quaggavty
>>> --enable-configfile-mask=0640 --enable-logfile-mask=0640 --enable-rtadv
>>> --enable-werror --enable-gcc-rdynamic --with-libpam
>>> build_alias=x86_64-linux-gnu --no-create --no-recursion
>>> root@Robot:/work/robot/sharpd/official# ps -ef | grep quagga
>>> quagga 3553 1 0 Apr02 ? 00:00:10 /usr/lib/quagga/zebra
>>> --daemon -A 127.0.0.1
>>> quagga 3562 1 0 Apr02 ? 00:00:26 /usr/lib/quagga/bgpd
>>> --daemon -A 127.0.0.1
>>> quagga 3569 1 0 Apr02 ? 00:00:06 /usr/lib/quagga/pimd
>>> --daemon -A 127.0.0.1
>>> root 3576 1 0 Apr02 ? 00:00:23 /usr/lib/quagga/watchquagga
>>> -adz -r /usr/sbin/servicebBquaggabBrestartbB%s -s
>>> /usr/sbin/servicebBquaggabBstartbB%s -k /usr/sbin/servicebBquaggabBstopbB%s
>>> -b bB -t 30 zebra bgpd pimd
>>> root 6307 6298 0 07:44 pts/1 00:00:00 grep quagga
>>> root@Robot:/work/robot/sharpd/official#
>>>
>>>
>>> What does your config.h have for HAVE_GETGROUPLIST? Can you point us at
>>> your config.log and config.h files?
>>>
>>> Something strange has happened.
>>>
>>> donald
>>>
>>> On Thu, Apr 7, 2016 at 3:15 AM, Thomas Martin <[email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm having issues with enable-vty-group with Quagga 1.0.20160315 (all
>>>> daemons).
>>>>
>>>> I compiled it with "--enable-vty-group=quaggavty", as usual, but the
>>>> correct group is not set on vty:
>>>> # ls -l /var/run/quagga/*vty
>>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/bgpd.vty
>>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/ospf6d.vty
>>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/ospfd.vty
>>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/zebra.vty
>>>>
>>>> I checked and the group quaggavty is correctly defined on my servers:
>>>> # grep quaggavty /etc/group
>>>> quaggavty:x:118:
>>>>
>>>>
>>>> Am I the only one to have this issue or am I missing something?
>>>>
>>>> Please note that I didn't have this issue with Quagga 0.99.24.1 on the
>>>> same servers.
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> FYI here is an "ospf6d -v":
>>>> # /usr/lib/quagga/ospf6d -v
>>>> ospf6d version 1.0.20160315
>>>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>>>> configured with:
>>>> --build=x86_64-linux-gnu --prefix=/usr
>>>> --includedir=${prefix}/include --mandir=${prefix}/share/man
>>>> --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
>>>> --disable-silent-rules --libexecdir=${prefix}/lib/quagga
>>>> --disable-maintainer-mode --disable-dependency-tracking
>>>> --enable-exampledir=/usr/share/doc/quagga/examples/
>>>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>>>> --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
>>>> --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
>>>> --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
>>>> --enable-multipath=64 --enable-user=quagga --enable-group=quagga
>>>> --enable-vty-group=quaggavty --enable-configfile-mask=0640
>>>> --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
>>>> --with-libpam CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>>>> -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2
>>>> -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>>>> FCFLAGS=-g -O2 -fPIE -fstack-protector-strong FFLAGS=-g -O2 -fPIE
>>>> -fstack-protector-strong GCJFLAGS=-g -O2 -fPIE
>>>> -fstack-protector-strong LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>>>> OBJCFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>>>> -Werror=format-security OBJCXXFLAGS=-g -O2 -fPIE
>>>> -fstack-protector-strong -Wformat -Werror=format-security
>>>>
>>>> _______________________________________________
>>>> Quagga-users mailing list
>>>> [email protected]
>>>> https://lists.quagga.net/mailman/listinfo/quagga-users
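
An added example, not part of the original message and not Quagga's lib/privs.c: a small C check for the condition reported at the top of this message, namely whether the list getgrouplist() builds for the daemon user contains the vty group's gid that the later chown() on the .vty socket asks for. The helper name gid_in_grouplist and the three command-line arguments are assumptions made for this example.

```c
#define _DEFAULT_SOURCE            /* exposes getgrouplist() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: 1 if `gid` is in the list getgrouplist() builds for
 * `user` with base group `base`, 0 if it is not, -1 on error. */
int gid_in_grouplist(const char *user, gid_t base, gid_t gid)
{
    int ngroups = 16;              /* capacity in gid_t elements, not bytes */
    gid_t *groups = malloc((size_t)ngroups * sizeof(*groups));
    if (groups == NULL)
        return -1;

    /* On a too-small buffer getgrouplist() returns -1 and stores the needed
     * element count in ngroups, so resize once and call it again. */
    if (getgrouplist(user, base, groups, &ngroups) < 0) {
        gid_t *bigger = realloc(groups, (size_t)ngroups * sizeof(*groups));
        if (bigger == NULL || getgrouplist(user, base, bigger, &ngroups) < 0) {
            free(bigger ? bigger : groups);
            return -1;
        }
        groups = bigger;
    }

    int found = 0;
    for (int i = 0; i < ngroups; i++)
        found |= (groups[i] == gid);
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s USER GROUP VTY_GROUP\n", argv[0]);
        return 2;
    }
    struct group *gr = getgrnam(argv[2]);
    if (gr == NULL) { fprintf(stderr, "unknown group %s\n", argv[2]); return 2; }
    gid_t base = gr->gr_gid;       /* copy: getgrnam() reuses a static buffer */
    gr = getgrnam(argv[3]);
    if (gr == NULL) { fprintf(stderr, "unknown group %s\n", argv[3]); return 2; }
    int in_list = gid_in_grouplist(argv[1], base, gr->gr_gid);
    printf("%s %s in the group list of %s\n", argv[3],
           in_list == 1 ? "is" : "is NOT", argv[1]);
    return in_list == 1 ? 0 : 1;
}
```

Run with the names from the ./configure line in the thread (`quagga quagga quaggavty`); a non-zero exit status corresponds to the case where the sockets stayed owned by quagga:quagga.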
