So the bug here, imo, is that we should fail out and let the end-user know
that the user quagga is not part of the quaggavty group and as such doesn't
have permission to create the vty as asked.

donald

On Fri, Apr 8, 2016 at 10:57 AM, Thomas Martin <[email protected]> wrote:

> (sorry for the triple post)
>
> The issue is related to ngroups which is initialized to 1 on line 749
> (at least in my case) while it is initialized to 262144 on line 713 (
> just after 'ngroups = sizeof(groups);' ).
>
> So, after some investigations, it seems that it was related to the line
> 714:
> if ( (ngroups = getgrouplist (zprivs->user, zprivs_state.zgid, groups,
> &ngroups )) < 0 )
>
> which set ngroups to 1.
>
>
> So the issue is related to the system function getgrouplist and I
> think that I understood why: on my system the quagga user is *not* in
> the quaggavty group !
>
> If I add quagga to quaggavty ; it's working:
> # /usr/lib/quagga/ospf6d -A ::1
> # ls -l /var/run/quagga/*vty
> srwxrwx--- 1 quagga quagga 0 Apr  8 16:48 /var/run/quagga/ospf6d.vty
>
> # adduser quagga quaggavty
> Adding user `quagga' to group `quaggavty' ...
> Adding user quagga to group quaggavty
> Done.
>
> # /usr/lib/quagga/ospf6d -A ::1
> # ls -l /var/run/quagga/*vty
> srwxrwx--- 1 quagga quaggavty 0 Apr  8 16:48 /var/run/quagga/ospf6d.vty
>
>
> So it seems that Quagga 1.0.20160315 needs the enable-user configured
> to be in the vty-group configured to work because it is now using
> getgrouplist.
>
>
> (sorry if parts of my debug are obvious, as I said earlier I'm not
> really familiar with C developments)
>
>
>
> 2016-04-08 15:05 GMT+02:00 Thomas Martin <[email protected]>:
> > I compiled quagga 0.99.24.1 and 1.0.20160315 with the same parameters
> > and on the same host; the group is correctly set with 0.99.24.1 but
> > not on 1.0.20160315.
> >
> > Here is the ./configure used:
> > ./configure --enable-exampledir=/usr/share/doc/quagga/examples/
> > --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
> > --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
> > --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
> > --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
> > --enable-multipath=64 --enable-user=quagga --enable-group=quagga
> > --enable-vty-group=quaggavty --enable-configfile-mask=0640
> > --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
> > --with-libpam
> >
> > My server is running Debian Jessie.
> >
> > Here is what I see running strace:
> > - 0.99.24.1:
> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = 0
> > - 1.0.20160315:
> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = -1 EPERM
> > (Operation not permitted)
> >
> > Early on:
> > - 0.99.24.1:
> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 4
> > lseek(4, 0, SEEK_CUR)                   = 0
> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fdf0e423000
> > lseek(4, 843, SEEK_SET)                 = 843
> > munmap(0x7fdf0e423000, 843)             = 0
> > close(4)                                = 0
> > setgroups(1, [118])
> >
> > - 1.0.20160315:
> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 4
> > lseek(4, 0, SEEK_CUR)                   = 0
> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fbdc2187000
> > lseek(4, 843, SEEK_SET)                 = 843
> > munmap(0x7fbdc2187000, 843)             = 0
> > close(4)                                = 0
> > setgroups(1, [1004])                    = 0
> >
> >
> > 118 is quaggavty's group, 1004 is quagga's group.
> >
> >
> > Here are the full traces:
> > - 0.99.24.1: http://www.pastefile.com/W26wof
> > - 1.0.20160915: http://www.pastefile.com/1kfxiG
> >
> >
> > I'm looking at lib/privs.c now and will send an email if I find
> > something (I'm not a developer so it could take me some time).
> >
> >
> > 2016-04-08 10:20 GMT+02:00 Thomas Martin <[email protected]>:
> >> Hello Donald,
> >>
> >> Thanks for this confirmation; I will do more digging on my side.
> >>
> >> HAVE_GETGROUPLIST is set to 1; here are the files:
> >> - config.h: http://www.pastefile.com/7PKksc
> >> - config.log: http://www.pastefile.com/u6Z2DK
> >>
> >>
> >> Thank you.
> >>
> >> Thomas
> >>
> >> 2016-04-07 13:46 GMT+02:00 Donald Sharp <[email protected]>:
> >>> Thomas -
> >>>
> >>> It is working for me:
> >>>
> >>> root@Robot:/work/robot/sharpd/official# ls -altr /var/run/quagga
> >>> total 16
> >>> srwx------  1 quagga quagga       0 Mar 24 07:54 zserv.api
> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 zebra.pid
> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 zebra.vty
> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 bgpd.vty
> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 bgpd.pid
> >>> srwxrwx---  1 quagga quaggavty    0 Mar 24 07:54 pimd.vty
> >>> -rw-r--r--  1 quagga quagga       5 Mar 24 07:54 pimd.pid
> >>> -rw-r--r--  1 root   root         5 Mar 24 07:54 watchquagga.pid
> >>> drwxr-xr-x  2 quagga quagga     200 Mar 24 07:54 .
> >>> drwxr-xr-x 24 root   root      1060 Apr  6 22:01 ..
> >>> root@Robot:/work/robot/sharpd/official# vtysh -c "show ver"
> >>> Quagga 1.0.20160315 ().
> >>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
> >>> configured with:
> >>>     --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include
> >>> --mandir=${prefix}/share/man --infodir=${prefix}/share/info
> >>> --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/quagga
> >>> --disable-maintainer-mode --enable-dependency-checking
> >>> --enable-exampledir=/usr/share/doc/quagga/examples/
> >>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
> >>> --sysconfdir=/etc/quagga --enable-vtysh --enable-isisd --enable-watchquagga
> >>> --enable-ospf-te --enable-opaque-lsa --enable-ipv6 --enable-ospfclient=yes
> >>> --enable-ospfapi=yes --enable-multipath=64 --enable-user=quagga
> >>> --enable-group=quagga --enable-vty-group=quaggavty
> >>> --enable-configfile-mask=0640 --enable-logfile-mask=0640 --enable-rtadv
> >>> --enable-werror --enable-gcc-rdynamic --with-libpam
> >>> build_alias=x86_64-linux-gnu --no-create --no-recursion
> >>> root@Robot:/work/robot/sharpd/official# ps -ef | grep quagga
> >>> quagga    3553     1  0 Apr02 ?        00:00:10 /usr/lib/quagga/zebra
> >>> --daemon -A 127.0.0.1
> >>> quagga    3562     1  0 Apr02 ?        00:00:26 /usr/lib/quagga/bgpd
> >>> --daemon -A 127.0.0.1
> >>> quagga    3569     1  0 Apr02 ?        00:00:06 /usr/lib/quagga/pimd
> >>> --daemon -A 127.0.0.1
> >>> root      3576     1  0 Apr02 ?        00:00:23 /usr/lib/quagga/watchquagga
> >>> -adz -r /usr/sbin/servicebBquaggabBrestartbB%s -s
> >>> /usr/sbin/servicebBquaggabBstartbB%s -k /usr/sbin/servicebBquaggabBstopbB%s
> >>> -b bB -t 30 zebra bgpd pimd
> >>> root      6307  6298  0 07:44 pts/1    00:00:00 grep quagga
> >>> root@Robot:/work/robot/sharpd/official#
> >>>
> >>>
> >>> What does your config.h have for HAVE_GETGROUPLIST?  Can you point us at
> >>> your config.log and config.h files?
> >>>
> >>> Something strange has happened.
> >>>
> >>> donald
> >>>
> >>> On Thu, Apr 7, 2016 at 3:15 AM, Thomas Martin <[email protected]> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> I'm having issues with enable-vty-group with Quagga 1.0.20160315 (all
> >>>> daemons).
> >>>>
> >>>> I compiled it with "--enable-vty-group=quaggavty", as usual, but the
> >>>> correct group is not set on vty:
> >>>> # ls -l /var/run/quagga/*vty
> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/bgpd.vty
> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/ospf6d.vty
> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/ospfd.vty
> >>>> srwxrwx--- 1 quagga quagga 0 Apr  7 09:08 /var/run/quagga/zebra.vty
> >>>>
> >>>> I checked and the group quaggavty is correctly defined on my servers:
> >>>> # grep quaggavty /etc/group
> >>>> quaggavty:x:118:
> >>>>
> >>>>
> >>>> Am I the only one to have this issue or am I missing something ?
> >>>>
> >>>> Please note that I didn't have this issue with Quagga 0.99.24.1 on the
> >>>> same servers.
> >>>>
> >>>>
> >>>> Thanks!
> >>>>
> >>>> FYI here is an "ospf6d -v":
> >>>> # /usr/lib/quagga/ospf6d -v
> >>>> ospf6d version 1.0.20160315
> >>>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
> >>>> configured with:
> >>>>     --build=x86_64-linux-gnu --prefix=/usr
> >>>> --includedir=${prefix}/include --mandir=${prefix}/share/man
> >>>> --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
> >>>> --disable-silent-rules --libexecdir=${prefix}/lib/quagga
> >>>> --disable-maintainer-mode --disable-dependency-tracking
> >>>> --enable-exampledir=/usr/share/doc/quagga/examples/
> >>>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
> >>>> --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
> >>>> --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
> >>>> --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
> >>>> --enable-multipath=64 --enable-user=quagga --enable-group=quagga
> >>>> --enable-vty-group=quaggavty --enable-configfile-mask=0640
> >>>> --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
> >>>> --with-libpam CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
> >>>> -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2
> >>>> -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> >>>> FCFLAGS=-g -O2 -fPIE -fstack-protector-strong FFLAGS=-g -O2 -fPIE
> >>>> -fstack-protector-strong GCJFLAGS=-g -O2 -fPIE
> >>>> -fstack-protector-strong LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
> >>>> OBJCFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
> >>>> -Werror=format-security OBJCXXFLAGS=-g -O2 -fPIE
> >>>> -fstack-protector-strong -Wformat -Werror=format-security
> >>>>
> >>>> _______________________________________________
> >>>> Quagga-users mailing list
> >>>> [email protected]
> >>>> https://lists.quagga.net/mailman/listinfo/quagga-users
> >>>
> >>>
>
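
The pre-start check proposed at the top of this thread, as an added example (not Quagga's lib/privs.c and not code from either poster): it asks getgrouplist() for the daemon user's groups and refuses to continue when the vty group is not among them, instead of letting the later chown() fail with EPERM. The helper names `gid_in_list` and `user_has_vty_group` are hypothetical; the default user and group names are the ones from the ./configure lines above.

```c
#define _DEFAULT_SOURCE               /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Pure membership test over a list of group ids. */
static int gid_in_list(const gid_t *list, int n, gid_t wanted)
{
    for (int i = 0; i < n; i++)
        if (list[i] == wanted)
            return 1;
    return 0;
}

/* 1 if `user` (primary group `gid`) is in `vty_gid`, 0 if not, -1 on error.
 * Note that ngroups counts array elements, not bytes. */
static int user_has_vty_group(const char *user, gid_t gid, gid_t vty_gid)
{
    int ngroups = 16;
    gid_t *groups = malloc(ngroups * sizeof(*groups));
    if (!groups)
        return -1;
    /* -1 means the array was too small; ngroups now holds the needed count. */
    if (getgrouplist(user, gid, groups, &ngroups) < 0) {
        gid_t *bigger = realloc(groups, ngroups * sizeof(*groups));
        if (!bigger || getgrouplist(user, gid, bigger, &ngroups) < 0) {
            free(bigger ? bigger : groups);
            return -1;
        }
        groups = bigger;
    }
    int found = gid_in_list(groups, ngroups, vty_gid);
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "quagga";     /* --enable-user */
    const char *vty = argc > 2 ? argv[2] : "quaggavty";   /* --enable-vty-group */
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(vty);
    if (!pw || !gr || user_has_vty_group(user, pw->pw_gid, gr->gr_gid) != 1) {
        fprintf(stderr, "refusing to start: user %s is unknown or not a "
                "member of vty group %s\n", user, vty);
        return 1;
    }
    return 0;
}
```

Run as root before starting the daemons; a non-zero exit corresponds to the state in which the vty socket ends up owned by the daemon's primary group.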