Thanks Donald.

2016-04-08 18:37 GMT+02:00 Donald Sharp <[email protected]>:
> So the bug here imo, is that we should fail out and let the end-user know
> that the user quagga is not part of the quaggavty group and as such don't
> have permission to create the vty as asked.
>
> donald
>
> On Fri, Apr 8, 2016 at 10:57 AM, Thomas Martin <[email protected]> wrote:
>>
>> (sorry for the triple post)
>>
>> The issue is related to ngroups which is initialized to 1 on line 749
>> (at least in my case) while it is initialized to 262144 on line 713 (
>> just after 'ngroups = sizeof(groups);' ).
>>
>> So, after some investigations, it seems that it was related to the line
>> 714:
>> if ( (ngroups = getgrouplist (zprivs->user, zprivs_state.zgid, groups,
>> &ngroups )) < 0 )
>>
>> which set ngroups to 1.
>>
>>
>> So the issue is related to the system function getgrouplist and I
>> think that I understood why: on my system the quagga user is *not* in
>> the quaggavty group !
>>
>> If I add quagga to quaggavty ; it's working:
>> # /usr/lib/quagga/ospf6d -A ::1
>> # ls -l /var/run/quagga/*vty
>> srwxrwx--- 1 quagga quagga 0 Apr 8 16:48 /var/run/quagga/ospf6d.vty
>>
>> # adduser quagga quaggavty
>> Adding user `quagga' to group `quaggavty' ...
>> Adding user quagga to group quaggavty
>> Done.
>>
>> # /usr/lib/quagga/ospf6d -A ::1
>> # ls -l /var/run/quagga/*vty
>> srwxrwx--- 1 quagga quaggavty 0 Apr 8 16:48 /var/run/quagga/ospf6d.vty
>>
>>
>> So it seems that Quagga 1.0.20160315 needs the enable-user configured
>> to be in the vty-group configured to work because it is now using
>> getgrouplist.
>>
>>
>> (sorry if parts of my debug are obvious, as I said earlier I'm not
>> really familiar with C developments)
>>
>>
>>
>> 2016-04-08 15:05 GMT+02:00 Thomas Martin <[email protected]>:
>> > I compiled quagga 0.99.24.1 and 1.0.20160315 with the same parameters
>> > and on the same host; the group is correctly set with 0.99.24.1 but
>> > not on 1.0.20160315.
>> >
>> > Here is the ./configure used:
>> > ./configure --enable-exampledir=/usr/share/doc/quagga/examples/
>> > --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> > --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
>> > --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
>> > --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
>> > --enable-multipath=64 --enable-user=quagga --enable-group=quagga
>> > --enable-vty-group=quaggavty --enable-configfile-mask=0640
>> > --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
>> > --with-libpam
>> >
>> > My server is running Debian Jessie.
>> >
>> > Here is what I see running strace:
>> > - 0.99.24.1:
>> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = 0
>> > - 1.0.20160315:
>> > chown("/var/run/quagga/ospf6d.vty", 4294967295, 118) = -1 EPERM
>> > (Operation not permitted)
>> >
>> > Early on:
>> > - 0.99.24.1:
>> > open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
>> > lseek(4, 0, SEEK_CUR) = 0
>> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
>> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fdf0e423000
>> > lseek(4, 843, SEEK_SET) = 843
>> > munmap(0x7fdf0e423000, 843) = 0
>> > close(4) = 0
>> > setgroups(1, [118])
>> >
>> > - 1.0.20160315:
>> > open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
>> > lseek(4, 0, SEEK_CUR) = 0
>> > fstat(4, {st_mode=S_IFREG|0644, st_size=843, ...}) = 0
>> > mmap(NULL, 843, PROT_READ, MAP_SHARED, 4, 0) = 0x7fbdc2187000
>> > lseek(4, 843, SEEK_SET) = 843
>> > munmap(0x7fbdc2187000, 843) = 0
>> > close(4) = 0
>> > setgroups(1, [1004]) = 0
>> >
>> >
>> > 118 is quaggavty's group, 1004 is quagga's group.
>> >
>> >
>> > Here are the full traces:
>> > - 0.99.24.1: http://www.pastefile.com/W26wof
>> > - 1.0.20160915: http://www.pastefile.com/1kfxiG
>> >
>> >
>> > I'm looking at lib/privs.c now and will send an email if I find
>> > something (I'm not a developer so it could take me some time).
>> >
>> >
>> > 2016-04-08 10:20 GMT+02:00 Thomas Martin <[email protected]>:
>> >> Hello Donald,
>> >>
>> >> Thanks for this confirmation; I will do more digging on my side.
>> >>
>> >> HAVE_GETGROUPLIST is set to 1; here are the files:
>> >> - config.h: http://www.pastefile.com/7PKksc
>> >> - config.log: http://www.pastefile.com/u6Z2DK
>> >>
>> >>
>> >> Thank you.
>> >>
>> >> Thomas
>> >>
>> >> 2016-04-07 13:46 GMT+02:00 Donald Sharp <[email protected]>:
>> >>> Thomas -
>> >>>
>> >>> It is working for me:
>> >>>
>> >>> root@Robot:/work/robot/sharpd/official# ls -altr /var/run/quagga
>> >>> total 16
>> >>> srwx------ 1 quagga quagga 0 Mar 24 07:54 zserv.api
>> >>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 zebra.pid
>> >>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 zebra.vty
>> >>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 bgpd.vty
>> >>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 bgpd.pid
>> >>> srwxrwx--- 1 quagga quaggavty 0 Mar 24 07:54 pimd.vty
>> >>> -rw-r--r-- 1 quagga quagga 5 Mar 24 07:54 pimd.pid
>> >>> -rw-r--r-- 1 root root 5 Mar 24 07:54 watchquagga.pid
>> >>> drwxr-xr-x 2 quagga quagga 200 Mar 24 07:54 .
>> >>> drwxr-xr-x 24 root root 1060 Apr 6 22:01 ..
>> >>> root@Robot:/work/robot/sharpd/official# vtysh -c "show ver"
>> >>> Quagga 1.0.20160315 ().
>> >>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>> >>> configured with:
>> >>> --build=x86_64-linux-gnu --prefix=/usr
>> >>> --includedir=${prefix}/include
>> >>> --mandir=${prefix}/share/man --infodir=${prefix}/share/info
>> >>> --sysconfdir=/etc --localstatedir=/var
>> >>> --libexecdir=${prefix}/lib/quagga
>> >>> --disable-maintainer-mode --enable-dependency-checking
>> >>> --enable-exampledir=/usr/share/doc/quagga/examples/
>> >>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> >>> --sysconfdir=/etc/quagga --enable-vtysh --enable-isisd
>> >>> --enable-watchquagga
>> >>> --enable-ospf-te --enable-opaque-lsa --enable-ipv6
>> >>> --enable-ospfclient=yes
>> >>> --enable-ospfapi=yes --enable-multipath=64 --enable-user=quagga
>> >>> --enable-group=quagga --enable-vty-group=quaggavty
>> >>> --enable-configfile-mask=0640 --enable-logfile-mask=0640
>> >>> --enable-rtadv
>> >>> --enable-werror --enable-gcc-rdynamic --with-libpam
>> >>> build_alias=x86_64-linux-gnu --no-create --no-recursion
>> >>> root@Robot:/work/robot/sharpd/official# ps -ef | grep quagga
>> >>> quagga 3553 1 0 Apr02 ? 00:00:10 /usr/lib/quagga/zebra
>> >>> --daemon -A 127.0.0.1
>> >>> quagga 3562 1 0 Apr02 ? 00:00:26 /usr/lib/quagga/bgpd
>> >>> --daemon -A 127.0.0.1
>> >>> quagga 3569 1 0 Apr02 ? 00:00:06 /usr/lib/quagga/pimd
>> >>> --daemon -A 127.0.0.1
>> >>> root 3576 1 0 Apr02 ? 00:00:23
>> >>> /usr/lib/quagga/watchquagga
>> >>> -adz -r /usr/sbin/servicebBquaggabBrestartbB%s -s
>> >>> /usr/sbin/servicebBquaggabBstartbB%s -k
>> >>> /usr/sbin/servicebBquaggabBstopbB%s
>> >>> -b bB -t 30 zebra bgpd pimd
>> >>> root 6307 6298 0 07:44 pts/1 00:00:00 grep quagga
>> >>> root@Robot:/work/robot/sharpd/official#
>> >>>
>> >>>
>> >>> What does your config.h have for HAVE_GETGROUPLIST? Can you point us
>> >>> at
>> >>> your config.log and config.h files?
>> >>>
>> >>> Something strange has happened.
>> >>>
>> >>> donald
>> >>>
>> >>> On Thu, Apr 7, 2016 at 3:15 AM, Thomas Martin <[email protected]>
>> >>> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> I'm having issues with enable-vty-group with Quagga 1.0.20160315 (all
>> >>>> daemons).
>> >>>>
>> >>>> I compiled it with "--enable-vty-group=quaggavty", as usual, but the
>> >>>> correct group is not set on vty:
>> >>>> # ls -l /var/run/quagga/*vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/bgpd.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/ospf6d.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/ospfd.vty
>> >>>> srwxrwx--- 1 quagga quagga 0 Apr 7 09:08 /var/run/quagga/zebra.vty
>> >>>>
>> >>>> I checked and the group quaggavty is correctly defined on my servers:
>> >>>> # grep quaggavty /etc/group
>> >>>> quaggavty:x:118:
>> >>>>
>> >>>>
>> >>>> Am I the only one to have this issue or am I missing something ?
>> >>>>
>> >>>> Please note that I didn't have this issue with Quagga 0.99.24.1 on the
>> >>>> same servers.
>> >>>>
>> >>>>
>> >>>> Thanks!
>> >>>>
>> >>>> FYI here is an "ospf6d -v":
>> >>>> # /usr/lib/quagga/ospf6d -v
>> >>>> ospf6d version 1.0.20160315
>> >>>> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>> >>>> configured with:
>> >>>> --build=x86_64-linux-gnu --prefix=/usr
>> >>>> --includedir=${prefix}/include --mandir=${prefix}/share/man
>> >>>> --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
>> >>>> --disable-silent-rules --libexecdir=${prefix}/lib/quagga
>> >>>> --disable-maintainer-mode --disable-dependency-tracking
>> >>>> --enable-exampledir=/usr/share/doc/quagga/examples/
>> >>>> --localstatedir=/var/run/quagga --sbindir=/usr/lib/quagga
>> >>>> --sysconfdir=/etc/quagga --enable-snmp --enable-vtysh --enable-isisd
>> >>>> --enable-watchquagga --enable-ospf-te --enable-opaque-lsa
>> >>>> --enable-ipv6 --enable-ospfclient=yes --enable-ospfapi=yes
>> >>>> --enable-multipath=64 --enable-user=quagga --enable-group=quagga
>> >>>> --enable-vty-group=quaggavty --enable-configfile-mask=0640
>> >>>> --enable-logfile-mask=0640 --enable-rtadv --enable-gcc-rdynamic
>> >>>> --with-libpam CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> >>>> -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2
>> >>>> -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>> >>>> FCFLAGS=-g -O2 -fPIE -fstack-protector-strong FFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong GCJFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> >>>> OBJCFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
>> >>>> -Werror=format-security OBJCXXFLAGS=-g -O2 -fPIE
>> >>>> -fstack-protector-strong -Wformat -Werror=format-security
>> >>>>
>> >>>> _______________________________________________
>> >>>> Quagga-users mailing list
>> >>>> [email protected]
>> >>>> https://lists.quagga.net/mailman/listinfo/quagga-users
>> >>>
>> >>>
>
>
_______________________________________________
Quagga-users mailing list
[email protected]
https://lists.quagga.net/mailman/listinfo/quagga-users
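
The startup check suggested in the thread (fail and tell the operator when the daemon user is not in the vty group), written out as an added example; it is not code from Quagga's lib/privs.c or from anyone in the thread. The names check_vty_group, gid_in_list and MAX_GROUPS and the return codes are assumptions made for illustration, and the sample gid arrays are constructed from the values quoted above (1004 = quagga, 118 = quaggavty).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes getgrouplist() in glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_GROUPS 256             /* hypothetical cap, counted in gid_t elements */

/* Constructed samples: supplementary groups of quagga before/after adduser. */
static const gid_t groups_before[] = { 1004 };
static const gid_t groups_after[]  = { 1004, 118 };

/* Return 1 if gid is among the first n entries of groups, else 0. */
int gid_in_list(gid_t gid, const gid_t *groups, int n)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Hypothetical startup check. 0 = user is in vty_group, -1 = unknown user
 * or group, -2 = group list did not fit, -3 = user is not a member. */
int check_vty_group(const char *user, const char *vty_group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t primary = pw->pw_gid;    /* copy out of the static passwd buffer */
    struct group *gr = getgrnam(vty_group);
    if (gr == NULL) return -1;
    gid_t vty_gid = gr->gr_gid;

    gid_t groups[MAX_GROUPS];
    int ngroups = MAX_GROUPS;      /* in: capacity, out: number of groups */
    if (getgrouplist(user, primary, groups, &ngroups) < 0) return -2;
    if (!gid_in_list(vty_gid, groups, ngroups)) {
        fprintf(stderr, "%s is not in group %s (gid %ld): vty chown would fail\n",
                user, vty_group, (long)vty_gid);
        return -3;
    }
    return 0;
}

int main(void)
{
    printf("%d %d\n", gid_in_list(118, groups_before, 1), gid_in_list(118, groups_after, 2));
    return check_vty_group("quagga", "quaggavty") == 0 ? 0 : 1;
}
```

Run as root before the daemon drops privileges, a non-zero result here points at the same condition that shows up in the strace output as chown returning EPERM.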
