Bug#552321: Patch works only partly
Hello!

On Wed, Feb 03, 2010 at 21:37:08 +, b...@bc-bd.org wrote:
> Attached is an updated version of the patch fixing said bash-ism.

I've just uploaded a new version of molly-guard (0.4.5-1); my intention was to close the release critical bug #548099, so I focused on letting molly-guard work on Debian GNU/kFreeBSD with the same set of functionalities as the previous version, rather than adding new features. Mine was meant to be a small and non-intrusive non-maintainer upload (as the author and maintainer is Martin), but I got a sort of field promotion ;-) and uploaded it as a co-maintainer.

So: your work has been ignored in this release (including the look for a sshd parent part, which is in 0.4.5-1 as well but with a different implementation) just because the aim was to get rid of a RC bug. I see that you and Martin already discussed (and I'd personally appreciate some support for screen/tmux) so I'd prefer to leave to him the choice of adding non-ssh support to molly-guard, unless I receive an explicit authorization to do so on his behalf. :-)

In any case, thanks for your contribution!

Ludovico

--
l...@dovi.co IRC: garden@freenode
OpenPGP: 1024D/63D2D5D907F89BB8 Jabber/gtalk: garde...@gmail.com

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#552321: Patch works only partly
also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
> I still think the patch is a valuable addition to molly-guard, as it fixes a problem I and maybe others have. I think that holding this patch back because you feel molly-guard needs to be rewritten is the wrong thing to do.

There is no reason for me *not* to include it, so I will.

However, there is one remaining problem, as far as I can see. While your patch gets rid of the pgrep-based approach and hence solves the kFreeBSD-problem, where the tty-name of the sshd process is not exported by ps, it introduces another Linux-ism:

    EXE=$(basename $(readlink /proc/$PARENT/exe) )

/proc/$PARENT/exe does not exist on FreeBSD. Can you fathom another way to achieve this?

--
 .''`.   martin f. krafft madd...@d.o        Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

moderation is a fatal thing. enough is as bad as a meal. more than enough is as good as a feast.
-- oscar wilde

digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
Bug#552321: Patch works only partly
On Thu, Feb 04, 2010 at 09:40:08AM +1300, martin f krafft wrote:
> also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
> > I still think the patch is a valuable addition to molly-guard, as it fixes a problem I and maybe others have. I think that holding this patch back because you feel molly-guard needs to be rewritten is the wrong thing to do.
>
> There is no reason for me *not* to include it, so I will.

Great :).

> However, there is one remaining problem, as far as I can see. While your patch gets rid of the pgrep-based approach and hence solves the kFreeBSD-problem, where the tty-name of the sshd process is not exported by ps, it introduces another Linux-ism:
>
>     EXE=$(basename $(readlink /proc/$PARENT/exe) )
>
> /proc/$PARENT/exe does not exist on FreeBSD. Can you fathom another way to achieve this?

Since I don't have a kfreebsd machine I asked in irc.debian.org/#debian-kbsd, where I have been told that kfreebsd normally does have /proc mounted and the exe link exists.

We discovered one bash-ism, but the test for /proc/$PID/exe worked.

Attached is an updated version of the patch fixing said bash-ism.

regards
Stefan

--
You will be winged by an anti-aircraft battery.

diff --git a/rc b/rc index d5b87cc..eb456ed 100644 --- a/rc +++ b/rc @@ -4,3 +4,9 @@ # when set, causes the 30-query-hostname script to always ask for the # hostname, even if no SSH session was detected. #ALWAYS_QUERY_HOSTNAME=true +# +# CHECK_IMAGES +# +# Space seperated list of image names to look for and if found to protect +# against. +CHECK_IMAGES=sshd screen diff --git a/run.d/30-query-hostname b/run.d/30-query-hostname index d040603..0aa9833 100755 --- a/run.d/30-query-hostname +++ b/run.d/30-query-hostname @@ -3,6 +3,7 @@ # 30-ask-hostname - request the user to type in the hostname of the local host # # Copyright © martin f. krafft madd...@madduck.net +# Copyright © 2009-2010 Stefan Völkel b...@bc-bd.org # Released under the terms of the Artistic Licence 2.0 # set -eu
@@ -21,28 +22,57 @@ done # require an interactive terminal connected to stdin test -t 0 || exit 0 -# we've been asked to always protect this host +# whether we should check for an ssh session or not +CHECK=1 + +# should we bypass ssh session checking and handle as if we found one? +if [ $PRETEND_SSH -eq 1 ]; then + CHECK=0 + echo I: $ME: --pretend-ssh was given, handling as ssh session 2 +fi + +# should this hostname always be guarded? case ${ALWAYS_QUERY_HOSTNAME:-0} in 0|false|False|no|No|off|Off) -# only run if we are being called over SSH, that is if the current terminal -# was created by sshd. -PTS=$(readlink /proc/$$/fd/0) -if ! pgrep -f ^sshd.+${PTS#/dev/}\ /dev/null \ - [ -z ${SSH_CONNECTION:-} ]; then -if [ $PRETEND_SSH -eq 1 ]; then - echo I: $ME: this is not an SSH session, but --pretend-ssh was given... 2 -else - exit 0 -fi -else - echo W: $ME: SSH session detected! 2 -fi -;; + ;; *) +CHECK=0 echo I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system. 2 ;; esac +# bypass image check? +if [ $CHECK -ne 0 ]; then + # no, set parent pid + PARENT=$$ + + FOUND= + # keep looking at parent pid until ... + while [ -z $FOUND ]; do +# ... no more parents +# = molly-guard was NOT started as child of sshd +# = this is NOT an ssh/screen/whatever session +# = reboot/halt/... as requested +[ $PARENT -eq 0 ] exit 0 + +# find out image name +EXE=$(basename $(readlink /proc/$PARENT/exe) ) + +# ... parent image is one of sshd, screen +for p in $CHECK_IMAGES; do + if [ $p = $EXE ]; then +FOUND=$p +break; + fi +done + +# get next pid +PARENT=$(ps -o ppid= $PARENT | sed 's/^ \+//') + done + + echo I: $ME: $FOUND found. 2 +fi + HOSTNAME=$(hostname --short) sigh()
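Review bot: CHECK_IMAGES is given a value only in rc, while the script reads it bare in "for p in $CHECK_IMAGES" and runs under set -eu. If rc does not define the variable, the script stops on an unset variable instead of deciding anything. ALWAYS_QUERY_HOSTNAME is already read with a fallback, as ${ALWAYS_QUERY_HOSTNAME:-0}; the new variable should get the same treatment in the loop, for example ${CHECK_IMAGES:-sshd screen}. Minor: "seperated" in the new rc comment should read "separated".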
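Review bot: the ancestor walk added in the last hunk fails open. When the while loop reaches PARENT 0 it runs exit 0, so a session whose ancestry contains none of the names in CHECK_IMAGES goes through without the hostname prompt, and the protection is only as complete as that list. Separately, the script runs under set -eu: if readlink on /proc/$PARENT/exe prints nothing, basename is called without an operand, fails, and the script stops at the EXE= assignment rather than making a deliberate choice. I would test the readlink result before calling basename and treat a missing or unreadable link as a match, so that the doubtful case asks for the hostname, and say in the rc comment that session wrappers not listed in CHECK_IMAGES are not guarded.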
Bug#552321: Patch works only partly
On Tue, Feb 02, 2010 at 08:32:20AM +1300, martin f krafft wrote:
> also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.01.2237 +1300]:
> > Well, this feels to me like trying to prove a negative, which is always hard or impossible.
>
> Actually, I thought that is what we are doing now: the impossible.
>
> Think about a firewall: there, you'd configure it to REJECT all packages it does not ACCEPT. So why should molly-guard not be equally careful and REJECT (ask for confirmation) everything except when it knows for sure that it can ACCEPT (continue without confirmation)?

As I see it, a Firewall tests for the presence of things (certain port, IP, protocol, etc), molly-guard tests for the absence of things (ssh ENV, etc).

Now, to get back to what this bug was originally about.

I still think the patch is a valuable addition to molly-guard, as it fixes a problem I and maybe others have. I think that holding this patch back because you feel molly-guard needs to be rewritten is the wrong thing to do.

regards
Stefan

--
BOFH excuse #239: CPU needs bearings repacked
Bug#552321: Patch works only partly
also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
> As I see it, a Firewall tests for the presence of things (certain port, IP, protocol, etc) molly-guard tests for the absence of things (ssh ENV, etc).

Molly-guard currently tests to see if it runs remotely. Previously, this was done with $SSH_CONNECTION, but now it checks for the PTY of the sshd daemon, which is not checking for absence.

> I still think the patch is a valuable addition to molly-guard, as it fixes a problem I and maybe others have. I think that holding this patch back because you feel molly-guard needs to be rewritten is the wrong thing to do.

I'll take another look today.

--
martin f. krafft madd...@d.o

if voting could really change things, it would be illegal.
-- revolution books, new york
Bug#552321: Patch works only partly
On Mon, Feb 01, 2010 at 04:49:34PM +1300, martin f krafft wrote:
> tags 552321 help moreinfo
> thanks
>
> also sprach Stefan Völkel b...@bc-bd.org [2009.12.11.0029 +1300]:
> > after playing around with this, it looks like this will only work as long as the screen session has not been detached.
> […]
> > Now if you run molly-guard from bash (PID 4986) it will walk up the process hierarchy and _NOT_ encounter ssh, since SCREEN's parent is now init. I changed the patch to walk up the process hierarchy and molly-guard the machine if screen or sshd is found.
>
> While I appreciate your work, this is very much going into the direction of a hack (if molly-guard isn't a giant hack already).

I guess one could patch /sbin/halt to accept a --hostname parameter:

    r...@foo $ /sbin/halt --hostname bar
    E: dude, no, wrong machine.

> I was thinking that we should take a different approach: prompt UNLESS we can verify that the current tty is local. Any ideas how to accomplish that?

Well, this feels to me like trying to prove a negative, which is always hard or impossible.

The current approach, hackish or not, does state pretty clear what it does do and what not. If you run molly-guarded halt from a screen or ssh session it will ask you for the hostname you want to shutdown.

I think this burns down to, what is it that molly-guard is trying to accomplish?

a) Should it protect you from shutting down a/the wrong _remote_ machine?

or

b) Should it protect you from shutting down _the wrong_ machine?

If a), well it fails when ssh is run from screen, which makes it unusable at least for me, because it provides me with a false feeling of security.

If b), then it's more of a --hostname approach.

HTH
Stefan

--
Your manuscript is both good and original, but the part that is good is not original and the part that is original is not good.
-- Samuel Johnson
Bug#552321: Patch works only partly
also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.01.2237 +1300]:
> Well, this feels to me like trying to prove a negative, which is always hard or impossible.

Actually, I thought that is what we are doing now: the impossible.

Think about a firewall: there, you'd configure it to REJECT all packages it does not ACCEPT. So why should molly-guard not be equally careful and REJECT (ask for confirmation) everything except when it knows for sure that it can ACCEPT (continue without confirmation)?

> a) Should it protect you from shutting down a/the wrong _remote_ machine?
>
> or
>
> b) Should it protect you from shutting down _the wrong_ machine?
>
> If a), well it fails when ssh is run from screen, which makes it unusable at least for me, because it provides me with a false feeling of security.
>
> If b), then it's more of a --hostname approach.

(b) is already handled with ALWAYS_QUERY_HOSTNAME.

--
martin f. krafft madd...@d.o

ah, but a man's reach should exceed his grasp, or what's a heaven for?
-- robert browning
Bug#552321: Patch works only partly
tags 552321 help moreinfo
thanks

also sprach Stefan Völkel b...@bc-bd.org [2009.12.11.0029 +1300]:
> after playing around with this, it looks like this will only work as long as the screen session has not been detached.
[…]
> Now if you run molly-guard from bash (PID 4986) it will walk up the process hierarchy and _NOT_ encounter ssh, since SCREEN's parent is now init. I changed the patch to walk up the process hierarchy and molly-guard the machine if screen or sshd is found.

While I appreciate your work, this is very much going into the direction of a hack (if molly-guard isn't a giant hack already).

I was thinking that we should take a different approach: prompt UNLESS we can verify that the current tty is local. Any ideas how to accomplish that?

--
martin f. krafft madd...@d.o
Bug#552321: Patch works only partly
Hi,

after playing around with this, it looks like this will only work as long as the screen session has not been detached.

Before detaching the screen session it looks like this in ps fax:

     2580 ?        Ss     0:00 /usr/sbin/sshd
     3568 ?        Ss     0:00  \_ sshd: bd [priv]
     3570 ?        S      0:03      \_ sshd: b...@pts/0
     3571 pts/0    Ss     0:00          \_ -bash
     4982 pts/0    S+     0:00              \_ screen -U -S work ...
     4983 ?        Ss     0:00                  \_ SCREEN -U -S work ...
     4984 pts/1    Ss+    0:00                      \_ ssh ***
     4985 pts/2    Ss+    0:00                      \_ ssh ***
     4986 pts/3    Ss     0:00                      \_ bash
     5025 pts/3    R+     0:00                          \_ ps fax
     5026 pts/3    S+     0:00                          \_ less

After a detach/attach it looks like this:

     2580 ?        Ss     0:00 /usr/sbin/sshd
     3568 ?        Ss     0:00  \_ sshd: bd [priv]
     3570 ?        S      0:03      \_ sshd: b...@pts/0
     3571 pts/0    Ss     0:00          \_ -bash
     5031 pts/0    S+     0:00              \_ screen -Udr work ...
     4983 ?        Ss     0:00 SCREEN -U -S work ...
     4984 pts/1    Ss+    0:00  \_ ssh ***
     4985 pts/2    Ss+    0:00  \_ ssh ***
     4986 pts/3    Ss     0:00  \_ bash
     5033 pts/3    R+     0:00      \_ ps fax
     5034 pts/3    S+     0:00      \_ less

Now if you run molly-guard from bash (PID 4986) it will walk up the process hierarchy and _NOT_ encounter ssh, since SCREEN's parent is now init.

I changed the patch to walk up the process hierarchy and molly-guard the machine if screen or sshd is found.

regards
Stefan

diff --git a/rc b/rc index d5b87cc..eb456ed 100644 --- a/rc +++ b/rc @@ -4,3 +4,9 @@ # when set, causes the 30-query-hostname script to always ask for the # hostname, even if no SSH session was detected. #ALWAYS_QUERY_HOSTNAME=true +# +# CHECK_IMAGES +# +# Space seperated list of image names to look for and if found to protect +# against. +CHECK_IMAGES=sshd screen diff --git a/run.d/30-query-hostname b/run.d/30-query-hostname index d040603..fddf54c 100755 --- a/run.d/30-query-hostname +++ b/run.d/30-query-hostname @@ -3,6 +3,7 @@ # 30-ask-hostname - request the user to type in the hostname of the local host # # Copyright © martin f. krafft madd...@madduck.net +# Copyright © 2009 Stefan Völkel b...@bc-bd.org # Released under the terms of the Artistic Licence 2.0 # set -eu
@@ -21,28 +22,57 @@ done # require an interactive terminal connected to stdin test -t 0 || exit 0 -# we've been asked to always protect this host +# whether we should check for an ssh session or not +CHECK=1 + +# should we bypass ssh session checking and handle as if we found one? +if [ $PRETEND_SSH -eq 1 ]; then + CHECK=0 + echo I: $ME: --pretend-ssh was given, handling as ssh session 2 +fi + +# should this hostname always be guarded? case ${ALWAYS_QUERY_HOSTNAME:-0} in 0|false|False|no|No|off|Off) -# only run if we are being called over SSH, that is if the current terminal -# was created by sshd. -PTS=$(readlink /proc/$$/fd/0) -if ! pgrep -f ^sshd.+${PTS#/dev/}\ /dev/null \ - [ -z ${SSH_CONNECTION:-} ]; then -if [ $PRETEND_SSH -eq 1 ]; then - echo I: $ME: this is not an SSH session, but --pretend-ssh was given... 2 -else - exit 0 -fi -else - echo W: $ME: SSH session detected! 2 -fi -;; + ;; *) +CHECK=0 echo I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system. 2 ;; esac +# bypass image check? +if [ $CHECK -ne 0 ]; then + # no, set parent pid + PARENT=$$ + + FOUND= + # keep looking at parent pid until ... + while [ -z $FOUND ]; do +# ... no more parents +# = molly-guard was NOT started as child of sshd +# = this is NOT an ssh/screen/whatever session +# = reboot/halt/... as requested +[ $PARENT -eq 0 ] exit 0 + +# find out image name +EXE=$(basename $(readlink /proc/$PARENT/exe) ) + +# ... parent image is one of sshd, screen +for p in $CHECK_IMAGES; do + if [ $p == $EXE ]; then +FOUND=$p +break; + fi +done + +# get next pid +PARENT=$(ps -o ppid= $PARENT | sed 's/^ \+//') + done + + echo I: $ME: $FOUND found. 2 +fi + HOSTNAME=$(hostname --short) sigh()
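Review bot: the comparison "[ $p == $EXE ]" in the inner for loop uses "==", which POSIX test does not define, so the match between a CHECK_IMAGES entry and the parent image depends on which shell runs the script. Where the operator is rejected, the if never succeeds, FOUND stays empty, and the walk continues to PARENT 0 and exit 0, which is the unguarded path. Use a single "=" here.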
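The detach problem from the report above, replayed as an added example that is not part of the thread or of molly-guard. The two process tables are constructed from the two ps listings; the image names and the PID 1 init row are assumptions about what basename of /proc/PID/exe would give, and the function names are hypothetical.

```shell
# Constructed tables, one "pid ppid image" row per process, taken from the
# two ps listings in the report. Image names and the init row are assumed.
BEFORE_DETACH='1 0 init
2580 1 sshd
3568 2580 sshd
3570 3568 sshd
3571 3570 bash
4982 3571 screen
4983 4982 screen
4986 4983 bash'
AFTER_DETACH='1 0 init
2580 1 sshd
3568 2580 sshd
3570 3568 sshd
3571 3570 bash
5031 3571 screen
4983 1 screen
4986 4983 bash'

# lookup TABLE PID: print "ppid image" for PID, return 1 if PID is unknown.
lookup() {
    while read -r p pp img; do
        if [ "$p" = "$2" ]; then printf '%s %s\n' "$pp" "$img"; return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# find_guarded_ancestor TABLE START_PID IMAGES
# Walk from START_PID towards PID 0. Print the first ancestor image that is
# in the space-separated IMAGES list and return 0. Return 1 when the top is
# reached without a match, 2 when the chain is broken (caller should prompt).
find_guarded_ancestor() {
    table=$1 pid=$2 images=$3
    while [ "$pid" -ne 0 ]; do
        entry=$(lookup "$table" "$pid") || return 2
        image=${entry#* }
        for want in $images; do
            if [ "$want" = "$image" ]; then printf '%s\n' "$image"; return 0; fi
        done
        pid=${entry%% *}
    done
    return 1
}

# Starting at bash (PID 4986): sshd is an ancestor only before the detach.
find_guarded_ancestor "$BEFORE_DETACH" 4986 "sshd"
find_guarded_ancestor "$AFTER_DETACH" 4986 "sshd" || echo "no sshd ancestor"
find_guarded_ancestor "$AFTER_DETACH" 4986 "sshd screen"
```

With only sshd in the list the walk after the detach ends at init without a match; with screen in the list it stops at the screen process first.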