Bug#552321: Patch works only partly

[Ludovico Gardenghi]

Hello!

On Wed, Feb 03, 2010 at 21:37:08 +, b...@bc-bd.org wrote:

 Attached is an updated version of the patch fixing said bash-ism.

I've just uploaded a new version of molly-guard (0.4.5-1); my intention
was to close the release critical bug #548099, so I focused on letting
molly-guard work on Debian GNU/kFreeBSD with the same set of
functionalities as the previous version, rather than adding new
features.

Mine was meant to be a small and non-intrusive non-maintainer upload (as
the author and maintainer is Martin), but I got a sort of field
promotion ;-) and uploaded it as a co-maintainer.

So: your work has been ignored in this release (including the look for
a sshd parent part, which is in 0.4.5-1 as well but with a different
implementation) just because the aim was to get rid of a RC bug.

I see that you and Martin already discussed (and I'd personally
appreciate some support for screen/tmux) so I'd prefer to leave to him
the choice of adding non-ssh support to molly-guard, unless I receive an
explicit authorization to do so on his behalf. :-)

In any case, thanks for your contribution!

Ludovico
-- 
l...@dovi.coIRC: garden@freenode
OpenPGP: 1024D/63D2D5D907F89BB8 Jabber/gtalk: garde...@gmail.com



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#552321: Patch works only partly

[martin f krafft]

also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
 I still think the patch is a valuable addition to molly-guard, as
 it fixes a problem I and maybe others have. I think that holding
 this patch back because you feel molly-guard needs to be rewritten
 is the wrong thing to do.

There is no reason for me *not* to include it, so I will.

However, there is one remaining problem, as far as I can see. While
your patch gets rid of the pgrep-based approach and hence solves the
kFreeBSD-problem, where the tty-name of the sshd process is not
exported by ps, it introduces another Linux-ism:

  EXE=$(basename $(readlink /proc/$PARENT/exe) )

/proc/$PARENT/exe does not exist on FreeBSD. Can you fathom another
way to achieve this?

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
moderation is a fatal thing. enough is as bad as a meal. more than
 enough is as good as a feast.
-- oscar wilde


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

Bug#552321: Patch works only partly

[bd]

On Thu, Feb 04, 2010 at 09:40:08AM +1300, martin f krafft wrote:
 also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
  I still think the patch is a valuable addition to molly-guard, as
  it fixes a problem I and maybe others have. I think that holding
  this patch back because you feel molly-guard needs to be rewritten
  is the wrong thing to do.
 
 There is no reason for me *not* to include it, so I will.

Great :).

 However, there is one remaining problem, as far as I can see. While
 your patch gets rid of the pgrep-based approach and hence solves the
 kFreeBSD-problem, where the tty-name of the sshd process is not
 exported by ps, it introduces another Linux-ism:
 
   EXE=$(basename $(readlink /proc/$PARENT/exe) )
 
 /proc/$PARENT/exe does not exist on FreeBSD. Can you fathom another
 way to achieve this?

Since I don't have a kfreebsd machine I asked in irc.debian.org/#debian-kbsd,
where I have been told that kfreebsd normally does have /proc mounted and the
exe link exists.

We discovered one bash-ism, but the test for /proc/$PID/exe worked.

Attached is an updated version of the patch fixing said bash-ism.

regards

Stefan
-- 
You will be winged by an anti-aircraft battery.
diff --git a/rc b/rc
index d5b87cc..eb456ed 100644
--- a/rc
+++ b/rc
@@ -4,3 +4,9 @@
 # when set, causes the 30-query-hostname script to always ask for the
 # hostname, even if no SSH session was detected.
 #ALWAYS_QUERY_HOSTNAME=true
+#
+# CHECK_IMAGES
+#
+# Space seperated list of image names to look for and if found to protect
+# against.
+CHECK_IMAGES=sshd screen
diff --git a/run.d/30-query-hostname b/run.d/30-query-hostname
index d040603..0aa9833 100755
--- a/run.d/30-query-hostname
+++ b/run.d/30-query-hostname
@@ -3,6 +3,7 @@
 # 30-ask-hostname - request the user to type in the hostname of the local host
 #
 # Copyright © martin f. krafft madd...@madduck.net
+# Copyright © 2009-2010 Stefan Völkel b...@bc-bd.org
 # Released under the terms of the Artistic Licence 2.0
 #
 set -eu
@@ -21,28 +22,57 @@ done
 # require an interactive terminal connected to stdin
 test -t 0 || exit 0
 
-# we've been asked to always protect this host
+# whether we should check for an ssh session or not
+CHECK=1
+
+# should we bypass ssh session checking and handle as if we found one?
+if [ $PRETEND_SSH -eq 1 ]; then
+  CHECK=0
+  echo I: $ME: --pretend-ssh was given, handling as ssh session 2
+fi
+
+# should this hostname always be guarded?
 case ${ALWAYS_QUERY_HOSTNAME:-0} in
   0|false|False|no|No|off|Off)
-# only run if we are being called over SSH, that is if the current terminal
-# was created by sshd.
-PTS=$(readlink /proc/$$/fd/0)
-if ! pgrep -f ^sshd.+${PTS#/dev/}\ /dev/null \
-   [ -z ${SSH_CONNECTION:-} ]; then
-if [ $PRETEND_SSH -eq 1 ]; then
-  echo I: $ME: this is not an SSH session, but --pretend-ssh was given... 2
-else
-  exit 0
-fi
-else
-  echo W: $ME: SSH session detected! 2
-fi
-;;
+  ;;
   *)
+CHECK=0
 echo I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system. 2
 ;;
 esac
 
+# bypass image check?
+if [ $CHECK -ne 0 ]; then
+  # no, set parent pid
+  PARENT=$$
+
+  FOUND=
+  # keep looking at parent pid until ...
+  while [ -z $FOUND ]; do
+# ... no more parents
+#   = molly-guard was NOT started as child of sshd
+#   = this is NOT an ssh/screen/whatever session
+#   = reboot/halt/... as requested
+[ $PARENT -eq 0 ]  exit 0
+
+# find out image name
+EXE=$(basename $(readlink /proc/$PARENT/exe) )
+
+# ... parent image is one of sshd, screen
+for p in $CHECK_IMAGES; do
+  if [ $p = $EXE ]; then
+FOUND=$p
+break;
+  fi
+done
+
+# get next pid
+PARENT=$(ps -o ppid= $PARENT | sed 's/^ \+//')
+  done
+
+  echo I: $ME: $FOUND found. 2
+fi
+
 HOSTNAME=$(hostname --short)
 
 sigh()

Bug#552321: Patch works only partly

[bd]

On Tue, Feb 02, 2010 at 08:32:20AM +1300, martin f krafft wrote:
 also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.01.2237 +1300]:
  Well, this feels to me like trying to prove a negative, which is
  always hard or impossible.
 
 Actually, I thought that is what we are doing now: the impossible.
 
 Think about a firewall: there, you'd configure it to REJECT all
 packages it does not ACCEPT. So why should molly-guard not be
 equally careful and REJECT (ask for confirmation) everything except
 when it knows for sure that it can ACCEPT (continue without
 confirmation)?

As I see it, a Firewall tests for the presence of things (certain port, IP,
protocol, etc) molly-guard tests for the absence of things (ssh ENV, etc).

Now, to get back to what this bug was originally about.

I still think the patch is a valuable addition to molly-guard, as it fixes a
problem I and maybe others have. I think that holding this patch back because
you feel molly-guard needs to be rewritten is the wrong thing to do.

regards

Stefan
-- 
BOFH excuse #239:

CPU needs bearings repacked



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#552321: Patch works only partly

[martin f krafft]

also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.03.0021 +1300]:
 As I see it, a Firewall tests for the presence of things (certain
 port, IP, protocol, etc) molly-guard tests for the absence of
 things (ssh ENV, etc).

Molly-guard currently tests to see if it runs remotely. Previously,
this was done with $SSH_CONNECTION, but now it checks for the PTY of
the sshd daemon, which is not checking for absence.

 I still think the patch is a valuable addition to molly-guard, as
 it fixes a problem I and maybe others have. I think that holding
 this patch back because you feel molly-guard needs to be rewritten
 is the wrong thing to do.

I'll take another look today.

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
if voting could really change things, it would be illegal.
 -- revolution books, new york



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#552321: Patch works only partly

[bd]

On Mon, Feb 01, 2010 at 04:49:34PM +1300, martin f krafft wrote:
 tags 552321 help moreinfo
 thanks
 
 also sprach Stefan Völkel b...@bc-bd.org [2009.12.11.0029 +1300]:
  after playing around with this, it looks like this will only work
  as long as the screen session has not been detached.
 [???]
  Now if you run molly-guard from bash (PID 4986) it will walk up
  the process hierarchy and _NOT_ encounter ssh, since SCREENs
  parent is now init.
  
  I changed the patch to walk up the process hierarchy and
  molly-guard the machine if screen or sshd is found.
 
 While I appreciate your work, this is very much going into the
 direction of a hack (if molly-guard isn't a giant hack already).

I guess one could patch /sbin/halt to accept a --hostname parameter:

r...@foo $ /sbin/halt --hostname bar
E: dude, no, wrong machine.

 I was thinking that we should take a different approach: prompt
 UNLESS we can verify that the current tty is local. Any ideas how to
 accomplish that?

Well, this feels to me like trying to prove a negative, which is always hard or
impossible.

The current approach, hackish or not, does state pretty clear what it does do 
and
what not. If you run molly-guarded halt from a screen or ssh session it will ask
you for the hostname you want to shutdown.

I think this burns down to, what is it that molly-guard is trying to acomplish?

  a) Should it protect you from shuting down a/the wrong _remote_ machine?

or

 b) Should  it protect you from shuting down _the wrong_ machine?

If a), well it fails when ssh is run from screen, which makes it unusable at
least for me, because it provides me with a false feeling of security.

If b), then it's more of a --hostname approach.

HTH

Stefan
-- 
Your manuscript is both good and original, but the part that is good is not
original and the part that is original is not good.
-- Samuel Johnson



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#552321: Patch works only partly

[martin f krafft]

also sprach b...@bc-bd.org b...@bc-bd.org [2010.02.01.2237 +1300]:
 Well, this feels to me like trying to prove a negative, which is
 always hard or impossible.

Actually, I thought that is what we are doing now: the impossible.

Think about a firewall: there, you'd configure it to REJECT all
packages it does not ACCEPT. So why should molly-guard not be
equally careful and REJECT (ask for confirmation) everything except
when it knows for sure that it can ACCEPT (continue without
confirmation)?

   a) Should it protect you from shuting down a/the wrong _remote_ machine?
 
 or
 
  b) Should  it protect you from shuting down _the wrong_ machine?
 
 If a), well it fails when ssh is run from screen, which makes it unusable at
 least for me, because it provides me with a false feeling of security.
 
 If b), then it's more of a --hostname approach.

(b) is already handled with ALWAYS_QUERY_HOSTNAME.

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
ah, but a man's reach should exceed his grasp,
 or what's a heaven for?
-- robert browning


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

Bug#552321: Patch works only partly

[martin f krafft]

tags 552321 help moreinfo
thanks

also sprach Stefan Völkel b...@bc-bd.org [2009.12.11.0029 +1300]:
 after playing around with this, it looks like this will only work
 as long as the screen session has not been detached.
[…]
 Now if you run molly-guard from bash (PID 4986) it will walk up
 the process hierarchy and _NOT_ encounter ssh, since SCREENs
 parent is now init.
 
 I changed the patch to walk up the process hierarchy and
 molly-guard the machine if screen or sshd is found.

While I appreciate your work, this is very much going into the
direction of a hack (if molly-guard isn't a giant hack already).

I was thinking that we should take a different approach: prompt
UNLESS we can verify that the current tty is local. Any ideas how to
accomplish that?

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduckhttp://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems


digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

Bug#552321: Patch works only partly

[Stefan Völkel]

Hi,

after playing around with this, it looks like this will only work as
long as the screen session has not been detached.

Before detaching the screen session it looks like this in ps fax:

 2580 ?Ss 0:00 /usr/sbin/sshd
 3568 ?Ss 0:00  \_ sshd: bd [priv]
 3570 ?S  0:03  \_ sshd: b...@pts/0
 3571 pts/0Ss 0:00  \_ -bash
 4982 pts/0S+ 0:00  \_ screen -U -S work ...
 4983 ?Ss 0:00  \_ SCREEN -U -S work ...
 4984 pts/1Ss+0:00  \_ ssh  ***
 4985 pts/2Ss+0:00  \_ ssh ***
 4986 pts/3Ss 0:00  \_ bash
 5025 pts/3R+ 0:00  \_ ps fax
 5026 pts/3S+ 0:00  \_ less

After a detach/attach it looks like this:

 2580 ?Ss 0:00 /usr/sbin/sshd
 3568 ?Ss 0:00  \_ sshd: bd [priv]
 3570 ?S  0:03  \_ sshd: b...@pts/0
 3571 pts/0Ss 0:00  \_ -bash
 5031 pts/0S+ 0:00  \_ screen -Udr work
 ...
 4983 ?Ss 0:00 SCREEN -U -S work ...
 4984 pts/1Ss+0:00  \_ ssh ***
 4985 pts/2Ss+0:00  \_ ssh ***
 4986 pts/3Ss 0:00  \_ bash
 5033 pts/3R+ 0:00  \_ ps fax
 5034 pts/3S+ 0:00  \_ less

Now if you run molly-guard from bash (PID 4986) it will walk up the
process hierarchy and _NOT_ encounter ssh, since SCREENs parent is now init.

I changed the patch to walk up the process hierarchy and molly-guard the
machine if screen or sshd is found.

regards

Stefan
diff --git a/rc b/rc
index d5b87cc..eb456ed 100644
--- a/rc
+++ b/rc
@@ -4,3 +4,9 @@
 # when set, causes the 30-query-hostname script to always ask for the
 # hostname, even if no SSH session was detected.
 #ALWAYS_QUERY_HOSTNAME=true
+#
+# CHECK_IMAGES
+#
+# Space seperated list of image names to look for and if found to protect
+# against.
+CHECK_IMAGES=sshd screen
diff --git a/run.d/30-query-hostname b/run.d/30-query-hostname
index d040603..fddf54c 100755
--- a/run.d/30-query-hostname
+++ b/run.d/30-query-hostname
@@ -3,6 +3,7 @@
 # 30-ask-hostname - request the user to type in the hostname of the local host
 #
 # Copyright © martin f. krafft madd...@madduck.net
+# Copyright © 2009 Stefan Völkel b...@bc-bd.org
 # Released under the terms of the Artistic Licence 2.0
 #
 set -eu
@@ -21,28 +22,57 @@ done
 # require an interactive terminal connected to stdin
 test -t 0 || exit 0
 
-# we've been asked to always protect this host
+# whether we should check for an ssh session or not
+CHECK=1
+
+# should we bypass ssh session checking and handle as if we found one?
+if [ $PRETEND_SSH -eq 1 ]; then
+  CHECK=0
+  echo I: $ME: --pretend-ssh was given, handling as ssh session 2
+fi
+
+# should this hostname always be guarded?
 case ${ALWAYS_QUERY_HOSTNAME:-0} in
   0|false|False|no|No|off|Off)
-# only run if we are being called over SSH, that is if the current terminal
-# was created by sshd.
-PTS=$(readlink /proc/$$/fd/0)
-if ! pgrep -f ^sshd.+${PTS#/dev/}\ /dev/null \
-   [ -z ${SSH_CONNECTION:-} ]; then
-if [ $PRETEND_SSH -eq 1 ]; then
-  echo I: $ME: this is not an SSH session, but --pretend-ssh was 
given... 2
-else
-  exit 0
-fi
-else
-  echo W: $ME: SSH session detected! 2
-fi
-;;
+  ;;
   *)
+CHECK=0
 echo I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system. 2
 ;;
 esac
 
+# bypass image check?
+if [ $CHECK -ne 0 ]; then
+  # no, set parent pid
+  PARENT=$$
+
+  FOUND=
+  # keep looking at parent pid until ...
+  while [ -z $FOUND ]; do
+# ... no more parents
+#   = molly-guard was NOT started as child of sshd
+#   = this is NOT an ssh/screen/whatever session
+#   = reboot/halt/... as requested
+[ $PARENT -eq 0 ]  exit 0
+
+# find out image name
+EXE=$(basename $(readlink /proc/$PARENT/exe) )
+
+# ... parent image is one of sshd, screen
+for p in $CHECK_IMAGES; do
+  if [ $p == $EXE ]; then
+FOUND=$p
+break;
+  fi
+done
+
+# get next pid
+PARENT=$(ps -o ppid= $PARENT | sed 's/^ \+//')
+  done
+
+  echo I: $ME: $FOUND found. 2
+fi
+
 HOSTNAME=$(hostname --short)
 
 sigh()