Bug#661844: please respect sys admin set perms in /var/lib/shorewall

2012-04-22 Thread Jeffrey Sheinberg
On Sat, Apr 21, 2012 at 08:28:19PM -0400, Roberto C. Sánchez wrote:

 These files are regenerated everytime Shorewall is started/restarted.
 The only way to achieve the behavior you describe is to change the umask
 prior to starting/restarting Shorewall.  Because this is external to
 Shorewall, I am closing this report.

Hi Roberto,

This is a shorewall problem - the files are being regenerated, this is
the problem.

The files in question should simply be truncated when opened.  This is normal
behavior of most unix programs, unless they have a good reason to do
otherwise.

From the open(2) man page,

   O_TRUNC
  If the file already exists and is a regular file  and  the  open
  mode  allows  writing  (i.e.,  is O_RDWR or O_WRONLY) it will be
  truncated to length 0.  If the file is a FIFO or terminal device
  file,  the  O_TRUNC  flag  is  ignored.  Otherwise the effect of
  O_TRUNC is unspecified.

   creat() is equivalent to open() with flags equal to O_CREAT|O_WRONLY|O_TRUNC.

Using the shell, it works like this,

$ umask
0022

$ touch aa

$ ls -l aa
-rw-r--r-- 1 jeff jeff 0 Apr 22 17:05 aa

$ umask 777

$ : >| aa

$ ls -l aa
-rw-r--r-- 1 jeff jeff 0 Apr 22 17:06 aa

$ touch bb

$ ls -l bb
---------- 1 jeff jeff 0 Apr 22 17:06 bb

$ umask 022

For open(2), the umask has no effect unless the file being created did not
originally exist.

This means that shorewall is deleting these files, then creating them,
rather than just opening with O_CREAT|O_WRONLY|O_TRUNC flags.

This is a bug in shorewall.  Please re-open.

Thanks,
-- 
Jeffrey Sheinberg




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#661844: please respect sys admin set perms in /var/lib/shorewall

2012-04-22 Thread Roberto C. Sánchez
On Sun, Apr 22, 2012 at 05:21:53PM -0400, Jeffrey Sheinberg wrote:
 On Sat, Apr 21, 2012 at 08:28:19PM -0400, Roberto C. Sánchez wrote:
 
  These files are regenerated everytime Shorewall is started/restarted.
  The only way to achieve the behavior you describe is to change the umask
  prior to starting/restarting Shorewall.  Because this is external to
  Shorewall, I am closing this report.
 
 Hi Roberto,
 
 This is a shorewall problem - the files are being regenerated, this is
 the problem.
 
 The files in question should simply be truncated when opened.  This is normal
 behavior of most unix programs, unless they have a good reason to do
 otherwise.
 

Except that would result in wiping out known good configurations
before it is known that the new configuration is good (in the case of a
restart).  This would not be acceptable, as it could eliminate the
administrator's capability to safely restart.  What Shorewall does is to
create the new files under temporary names, and on successful completion
remove the old file and move the new file into place.  Truncation
would not work in that case.

I recommend that you look at placing any 'chmod' commands that you
require into /etc/shorewall/started.

Please see http://shorewall.net/shorewall_extension_scripts.htm for
additional information.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
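Both positions in this exchange can be checked directly against open(2) and rename(2). The following is an added example, not Shorewall's code or anything either poster wrote; it assumes a writable path supplied by the caller (the /tmp names are constructed), and goes one step beyond the thread by showing that the temp-file-and-rename scheme can keep its atomic replace while still carrying the admin-set mode over to the new inode.

```c
/* Added example, not Shorewall's code: the two rewrite strategies this thread
 * argues about, run against an admin-set mode of 0640 under umask 022. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path, then chmod it to mode as an admin (or cfengine) would. */
static int setup(const char *path, mode_t mode)
{
    umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || fchmod(fd, mode) != 0) return -1;
    return close(fd);
}

/* Permission bits of path (or -1 on error), removing the file afterwards. */
static int final_mode(const char *path)
{
    struct stat st;
    int ok = stat(path, &st) == 0;
    unlink(path);
    return ok ? (int)(st.st_mode & 07777) : -1;
}

/* O_TRUNC on an existing inode: neither umask nor the mode argument is consulted. */
int demo_in_place(const char *path)
{
    if (setup(path, 0640) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || write(fd, "new\n", 4) != 4) return -1;
    close(fd);
    return final_mode(path);   /* 0640: the admin's bits survive */
}

/* Temp file + rename(2), as Shorewall does: the temp inode is new, so it gets
 * 0644 & ~umask.  With keep_mode the old file's bits are copied onto it first,
 * keeping the atomic replace without dropping the admin's chmod. */
int demo_rename(const char *path, int keep_mode)
{
    char tmp[4096];
    struct stat old;
    if (setup(path, 0640) != 0 || stat(path, &old) != 0) return -1;
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "new\n", 4) != 4) return -1;
    if (keep_mode && fchmod(fd, old.st_mode & 07777) != 0) return -1;
    close(fd);
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return final_mode(path);   /* 0644 without keep_mode, 0640 with it */
}
```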



Bug#661844: please respect sys admin set perms in /var/lib/shorewall

2012-04-03 Thread Roberto C. Sánchez
On Thu, Mar 01, 2012 at 03:09:14PM -0500, Jeffrey Sheinberg wrote:
 
 Plain file /var/lib/shorewall/.restart had permission 700, changed it to 740
 Plain file /var/lib/shorewall/nat had permission 600, changed it to 640
 Plain file /var/lib/shorewall/.start had permission 700, changed it to 740
 Plain file /var/lib/shorewall/proxyarp had permission 600, changed it to 640
 Plain file /var/lib/shorewall6/proxyndp had permission 600, changed it to 640
 Plain file /var/lib/shorewall6/.start had permission 700, changed it to 740
 

Those files are created or re-created each time that Shorewall runs.  
Perhaps you can achieve your objective by setting the permissions you 
want on the directory /var/lib/shorewall and /var/lib/shorewall6.  
Another possibility would be to adjust the umask of the shell or script
from which you run Shorewall.  One other possibility would be to submit
a patch upstream that allows the admin to specify the desired 
permissions in Shorewall's configuration and then it can set its own 
umask appropriately.

Regards,

-Roberto

P.S. My apologies for the delay in responding.  I somehow overlooked
that this bug had even been filed and only noticed it last night.

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Bug#661844: please respect sys admin set perms in /var/lib/shorewall

2012-03-01 Thread Jeffrey Sheinberg
Package: shorewall
Version: 4.4.27.3-1
Severity: normal

Hi,

Please respect the sys admin set perms for the files in /var/lib/shorewall.

I set these perms so that they satisfy my own security requirements by using
cfengine.  I maintain that it is not appropriate for shorewall to change them
whenever it runs, other than on initial install or re-install.

Plain file /var/lib/shorewall/.restart had permission 700, changed it to 740
Plain file /var/lib/shorewall/nat had permission 600, changed it to 640
Plain file /var/lib/shorewall/.start had permission 700, changed it to 740
Plain file /var/lib/shorewall/proxyarp had permission 600, changed it to 640
Plain file /var/lib/shorewall6/proxyndp had permission 600, changed it to 640
Plain file /var/lib/shorewall6/.start had permission 700, changed it to 740

Thanks,
--
Jeffrey Sheinberg


-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages shorewall depends on:
ii  bc                     1.06.95-2          The GNU bc arbitrary precision cal
ii  debconf [debconf-2.0]  1.5.36.1           Debian configuration management sy
ii  iproute                20100519-3         networking and traffic control too
ii  iptables               1.4.8-3            administration tools for packet fi
ii  perl-modules           5.10.1-17squeeze3  Core Perl modules

shorewall recommends no packages.

Versions of packages shorewall suggests:
ii  linux-image-2.6.39-bpo.  2.6.39-3~bpo60+1  Linux 2.6.39 for 64-bit PCs
ii  linux-image-3.2.0-0.bpo  3.2.4-1~bpo60+1   Linux 3.2 for 64-bit PCs
ii  make                     3.81-8            An utility for Directing compilati
ii  shorewall-doc            4.4.27-1          documentation for Shoreline Firewa

-- Configuration Files:
/etc/default/shorewall changed:
startup=1
SAFESTOP=1
OPTIONS=

/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/iptables.log
LOGFORMAT=SW %s:%s 
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
IPTABLES=
IP=
IPSET=
MODULESDIR=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=No
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP=2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones


-- debconf information:
  shorewall/invalid_config:
  shorewall/dont_restart:
  shorewall/major_release:


