Bug#661844: please respect sys admin set perms in /var/lib/shorewall

On Sat, Apr 21, 2012 at 08:28:19PM -0400, Roberto C. Sánchez wrote:
> These files are regenerated every time Shorewall is started/restarted.
> The only way to achieve the behavior you describe is to change the
> umask prior to starting/restarting Shorewall.  Because this is external
> to Shorewall, I am closing this report.

Hi Roberto,

This is a shorewall problem - the files are being regenerated, this is the
problem.  The files in question should simply be truncated when opened.
This is normal behavior of most unix programs, unless they have a good
reason to do otherwise.

From the open(2) man page,

    O_TRUNC
        If the file already exists and is a regular file and the open
        mode allows writing (i.e., is O_RDWR or O_WRONLY) it will be
        truncated to length 0.  If the file is a FIFO or terminal
        device file, the O_TRUNC flag is ignored.  Otherwise the effect
        of O_TRUNC is unspecified.

    creat() is equivalent to open() with flags equal to
    O_CREAT|O_WRONLY|O_TRUNC.

Using the shell, it works like this,

    $ umask 0022
    $ touch aa
    $ ls -l aa
    -rw-r--r-- 1 jeff jeff 0 Apr 22 17:05 aa
    $ umask 777
    $ : > aa
    $ ls -l aa
    -rw-r--r-- 1 jeff jeff 0 Apr 22 17:06 aa
    $ touch bb
    $ ls -l bb
    ---------- 1 jeff jeff 0 Apr 22 17:06 bb
    $ umask 022

For open(2), the umask has no effect unless the file being created did not
originally exist.  This means that shorewall is deleting these files, then
creating them, rather than just opening with O_CREAT|O_WRONLY|O_TRUNC
flags.  This is a bug in shorewall.  Please re-open.

Thanks,
--
Jeffrey Sheinberg

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#661844: please respect sys admin set perms in /var/lib/shorewall

On Sun, Apr 22, 2012 at 05:21:53PM -0400, Jeffrey Sheinberg wrote:
> On Sat, Apr 21, 2012 at 08:28:19PM -0400, Roberto C. Sánchez wrote:
> > These files are regenerated every time Shorewall is started/restarted.
> > The only way to achieve the behavior you describe is to change the
> > umask prior to starting/restarting Shorewall.  Because this is
> > external to Shorewall, I am closing this report.
>
> Hi Roberto,
>
> This is a shorewall problem - the files are being regenerated, this is
> the problem.  The files in question should simply be truncated when
> opened.  This is normal behavior of most unix programs, unless they
> have a good reason to do otherwise.

Except that would result in wiping out known good configurations before
it is known that the new configuration is good (in the case of a restart).
This would not be acceptable, as it could eliminate the administrator's
capability to safely restart.  What Shorewall does is to create the new
files under temporary names and, on successful completion, remove the old
file and move the new file into place.  Truncation would not work in that
case.

I recommend that you look at placing any 'chmod' commands that you require
into /etc/shorewall/started.  Please see
http://shorewall.net/shorewall_extension_scripts.htm for additional
information.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
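The two messages above disagree about how the files in /var/lib/shorewall get rewritten, and the following C program (an added example, not code from this thread or from Shorewall) demonstrates both behaviours side by side: an in-place O_TRUNC rewrite keeps an administrator's chmod, a temp-file-plus-rename replacement hands the mode to the umask, and a rename-based replacement that copies the old mode onto the temp file first keeps both the atomic swap and the administrator's permissions. The function names write_truncate, write_rename and demo, the "path.new" temp-file naming and the files under /tmp are my own constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite in place: O_TRUNC on an existing file leaves its mode bits alone. */
static int write_truncate(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write(fd, data, strlen(data)) < 0 ? -1 : 0;
    close(fd);
    return rc;
}

/* Temp file beside the target, then rename() into place: the atomic
 * replacement the maintainer describes.  The kernel gives it 0666 & ~umask,
 * so the admin's chmod is lost unless preserve != 0 copies the old mode. */
static int write_rename(const char *path, const char *data, int preserve) {
    char tmp[4096];
    struct stat st;
    snprintf(tmp, sizeof tmp, "%s.new", path);   /* assumed temp-name scheme */
    unlink(tmp);                                 /* stale copy from a crash */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    if ((preserve && stat(path, &st) == 0 && fchmod(fd, st.st_mode & 07777))
        || write(fd, data, strlen(data)) < 0 || fsync(fd)) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    return rename(tmp, path);
}

/* Constructed scenario: under umask 077 an admin chmods the file to 0640 and
 * the firewall then rewrites it with strategy 0 (truncate), 1 (rename) or
 * 2 (rename preserving the mode).  Returns the resulting permission bits. */
static int demo(const char *path, int strategy) {
    struct stat st;
    umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(path, 0640)) return -1;            /* the administrator's choice */
    int rc = strategy == 0 ? write_truncate(path, "v2\n")
                           : write_rename(path, "v2\n", strategy == 2);
    int mode = (rc == 0 && stat(path, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    unlink(path);
    return mode;
}
```

Only strategy 1 reproduces the complaint in this bug (the file comes back as 0600); strategy 2 shows that the maintainer's crash-safe replacement and the reporter's permission requirement are not actually in conflict.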
Bug#661844: please respect sys admin set perms in /var/lib/shorewall

On Thu, Mar 01, 2012 at 03:09:14PM -0500, Jeffrey Sheinberg wrote:
> Plain file /var/lib/shorewall/.restart had permission 700, changed it to 740
> Plain file /var/lib/shorewall/nat had permission 600, changed it to 640
> Plain file /var/lib/shorewall/.start had permission 700, changed it to 740
> Plain file /var/lib/shorewall/proxyarp had permission 600, changed it to 640
> Plain file /var/lib/shorewall6/proxyndp had permission 600, changed it to 640
> Plain file /var/lib/shorewall6/.start had permission 700, changed it to 740

Those files are created or re-created each time that Shorewall runs.
Perhaps you can achieve your objective by setting the permissions you want
on the directories /var/lib/shorewall and /var/lib/shorewall6.  Another
possibility would be to adjust the umask of the shell or script from which
you run Shorewall.  One other possibility would be to submit a patch
upstream that allows the admin to specify the desired permissions in
Shorewall's configuration, and then it can set its own umask appropriately.

Regards,

-Roberto

P.S. My apologies for the delay in responding.  I somehow overlooked that
this bug had even been filed and only noticed it last night.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#661844: please respect sys admin set perms in /var/lib/shorewall

Package: shorewall
Version: 4.4.27.3-1
Severity: normal

Hi,

Please respect the sys admin set perms for the files in /var/lib/shorewall.
I set these perms so that they satisfy my own security requirements by
using cfengine.  I maintain that it is not appropriate for shorewall to
change them whenever it runs, other than on initial install or re-install.

Plain file /var/lib/shorewall/.restart had permission 700, changed it to 740
Plain file /var/lib/shorewall/nat had permission 600, changed it to 640
Plain file /var/lib/shorewall/.start had permission 700, changed it to 740
Plain file /var/lib/shorewall/proxyarp had permission 600, changed it to 640
Plain file /var/lib/shorewall6/proxyndp had permission 600, changed it to 640
Plain file /var/lib/shorewall6/.start had permission 700, changed it to 740

Thanks,
--
Jeffrey Sheinberg

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages shorewall depends on:
ii  bc                     1.06.95-2          The GNU bc arbitrary precision cal
ii  debconf [debconf-2.0]  1.5.36.1           Debian configuration management sy
ii  iproute                20100519-3         networking and traffic control too
ii  iptables               1.4.8-3            administration tools for packet fi
ii  perl-modules           5.10.1-17squeeze3  Core Perl modules

shorewall recommends no packages.

Versions of packages shorewall suggests:
ii  linux-image-2.6.39-bpo.  2.6.39-3~bpo60+1  Linux 2.6.39 for 64-bit PCs
ii  linux-image-3.2.0-0.bpo  3.2.4-1~bpo60+1   Linux 3.2 for 64-bit PCs
ii  make                     3.81-8            An utility for Directing compilati
ii  shorewall-doc            4.4.27-1          documentation for Shoreline Firewa

-- Configuration Files:
/etc/default/shorewall changed:
startup=1
SAFESTOP=1
OPTIONS=

/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/iptables.log
LOGFORMAT=SW %s:%s
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
IPTABLES=
IP=
IPSET=
MODULESDIR=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=No
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP=2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones

-- debconf information:
  shorewall/invalid_config:
  shorewall/dont_restart:
  shorewall/major_release: