subject:"Bug#886568\: exabgp is not able to create its command pipe"

Bug#886568: exabgp is not able to create its command pipe

2021-05-02 Thread Marco d'Itri

On May 02, Marco d'Itri  wrote:

> > Adding this to exabgp.service will take care of it.
> Do you have any plans to fix this? As far as I can see exabgp is broken 
> out of the box.
I have wasted a couple of hours today because the version currently in 
testing is broken in a different way and it crashes with Python 
tracebacks due to /run/exabgp/ != /run/.
The exabgp package is not fit to be released.

PermissionsStartOnly and all the ExecStartPre directives in the systemd 
unit must be replaced with:

User=exabgp
Group=exabgp
RuntimeDirectory=exabgp
RuntimeDirectoryMode=0750
ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.in
ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.out

This is all that is needed to securely create the pipes.

Optionally, add hardening:

ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#886568: exabgp is not able to create its command pipe

2021-05-01 Thread Marco d'Itri

On Dec 23, Marco d'Itri  wrote:

> Adding this to exabgp.service will take care of it.
Do you have any plans to fix this? As far as I can see exabgp is broken 
out of the box.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#886568: exabgp is not able to create its command pipe

2019-12-22 Thread Marco d'Itri

On Jan 07, Alfredo Sola  wrote:

> exabgp does not create its pipeby default. These commands need to be 
> run as root before exabgp can start correctly:
Adding this to exabgp.service will take care of it.
I also added some hardening.
AmbientCapabilities and CapabilityBoundingSet are not needed unless 
exabgp needs to be listening on port 179.

[Service]
User=exabgp
Group=exabgp
#AmbientCapabilities=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
RuntimeDirectory=exabgp
RuntimeDirectoryMode=0750
ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.in
ExecStartPre=-/usr/bin/mkfifo /run/exabgp/exabgp.out
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#886568: exabgp is not able to create its command pipe

2018-01-07 Thread Alfredo Sola

Package: exabgp
Version: 3.4.17-3
Severity: normal

Dear Maintainer,

exabgp does not create its pipeby default. These commands need to be run as 
root before exabgp can start correctly:
mkdir /run/exabgp && chown exabgp /run/exabgp

After that, service starts:
service exabgp start

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exabgp depends on:
ii  adduser   3.115
ii  debconf   1.5.61
ii  dpkg  1.18.24
ii  lsb-base  9.20161125
ii  python2.7.13-2
ii  python-pkg-resources  33.1.1-1
ii  ucf   3.0036

exabgp recommends no packages.

exabgp suggests no packages.

-- Configuration Files:
/etc/init.d/exabgp changed:
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="BGP route injector"
NAME=exabgp
CONFIG="/etc/exabgp/exabgp.conf"
DAEMON=/usr/sbin/exabgp
DAEMON_OPTS="--folder /etc/exabgp $CONFIG"
PIDFILE=/run/$NAME/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
[ -x $DAEMON ] || exit 0
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
. /lib/init/vars.sh
. /lib/lsb/init-functions
[ -f "$CONFIG" ] || exit 0
RUNDIR=$(dirname ${PIDFILE})
[ ! -d ${RUNDIR} ] && mkdir -p ${RUNDIR} && chown exabgp:exabgp ${RUNDIR}
do_start()
{
# Return
#   0 if daemon has been started
#   1 if daemon was already running
#   2 if daemon could not be started
# We create the PID file and we do background thanks to 
start-stop-daemon
start-stop-daemon --start --quiet --pidfile $PIDFILE -b -m --exec 
$DAEMON -- $DAEMON_OPTS
return $?
}
do_stop()
{
# Return
#   0 if daemon has been stopped
#   1 if daemon was already stopped
#   2 if daemon could not be stopped
#   other if a failure occurred
start-stop-daemon --stop --quiet --signal TERM --pidfile $PIDFILE
RETVAL="$?"
sleep 1
# clean stale PID file
rm $PIDFILE 2> /dev/null
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently.  A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec 
$DAEMON
[ "$?" = 2 ] && return 2
sleep 1
return "$RETVAL"
}
do_reload() {
start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE
return 0
}
do_force_reload() {
start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE
return 0
}
case "$1" in
  start)
start-stop-daemon --status --quiet --pidfile $PIDFILE
retval=$?
if [ $retval -eq 0 ] ; then
log_warning_msg "$NAME is already running"
log_end_msg 1
else
log_daemon_msg "Starting $DESC" "$NAME "
do_start
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
fi
;;
  stop)
log_daemon_msg "Stopping $DESC" "$NAME "
do_stop
case "$?" in
0) log_end_msg 0 ;;
1|2) log_end_msg 1 ;;
esac
;;
  status)
status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
;;
  reload)
log_daemon_msg "Reloading $DESC" "$NAME "
do_reload
log_end_msg $?
;;
  force-reload)
log_daemon_msg "Reloading $DESC (and subprocesses)" "$NAME "
do_force_reload
log_end_msg $?
;;
  restart)
log_daemon_msg "Restarting $DESC" "$NAME "
do_stop
case "$?" in
  0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
  *)
# Failed to stop
log_end_msg 1
;;
esac
;;
  *)
log_warning_msg "Usage: $SCRIPTNAME 
{start|stop|restart|reload|force-reload|status}"
log_end_msg 3
exit 3
;;
esac
exit 0


-- no debconf information

Bug#886568: exabgp is not able to create its command pipe

Bug#886568: exabgp is not able to create its command pipe

Bug#886568: exabgp is not able to create its command pipe

Bug#886568: exabgp is not able to create its command pipe

4 matches

Site Navigation

Mail list logo

Footer information