#12 Running fwbuilder as root hardcodes batch install user

closed-fixed
None
1
2010-03-10
2009-12-03
No

If you run fwbuilder as root, and attempt to do a batch install, fwbuilder hard-codes the remote username to root instead of the username that you enter in the dialog box.

Version:
fwbuilder-3.0.7-b1516.el53
libfwbuilder-3.0.7-b1516.el53

OS: CentOS 5.x, iptables

Discussion

  • Vadim Kurland

    Vadim Kurland - 2009-12-07
    • assigned_to: nobody --> vkurland
     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    I can't reproduce this. Please provide more details. How exactly do you run the installer? Please run installer in verbose mode and send the output that appears in the installer dialog to me. You should see the actual command it runs to copy the script to the firewall. In this command, the user name it uses should be visible.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    My test firewall file.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    Output for a verbose install.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    I've attached a test FWB file that I used to reproduce this issue. The file contains two firewalls based on the "host fw template 1", with the only changes being their dynamic interfaces are marked as the management interface, and the alternate contact address is set to their IP address.

    To load the FWB file, I run the command "sudo fwbuilder", then go click on Open, and load my test.fwb file.

    To perform my install, I use the following steps:
    1) Right-click on a firewall name and click on Install.
    2) Check the "Perform batch install" checkbox and check the other firewall's compile and install checkboxes.
    3) Click Next twice.
    4) Set the username to "jeremy" and the password to that user's password and check Verbose, then click "OK".
    5) The output from the verbose command is in the attached file output.txt

    More details on the CentOS 5.4 boxes I'm testing on:

    FWBuilder RPMs installed:
    fwbuilder-3.0.7-b1516.el53.i386.rpm
    libfwbuilder-3.0.7-b1516.el53.i386.rpm

    Rule in sudoers for the jeremy user:
    jeremy ALL=(ALL) ALL

    Muell64 is running CentOS 5.4 x86_64
    Muell32 is running CentOS 5.4 i386

    Both boxes have the same errors.

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    Thank you for the information. Could you please also attach a screenshot of the dialog where you entered the user name for the installer to use.

    As a side note I would like to point out that running the fwbuilder GUI as root is not recommended. There is no reason to do that, especially since you use a regular user account to actually install the generated policy.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    I've added a screenshot of the Install Options screen right before I hit OK.

    As for fwbuilder as root, it's not our intention to run it as root; we like using normal users. It's just a temporary workaround for an error we're having in our production version of our FWB file. As soon as we can finish tracking the error down (and have a reliable reproduction case), we'll be moving back to using non-root users for all fwbuilder usage.

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    I tracked down this problem; it is fixed in the next major release, v4.0. Given that it appears in a rare situation and there is a recommended workaround, I am inclined to avoid back-porting the fix. Please let me know if this is urgent and critical, I'll fix it in v3.0.8 then. Otherwise, testing packages of v4.0 are available on the nightly builds site at

    http://www.fwbuilder.org/nightly_builds/fwbuilder-3.1/

    (the version is v3.1 for the period of internal testing, it will change to v4.0 when the program reaches public beta)

    I'll generate the packages for the latest build of 3.1 tonight, including CentOS 5.x

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    Thanks for tracking this down. I don't think that it's urgent enough to be in v3.0.8, being fixed in v4.0 will be great. I'll try the nightly build tomorrow and verify if it fixes the issue for us.

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    Thank you, I appreciate it. It would be great if you could try the new version. Actually I started the build process, the packages for CentOS should be on the server momentarily.

    The data file will be upgraded when you load it in the new version and won't be usable with the old version, so please make a backup copy before you try it.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    I just tried the RPMs from build 2049 and am getting the same error. Here is the list of the RPMs and their MD5sums that I tried:

    09b0fd5ddf6795e55eccf89775156811 fwbuilder-3.1.0-b2049.el5.i386.rpm
    fd346b5ab0ec2a996abbe993db19ffb0 libfwbuilder-3.1.0-b2049.el5.i386.rpm

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    Weird, I tested this scenario with v3.1 and it worked. Let me try this CentOS build.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    Here's the output log for the command. The options screen is the same as I've already posted:

    Summary:
    * firewall name : muell32
    * user name :
    * management address : 10.99.120.109
    * platform : iptables
    * host OS : linux24
    * Loading configuration from file /home/jeremy/test.fwb

    Installation plan:
    Copy file: /home/jeremy/muell32.fw --> /etc/muell32.fw
    Run script
    echo '--**--**--';
    chmod +x /etc/muell32.fw;
    sudo -S /etc/muell32.fw && ( which pkill > /dev/null && sudo -S pkill shutdown; echo 'Policy activated' )

    Copying /home/jeremy/muell32.fw -> 10.99.120.109:/etc/muell32.fw
    Running command '/usr//bin/fwbuilder -Y -q /home/jeremy/muell32.fw 10.99.120.109:/etc/muell32.fw'
    root@10.99.120.109's password:
    root@10.99.120.109's password:
    root@10.99.120.109's password:
    lost connection
    SSH session terminated, exit status: 1

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    Oh, yes. I got fooled by my test data set. My firewall objects have a user name configured in the "Installer" tab of the firewall object dialog, and the batch installer used that.

    The problem manifests itself if the user name is not configured in the firewall object settings. I'll fix in 3.1.
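
Added example, not part of the original thread or of fwbuilder's code: a check over the installer's verbose output that flags an install whose summary or SSH password prompt shows an account other than the one entered in the dialog. The sample log is constructed from the output quoted above; the function name `audit_install_log` and the finding format are assumptions of this example.

```python
import re

# Constructed sample, cut down from the verbose output quoted in the thread.
SAMPLE_LOG = """\
Summary:
* firewall name : muell32
* user name :
* management address : 10.99.120.109
Copying /home/jeremy/muell32.fw -> 10.99.120.109:/etc/muell32.fw
root@10.99.120.109's password:
root@10.99.120.109's password:
lost connection
SSH session terminated, exit status: 1
"""

SUMMARY_FW = re.compile(r"^\s*\*\s*firewall name\s*:\s*(\S+)")
SUMMARY_USER = re.compile(r"^\s*\*\s*user name\s*:\s*(.*?)\s*$")
SSH_PROMPT = re.compile(r"^\s*(\S+?)@(\S+?)'s password:")


def audit_install_log(log_text, expected_user):
    """Return (firewall, source, user) tuples where user != expected_user."""
    findings = []
    firewall = None
    for line in log_text.splitlines():
        m = SUMMARY_FW.match(line)
        if m:
            firewall = m.group(1)
            continue
        m = SUMMARY_USER.match(line)
        if m:
            # An empty field means the installer had no user name for this
            # firewall, the condition under which the bug appeared.
            if m.group(1) != expected_user:
                findings.append((firewall, "summary", m.group(1) or "<empty>"))
            continue
        m = SSH_PROMPT.match(line)
        if m and m.group(1) != expected_user:
            finding = (firewall, "ssh-prompt", m.group(1))
            if finding not in findings:  # the prompt repeats on every retry
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for fw, source, user in audit_install_log(SAMPLE_LOG, "jeremy"):
        print(f"{fw}: {source} shows user {user!r}, expected 'jeremy'")
```
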

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-07

    I didn't even think about the firewall object config; we don't set the user there since it could be any of a number of users that are compiling / installing a firewall.

    Thanks for your help on this!

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-07

    I have a fix in 3.1 build 2051. Build process has started.

     
  • Jeremy Mueller

    Jeremy Mueller - 2009-12-08

    I tested build 2054 and this worked great.

    Thanks!

     
  • Vadim Kurland

    Vadim Kurland - 2009-12-08
    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • Vadim Kurland

    Vadim Kurland - 2010-03-10
    • status: open-fixed --> closed-fixed
     
