Re: [Fwknop-discuss] Could not open digest cache
From: Stephen I. <xky...@sn...> - 2016-10-10 02:34:17
On Sun, 9 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
...
> Ok, that is useful information. It sounds like fwknopd is not exiting after
> calling fork() when running the command. Is it possible that the script you
> are running is getting held up on something? Like expecting a password via
> sudo or something like this?

Maybe something on those lines, but I don't think that either the script or sudo is involved. I'm not calling sudo for the "bad" command, and the user doesn't have permission to run the script without sudo. If I run

    sudo -u fakeuser testscript

either as myself or as root, I get

    sudo: unable to execute testscript: Permission denied

so I imagine that that is essentially what happens when fwknopd tries to run the script. The script is in /usr/sbin, owned by root.root, with permissions 0500.

> By default, under autoconf, fwknopd looks for execvpe() and uses it to
> execute all sub-commands so that it doesn't have to use the shell
> environment. But, if execvpe() is not available for some strange reason, it
> punts and just uses system() for this. If system() is used, then the child
> doesn't call exit() until after system(), so if the command that is
> executed is really long running, then there would be two fwknopd processes
> along with the command that is being executed. On the other hand, if
> execvpe() is used, then there should only be one fwknopd process even if
> the command hangs. At least, this is what appears to happen during my
> testing.
>
> If you run fwknopd in the foreground in --verbose --verbose mode, then it
> should produce output that shows which style of execution is being used.
> For example - this is for the system() type of execution:
>
> # fwknopd -i lo --foreground --verbose --verbose
>
> [127.0.0.1] (stanza #1) setuid/setgid user/group to nobody/nobody
> (UID=65534,GID=65534) before running command.
> > run_extcmd() (without execvpe()): running CMD: /tmp/test.sh
> > run_extcmd(): returning 0, pid_status: 0
> > [127.0.0.1] (stanza #1) CMD_EXEC: command returned 0, pid_status: 0

With the illegal command I get

    [127.0.0.1] (stanza #2) setuid/setgid user/group to fakeuser/fakeuser (UID=495,GID=490) before running command.
    [+] add_argv() + arg: testscript
    run_extcmd() (with execvpe()): running CMD: testscript
    run_extcmd(): returning 0, pid_status: 0
    [127.0.0.1] (stanza #2) CMD_EXEC: command returned 0, pid_status: 0

and then have two fwknopd processes.

By the way, ignore the pid_status 2 for the successful command that I reported in the previous message. That was a byproduct of the fact that the patched fwknop installed itself under /usr/local. I've made a correction and now get pid_status 0 when the command succeeds.

Stephen Isard
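
Added example, not part of the original message and not fwknop's code: a minimal fork()/execvpe() wrapper showing what the child has to do when execvpe() fails with "Permission denied", the case discussed above. The names run_cmd and demo_permission_denied, the temporary file and the 126/127 exit codes (shell convention) are assumptions made for the illustration.

```c
#define _GNU_SOURCE                 /* execvpe() is a GNU extension */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototype in case feature macros were fixed by an earlier include. */
extern int execvpe(const char *file, char *const argv[], char *const envp[]);

/* Hypothetical helper: fork, exec `path`, return the child's exit status. */
int run_cmd(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };          /* empty environment, no shell */
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvpe(path, argv, envp);
        /* Reached only when exec failed. Without this _exit() the child
         * returns into the caller's code as a second copy of the daemon. */
        _exit(errno == EACCES ? 126 : 127);
    }
    if (waitpid(pid, &status, 0) < 0)       /* reap, so no zombie is left */
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed input: a script without any execute bit, so exec gives EACCES. */
int demo_permission_denied(void)
{
    char path[] = "/tmp/extcmd_demo_XXXXXX";
    int fd = mkstemp(path), rc = -1;

    if (fd < 0)
        return -1;
    if (write(fd, "#!/bin/sh\nexit 0\n", 17) == 17 && fchmod(fd, 0600) == 0)
        rc = run_cmd(path);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("child exit status: %d\n", demo_permission_denied());
    return 0;
}
```

A status of 126 from run_cmd() means the child hit EACCES and exited instead of continuing to run; `ps` should show a single parent process afterwards.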