Re: [Fwknop-discuss] Could not open digest cache
From: Stephen I. <xky...@sn...> - 2016-10-10 14:40:08
On Mon, 10 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:

> On Sun, Oct 9, 2016 at 10:34 PM, Stephen Isard <xky...@sn...> wrote:
>
>> On Sun, 9 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop| wrote:
>> ...
>>> Ok, that is useful information. It sounds like fwknopd is not exiting
>>> after calling fork() when running the command. Is it possible that the
>>> script you are running is getting held up on something? Like expecting
>>> a password via sudo or something like this?

You are probably onto this already, but I followed up your suggestion by
putting fwknopd in the foreground and running

    fwknop -n testcommand -a 127.0.0.1 -C cat

I get

    [127.0.0.1] (stanza #2) Processing SPA Command message: command='cat'.
    [127.0.0.1] (stanza #2) setuid/setgid user/group to fakeuser/fakeuser (UID=495,GID=490) before running command.
    [+] add_argv() + arg: cat
    run_extcmd() (with execvpe()): running CMD: cat

fwknopd then just hangs and there is no further output in response to any
fwknop commands of any sort.

This might be an argument in favor of making ENABLE_CMD_SUDO_EXEC and
friends mandatory, or at least the default, so that the server can be
configured to restrict the commands that the user can attempt. (The EPEL
repository that supplies fwknop for RHEL/CentOS/SL 6 is still on fwknop
2.6.5, and ENABLE_CMD_SUDO_EXEC isn't available in that version, but they
will probably catch up eventually.)

I've seen a reference to CMD_REGEX in an Ubuntu man page on the web for
fwknop-server_1.9.12-3, but it appears to have dropped out of more recent
versions. That would have the advantage of keeping all configuration within
fwknop(d) itself, rather than spreading some of it to /etc/sudoers.

Stephen Isard
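The hang reported in the message above is the generic failure mode of a synchronous fork/exec command runner: cat with no arguments reads its standard input until EOF, so a child that inherits an open stdin never exits, and a parent that waits on it blocks for good. The C program below is an added example and is not fwknopd's run_extcmd() or any other fwknop code; it shows the two guards a command runner needs before any policy on which commands are allowed is layered on top: stdin redirected from /dev/null, and a hard deadline after which the child is killed and reaped. The command names (cat, sleep), the 50 ms poll interval and the RUN_ERR_* return codes are assumptions chosen for the example, and the setuid/setgid step the log shows is deliberately left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Return codes for run_cmd_guarded() (assumed values for this example). */
#define RUN_ERR_FORK    -1
#define RUN_ERR_TIMEOUT -2
#define RUN_ERR_SIGNAL  -3

/*
 * Run argv[0] (PATH-searched, like execvpe() in the fwknopd log) with its
 * standard input redirected from /dev/null, and kill it if it is still
 * running after timeout_sec seconds.  Returns the child's exit status on a
 * normal exit, RUN_ERR_TIMEOUT if the deadline was hit, RUN_ERR_SIGNAL if
 * the child died from some other signal, RUN_ERR_FORK on fork()/wait errors.
 * An exec failure is reported by the child as exit status 127.
 */
int run_cmd_guarded(char *const argv[], int timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_ERR_FORK;

    if (pid == 0) {
        /* Child: never let the command inherit the server's stdin, so a
         * command like "cat" sees EOF at once instead of blocking. */
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull < 0 || dup2(devnull, STDIN_FILENO) < 0)
            _exit(127);
        if (devnull != STDIN_FILENO)
            close(devnull);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }

    /* Parent: poll with WNOHANG so a runaway child cannot block us. */
    time_t deadline = time(NULL) + timeout_sec;
    struct timespec tick = { 0, 50L * 1000L * 1000L };   /* 50 ms */
    int status = 0;
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0 && errno != EINTR)
            return RUN_ERR_FORK;
        if (time(NULL) >= deadline) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);   /* reap so no zombie is left behind */
            return RUN_ERR_TIMEOUT;
        }
        nanosleep(&tick, NULL);
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return RUN_ERR_SIGNAL;
}

int main(void)
{
    char *cat_argv[]   = { "cat", NULL };
    char *sleep_argv[] = { "sleep", "30", NULL };

    /* With stdin from /dev/null, cat hits EOF immediately and exits 0. */
    printf("cat   -> %d\n", run_cmd_guarded(cat_argv, 5));
    /* A long-running command is killed at the one-second deadline. */
    printf("sleep -> %d\n", run_cmd_guarded(sleep_argv, 1));
    return 0;
}
```

Running it as an unprivileged user prints 0 for cat and RUN_ERR_TIMEOUT (-2) for sleep. Neither guard is a substitute for restricting which commands a client may request at all, which is the ENABLE_CMD_SUDO_EXEC direction the post argues for; they only make sure that a permitted but misbehaving command cannot take the server down with it.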