sshguard-users

[SSHGuard-users] Latest update check

[Jos C. <tri...@cl...>]

After the update of sshguard, I noticed this while running

# pkg check -Bdsr

(sshguard-2.4.3,1) /usr/local/libexec/sshg-blocker - required shared 
library libcap_net.so.1 not found
(sshguard-2.4.3,1) /usr/local/libexec/sshg-fw-hosts - required shared 
library libcap_net.so.1 not found
(sshguard-2.4.3,1) /usr/local/libexec/sshg-parser - required shared 
library libcap_net.so.1 not found

Can you tell me if this is just due to the upgrade or should these 
libraries have been updated during that upgrade?

Best, Jos


-- With both feed on the ground you can never make a step forward

Re: [SSHGuard-users] Latest update check

[Kevin Z. <kev...@gm...>]

Hi Jos.

On 11/8/23 7:07 AM, Jos Chrispijn via sshguard-users wrote:
> After the update of sshguard, I noticed this while running
> 
> # pkg check -Bdsr
> 
> (sshguard-2.4.3,1) /usr/local/libexec/sshg-blocker - required shared 
> library libcap_net.so.1 not found
> (sshguard-2.4.3,1) /usr/local/libexec/sshg-fw-hosts - required shared 
> library libcap_net.so.1 not found
> (sshguard-2.4.3,1) /usr/local/libexec/sshg-parser - required shared 
> library libcap_net.so.1 not found
> 
> Can you tell me if this is just due to the upgrade or should these 
> libraries have been updated during that upgrade?

Thanks for the report. This looks like a FreeBSD-specific issue related 
to the latest release, which updated the Capsicum-sandboxed DNS lookup 
to use libcasper.

I've managed to reproduce the issue and will be investigating.

libcap_net.so.1 is typically provided by the base system, located e.g. 
at /lib/casper/libcap_net.so.1

Regards,
Kevin

Re: [SSHGuard-users] Latest update check

[Jos C. <tri...@cl...>]

Hi Kevin,
> Thanks for the report. This looks like a FreeBSD-specific issue 
> related to the latest release, which updated the Capsicum-sandboxed 
> DNS lookup to use libcasper.
>
> I've managed to reproduce the issue and will be investigating.
> libcap_net.so.1 is typically provided by the base system, located e.g. 
> at /lib/casper/libcap_net.so.1

Next week I will upgrade FreeBSD to v14-p5
Might be that the libcap is added. Can you add it in the next sshguard 
version or should I report this to BSD maintainer(s)?

Thanks
Jos

-- With both feed on the ground you can never make a step forward

Re: [SSHGuard-users] Latest update check

[Kevin Z. <kev...@gm...>]

Hi Jos,

On 11/11/23 12:43 PM, Jos Chrispijn wrote:
>> I've managed to reproduce the issue and will be investigating.
>> libcap_net.so.1 is typically provided by the base system, located e.g. 
>> at /lib/casper/libcap_net.so.1
> 
> Next week I will upgrade FreeBSD to v14-p5
> Might be that the libcap is added. Can you add it in the next sshguard 
> version or should I report this to BSD maintainer(s)?

I'm still troubleshooting the issue. As I mentioned, I'm a bit confused 
why pkg is reporting this as an issue since libcap_net is part of the 
FreeBSD base system.

As long as SSHGuard appears to be working with you, I don't think this 
issue is very serious. You can double check that you have libcap_net 
located at that path, which you probably do because it's part of the 
base system.

I'll let you know what I find.

Regards,
Kevin

Re: [SSHGuard-users] Latest update check

[Jos C. <tri...@cl...>]

Kevin Zheng:
> I'm still troubleshooting the issue. As I mentioned, I'm a bit 
> confused why pkg is reporting this as an issue since libcap_net is 
> part of the FreeBSD base system.
>
> As long as SSHGuard appears to be working with you, I don't think this 
> issue is very serious. You can double check that you have libcap_net 
> located at that path, which you probably do because it's part of the 
> base system.

As far as I can check SSHGuard works ok.
Just checked FreeBSD 13.2-RELEASE-p4 and found the following casper 
related files:

/lib/casper
/lib/casper/libcap_dns.so.2
/lib/casper/libcap_fileargs.so.1
/lib/casper/libcap_grp.so.1
/lib/casper/libcap_net.so.1
/lib/casper/libcap_pwd.so.1
/lib/casper/libcap_sysctl.so.2
/lib/casper/libcap_syslog.so.1
/lib/libcasper.so.1

/usr/include/casper
/usr/include/casper/cap_dns.h
/usr/include/casper/cap_fileargs.h
/usr/include/casper/cap_grp.h
/usr/include/casper/cap_net.h
/usr/include/casper/cap_pwd.h
/usr/include/casper/cap_sysctl.h
/usr/include/casper/cap_syslog.h
/usr/include/libcasper.h
/usr/include/libcasper_service.h

/usr/lib/libcasper.so

/usr/local/lib/perl5/site_perl/mach/5.36/libcasper.ph
/usr/local/lib/perl5/site_perl/mach/5.36/libcasper_service.ph

/usr/share/man/man3/caph_enter_casper.3.gz
/usr/share/man/man3/libcasper.3.gz
/usr/share/man/man3/libcasper_service.3.gz

/usr/tests/lib/libcasper
/usr/tests/lib/libcasper/services
/usr/tests/lib/libcasper/services/cap_dns
/usr/tests/lib/libcasper/services/cap_grp
/usr/tests/lib/libcasper/services/cap_pwd
/usr/tests/lib/libcasper/services/cap_sysctl

Best, Jos

-- With both feed on the ground you can never make a step forward