knockd can't use ufw

Bug #1823051 reported by Dan Streetman
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
knockd (Debian)
Fix Released
Unknown
knockd (Ubuntu)
Medium
Dan Streetman
Bionic
Medium
Dan Streetman
Cosmic
Medium
Dan Streetman
Disco
Medium
Dan Streetman
Eoan
Medium
Dan Streetman

Bug Description

[impact]

any knockd configuration rules that call ufw fail because any ufw changes always update the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.

[test case]

on a bionic or later system install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>).

trigger the rule by using 'knock' to send the rule's knock sequence and observe /var/log/syslog to verify the knock sequence packets were received and the rule triggered. The log will show:

Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable

[regression potential]

low - this only gives knockd access to read/write files under /etc/

[other info]

the /etc/ufw/ permissions should be added to knockd's service file because the use case of knockd is almost always to modify the system's firewall after a successful knock sequence, either by directly calling iptables, or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed; but ufw always makes persistent changes.

Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-persistent, in which case knockd would also need r/w access to /etc/iptables/.

The fix of relaxing ProtectSystem down to 'true' instead of 'full' addresses both use cases.

Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Disco):
assignee: nobody → Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Cosmic):
assignee: nobody → Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
Changed in knockd (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in knockd (Ubuntu Disco):
importance: Undecided → Medium
Changed in knockd (Ubuntu Bionic):
status: New → In Progress
Changed in knockd (Ubuntu Cosmic):
status: New → In Progress
Changed in knockd (Ubuntu Disco):
status: New → In Progress
Revision history for this message
Dan Streetman (ddstreet) wrote :

Two possible fixes for this are 1) to add ReadWritePaths=-/etc/ufw to the knockd.service, or 2) change the knockd.service from ProtectSystem=full to ProtectSystem=true. Relaxing the ProtectSystem might actually be the best approach since the only change between 'full' and 'true' is allowing r/w access to /etc.

Dan Streetman (ddstreet)
no longer affects: knockd (Ubuntu Ee-series)
Revision history for this message
Dan Streetman (ddstreet) wrote :
description: updated
tags: added: patch
Revision history for this message
Eric Desrochers (slashd) wrote :

Sponsored in 'Eoan'

Proposal patch LGTM.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html
...
ProtectSystem=
... If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too

I don't see any debian bug against 'knockd'. Could you please make sure to forward the patch to debian as well for future sync/merge.

- Eric

Changed in knockd (Ubuntu Eoan):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package knockd - 0.7-1ubuntu3

---------------
knockd (0.7-1ubuntu3) eoan; urgency=medium

  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules
      (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed
      (LP: #1825974)

 -- Dan Streetman <email address hidden> Tue, 23 Apr 2019 06:31:56 -0400

Changed in knockd (Ubuntu Eoan):
status: Fix Committed → Fix Released
Changed in knockd (Debian):
status: Unknown → New
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dan, or anyone else affected,

Accepted knockd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/knockd/0.7-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in knockd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Dan, or anyone else affected,

Accepted knockd into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/knockd/0.7-1ubuntu1.18.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in knockd (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed-cosmic
Changed in knockd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Dan, or anyone else affected,

Accepted knockd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/knockd/0.7-1ubuntu1.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Dan Streetman (ddstreet) wrote :

disco verified using steps from test case:

ubuntu@lp1823051-d:~$ dpkg -l | grep knockd
ii knockd 0.7-1ubuntu2 amd64 small port-knock daemon

May 8 21:53:45 lp1823051-d knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 21:53:45 lp1823051-d knockd[8321]: ERROR: '/etc/ufw/user.rules' is not writable

ubuntu@lp1823051-d:~$ dpkg -l | grep knockd
ii knockd 0.7-1ubuntu2.1 amd64 small port-knock daemon

May 8 22:02:05 lp1823051-d knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 22:02:05 lp1823051-d knockd[20024]: Rules updated
May 8 22:02:05 lp1823051-d knockd[20024]: Rules updated (v6)

tags: added: verification-done-disco
removed: verification-needed-disco
Revision history for this message
Dan Streetman (ddstreet) wrote :

cosmic:

ubuntu@lp1823051-c:~$ dpkg -l |grep knockd
ii knockd 0.7-1ubuntu1.18.10.1 amd64 small port-knock daemon

May 8 22:08:05 lp1823051-c knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 22:08:06 lp1823051-c knockd[3487]: ERROR: '/etc/ufw/user.rules' is not writable

ubuntu@lp1823051-c:~$ dpkg -l |grep knockd
ii knockd 0.7-1ubuntu1.18.10.2 amd64 small port-knock daemon

May 8 22:10:23 lp1823051-c knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 22:10:23 lp1823051-c knockd[4196]: Rules updated
May 8 22:10:23 lp1823051-c knockd[4196]: Rules updated (v6)

Revision history for this message
Dan Streetman (ddstreet) wrote :

bionic:

ubuntu@lp1823051-b:~$ dpkg -l |grep knockd
ii knockd 0.7-1ubuntu1.18.04.1 amd64 small port-knock daemon

May 8 22:16:00 lp1823051-b knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 22:16:00 lp1823051-b knockd[19108]: ERROR: '/etc/ufw/user.rules' is not writable

ubuntu@lp1823051-b:~$ dpkg -l |grep knockd
ii knockd 0.7-1ubuntu1.18.04.2 amd64 small port-knock daemon

May 8 22:17:09 lp1823051-b knockd: openSSH: running command: ufw allow from any to any proto tcp port 1234
May 8 22:17:09 lp1823051-b kernel: [ 2069.534229] ip6_tables: (C) 2000-2006 Netfilter Core Team
May 8 22:17:09 lp1823051-b knockd[19771]: Rules updated
May 8 22:17:09 lp1823051-b knockd[19771]: Rules updated (v6)

tags: added: verification-done verification-done-bionic verification-done-cosmic
removed: verification-needed verification-needed-bionic verification-needed-cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package knockd - 0.7-1ubuntu2.1

---------------
knockd (0.7-1ubuntu2.1) disco; urgency=medium

  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules
      (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed
      (LP: #1825974)

 -- Dan Streetman <email address hidden> Tue, 23 Apr 2019 06:31:56 -0400

Changed in knockd (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for knockd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package knockd - 0.7-1ubuntu1.18.10.2

---------------
knockd (0.7-1ubuntu1.18.10.2) cosmic; urgency=medium

  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules
      (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed
      (LP: #1825974)

 -- Dan Streetman <email address hidden> Tue, 23 Apr 2019 06:40:46 -0400

Changed in knockd (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package knockd - 0.7-1ubuntu1.18.04.2

---------------
knockd (0.7-1ubuntu1.18.04.2) bionic; urgency=medium

  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules
      (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed
      (LP: #1825974)

 -- Dan Streetman <email address hidden> Tue, 23 Apr 2019 06:41:54 -0400

Changed in knockd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in knockd (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.