knockd can't use ufw
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
knockd (Debian) | Fix Released | Unknown | |
knockd (Ubuntu) | Fix Released | Medium | Dan Streetman |
Bionic | Fix Released | Medium | Dan Streetman |
Cosmic | Fix Released | Medium | Dan Streetman |
Disco | Fix Released | Medium | Dan Streetman |
Eoan | Fix Released | Medium | Dan Streetman |
Bug Description
[impact]
Any knockd configuration rule that calls ufw fails, because every ufw change updates the ufw configuration files under /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full, which leaves /etc read-only for the service.
[test case]
On a bionic or later system, install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>).
Trigger the rule by using 'knock' to send the rule's knock sequence, and watch /var/log/syslog to verify that the knock sequence packets were received and the rule triggered. The log will show:
Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/
[regression potential]
Low: this only gives knockd read/write access to files under /etc/.
[other info]
The /etc/ufw/ permissions should be added to knockd's service file because knockd's use case is almost always to modify the system's firewall after a successful knock sequence, either by calling iptables directly or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed for it; ufw, however, always makes persistent changes.
Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-
The fix of relaxing ProtectSystem down to 'true' instead of 'full' addresses both use cases.
Changed in knockd (Ubuntu Disco): assignee: nobody → Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Cosmic): assignee: nobody → Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Bionic): assignee: nobody → Dan Streetman (ddstreet)
Changed in knockd (Ubuntu Bionic): importance: Undecided → Medium
Changed in knockd (Ubuntu Cosmic): importance: Undecided → Medium
Changed in knockd (Ubuntu Disco): importance: Undecided → Medium
Changed in knockd (Ubuntu Bionic): status: New → In Progress
Changed in knockd (Ubuntu Cosmic): status: New → In Progress
Changed in knockd (Ubuntu Disco): status: New → In Progress
no longer affects: knockd (Ubuntu Ee-series)
tags: added: patch
Changed in knockd (Debian): status: Unknown → New
Changed in knockd (Debian): status: New → Fix Released
Two possible fixes for this are 1) to add ReadWritePaths= -/etc/ufw to the knockd.service, or 2) change the knockd.service from ProtectSystem=full to ProtectSystem=true. Relaxing the ProtectSystem might actually be the best approach since the only change between 'full' and 'true' is allowing r/w access to /etc.
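The two fixes weighed above (ProtectSystem=true versus ReadWritePaths= -/etc/ufw) can be checked before deploying a unit. The POSIX shell script below is an added example, not knockd's or Ubuntu's own code; it assumes the ProtectSystem= semantics documented in systemd.exec(5) and works on constructed unit fragments rather than the real knockd.service.

```shell
#!/bin/sh
# Audit helper for this bug: can a service write under a path, given its unit's
# ProtectSystem= / ReadWritePaths= settings?  Semantics from systemd.exec(5):
# true|yes -> /usr,/boot,/efi read-only; full -> also /etc; strict -> whole
# tree read-only except /dev,/proc,/sys; ReadWritePaths= re-enables writes
# (a "-" prefix only means "ignore if the path is missing").

# Print the effective ProtectSystem= value (last assignment in the file wins).
protect_system_value() {
    sed -n 's/^[[:space:]]*ProtectSystem=[[:space:]]*//p' "$1" | tail -n 1
}

# Exit 0 if unit file $1 permits writes to path $2, 1 if the sandbox blocks them.
unit_allows_write() {
    unit=$1; target=$2
    # ReadWritePaths= punches holes through ProtectSystem=, so check it first.
    for rw in $(sed -n 's/^[[:space:]]*ReadWritePaths=//p' "$unit"); do
        rw=${rw#-}
        case "$target" in "$rw"|"$rw"/*) return 0 ;; esac
    done
    case "$(protect_system_value "$unit")" in
        strict) return 1 ;;
        full) case "$target" in
                  /etc|/etc/*|/usr|/usr/*|/boot|/boot/*|/efi|/efi/*) return 1 ;;
              esac ;;
        true|yes) case "$target" in
                  /usr|/usr/*|/boot|/boot/*|/efi|/efi/*) return 1 ;;
              esac ;;
    esac
    return 0
}

# Constructed unit fragments (not the real knockd.service) written into dir $1:
# the shipped setting and the two fixes discussed in the bug.
write_sample_units() {
    printf '[Service]\nProtectSystem=full\n' > "$1/shipped.service"
    printf '[Service]\nProtectSystem=full\nReadWritePaths= -/etc/ufw\n' > "$1/fix1.service"
    printf '[Service]\nProtectSystem=true\n' > "$1/fix2.service"
}

# Stand-alone demo (./check.sh --demo): which variants let a knock rule run ufw?
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d); write_sample_units "$dir"
    for u in shipped fix1 fix2; do
        if unit_allows_write "$dir/$u.service" /etc/ufw/user.rules
        then echo "$u: ufw may write /etc/ufw/user.rules"
        else echo "$u: /etc/ufw read-only, the ufw call would fail as in the bug"
        fi
    done
    rm -rf "$dir"
fi
```

The checker reads only the unit text; on a live system, `systemctl show -p ProtectSystem -p ReadWritePaths knockd` gives the values actually in effect after drop-ins.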