Date | Who | What changed | Old value | New value | Message
2019-04-03 16:42:03 | Dan Streetman | bug | | | added bug
2019-04-03 16:42:18 | Dan Streetman | nominated for series | | Ubuntu Ee-series |
2019-04-03 16:42:18 | Dan Streetman | bug task added | | knockd (Ubuntu Ee-series) |
2019-04-03 16:42:18 | Dan Streetman | nominated for series | | Ubuntu Bionic |
2019-04-03 16:42:18 | Dan Streetman | bug task added | | knockd (Ubuntu Bionic) |
2019-04-03 16:42:18 | Dan Streetman | nominated for series | | Ubuntu Disco |
2019-04-03 16:42:18 | Dan Streetman | bug task added | | knockd (Ubuntu Disco) |
2019-04-03 16:42:18 | Dan Streetman | nominated for series | | Ubuntu Cosmic |
2019-04-03 16:42:18 | Dan Streetman | bug task added | | knockd (Ubuntu Cosmic) |
2019-04-03 16:42:25 | Dan Streetman | knockd (Ubuntu Ee-series): assignee | | Dan Streetman (ddstreet) |
2019-04-03 16:42:26 | Dan Streetman | knockd (Ubuntu Disco): assignee | | Dan Streetman (ddstreet) |
2019-04-03 16:42:28 | Dan Streetman | knockd (Ubuntu Cosmic): assignee | | Dan Streetman (ddstreet) |
2019-04-03 16:42:32 | Dan Streetman | knockd (Ubuntu Bionic): assignee | | Dan Streetman (ddstreet) |
2019-04-03 16:42:34 | Dan Streetman | knockd (Ubuntu Bionic): importance | Undecided | Medium |
2019-04-03 16:42:35 | Dan Streetman | knockd (Ubuntu Cosmic): importance | Undecided | Medium |
2019-04-03 16:42:38 | Dan Streetman | knockd (Ubuntu Disco): importance | Undecided | Medium |
2019-04-03 16:42:39 | Dan Streetman | knockd (Ubuntu Ee-series): importance | Undecided | Medium |
2019-04-03 16:42:41 | Dan Streetman | knockd (Ubuntu Bionic): status | New | In Progress |
2019-04-03 16:42:43 | Dan Streetman | knockd (Ubuntu Cosmic): status | New | In Progress |
2019-04-03 16:42:45 | Dan Streetman | knockd (Ubuntu Disco): status | New | In Progress |
2019-04-03 16:42:47 | Dan Streetman | knockd (Ubuntu Ee-series): status | New | In Progress |
2019-04-03 20:29:39 | Dan Streetman | bug task deleted | knockd (Ubuntu Ee-series) | |
2019-04-23 10:30:50 | Dan Streetman | nominated for series | | Ubuntu Eoan |
2019-04-23 10:30:50 | Dan Streetman | bug task added | | knockd (Ubuntu Eoan) |
2019-04-23 11:21:09 | Dan Streetman | attachment added | | lp1823051-eoan.debdiff https://bugs.launchpad.net/ubuntu/+source/knockd/+bug/1823051/+attachment/5258212/+files/lp1823051-eoan.debdiff |
2019-04-23 11:23:11 |
description |
[impact]
any knockd configuration rules that call ufw fail because any ufw changes always update the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.
[test case]
on a bionic or later system install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>).
trigger the rule by using 'knock' to send the rule's knock sequence and observe /var/log/syslog to verify the knock sequence packets were received and the rule triggered. The log will show:
Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable
[regression potential]
very low - this only gives knockd access to read/write files under /etc/ufw. Any regression would be around problems with ufw's firewall rules, or possibly problems with systemd starting knockd because of the new param in the service file.
[other info]
the /etc/ufw/ permissions should be added to knockd's service file because the use case of knockd is almost always to modify the system's firewall after a successful knock sequence, either by directly calling iptables, or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed; but ufw always makes persistent changes.
Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-persistent, in which case knockd would also need r/w access to /etc/iptables/. This bug does not address that possible need. |
[impact]
any knockd configuration rules that call ufw fail because any ufw changes always update the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.
[test case]
on a bionic or later system install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>).
trigger the rule by using 'knock' to send the rule's knock sequence and observe /var/log/syslog to verify the knock sequence packets were received and the rule triggered. The log will show:
Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable
[regression potential]
low - this only gives knockd access to read/write files under /etc/
[other info]
the /etc/ufw/ permissions should be added to knockd's service file because the use case of knockd is almost always to modify the system's firewall after a successful knock sequence, either by directly calling iptables, or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed; but ufw always makes persistent changes.
Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-persistent, in which case knockd would also need r/w access to /etc/iptables/.
The fix of relaxing ProtectSystem down to 'true' instead of 'full' addresses both use cases. |
|
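As an added example (not part of the bug report, the attached debdiff or the knockd package), the service setting the description discusses, written as a systemd drop-in so the problem setting and the fix can be compared side by side. The drop-in path is the standard systemd override location and is an assumption here; the ReadWritePaths= variant at the end is a narrower option noted as an addition, not the change the bug actually shipped.

```ini
# Added example, not from the knockd package.
# Assumed path: /etc/systemd/system/knockd.service.d/override.conf
# systemd merges this on top of the packaged knockd.service unit.
[Service]

# Setting described in the bug: with ProtectSystem=full the service sees
# /usr, the boot loader directories and /etc read-only, so a knockd rule
# that runs "ufw allow ..." fails when ufw tries to rewrite its rule files:
#   ERROR: '/etc/ufw/user.rules' is not writable
#ProtectSystem=full

# The fix from the bug: 'true' keeps /usr and the boot loader read-only
# but leaves /etc writable, so rules that persist firewall state via ufw
# (/etc/ufw) or netfilter-persistent (/etc/iptables) both work.
ProtectSystem=true

# Narrower alternative (an addition here, not what the bug shipped): keep
# the full read-only view of /etc and carve out only the directories the
# knock rules need to write.
#ProtectSystem=full
#ReadWritePaths=/etc/ufw /etc/iptables
```

After writing the drop-in, `systemctl daemon-reload` and `systemctl restart knockd` apply it, and `systemctl show knockd -p ProtectSystem` confirms which value the running unit ended up with; the syslog line quoted in the test case is the quickest sign that the sandbox is still too tight.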
2019-04-23 12:27:21 | Ubuntu Foundations Team Bug Bot | tags | | patch |
2019-04-24 15:15:18 | Eric Desrochers | knockd (Ubuntu Eoan): status | In Progress | Fix Committed |
2019-04-24 15:15:23 | Eric Desrochers | bug | | | added subscriber Eric Desrochers
2019-04-24 15:29:41 | Dan Streetman | bug watch added | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927883 |
2019-04-24 15:29:41 | Dan Streetman | bug task added | | knockd (Debian) |
2019-04-24 16:15:31 | Launchpad Janitor | knockd (Ubuntu Eoan): status | Fix Committed | Fix Released |
2019-04-24 18:53:42 | Bug Watch Updater | knockd (Debian): status | Unknown | New |
2019-04-30 22:52:40 | Brian Murray | knockd (Ubuntu Disco): status | In Progress | Fix Committed |
2019-04-30 22:52:44 | Brian Murray | bug | | | added subscriber Ubuntu Stable Release Updates Team
2019-04-30 22:52:47 | Brian Murray | bug | | | added subscriber SRU Verification
2019-04-30 22:52:50 | Brian Murray | tags | patch | patch verification-needed verification-needed-disco |
2019-04-30 22:58:30 | Brian Murray | knockd (Ubuntu Cosmic): status | In Progress | Fix Committed |
2019-04-30 22:58:37 | Brian Murray | tags | patch verification-needed verification-needed-disco | patch verification-needed verification-needed-cosmic verification-needed-disco |
2019-04-30 23:01:09 | Brian Murray | knockd (Ubuntu Bionic): status | In Progress | Fix Committed |
2019-04-30 23:01:16 | Brian Murray | tags | patch verification-needed verification-needed-cosmic verification-needed-disco | patch verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco |
2019-05-08 22:04:50 | Dan Streetman | tags | patch verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco | patch verification-done-disco verification-needed verification-needed-bionic verification-needed-cosmic |
2019-05-08 22:18:53 | Dan Streetman | tags | patch verification-done-disco verification-needed verification-needed-bionic verification-needed-cosmic | patch verification-done verification-done-bionic verification-done-cosmic verification-done-disco |
2019-05-09 09:04:06 | Launchpad Janitor | knockd (Ubuntu Disco): status | Fix Committed | Fix Released |
2019-05-09 09:04:16 | Łukasz Zemczak | removed subscriber Ubuntu Stable Release Updates Team | | |
2019-05-09 09:21:46 | Launchpad Janitor | knockd (Ubuntu Cosmic): status | Fix Committed | Fix Released |
2019-05-09 09:25:58 | Launchpad Janitor | knockd (Ubuntu Bionic): status | Fix Committed | Fix Released |
2019-05-25 14:27:57 | Dan Streetman | removed subscriber Dan Streetman | | |
2021-11-07 15:41:54 | Bug Watch Updater | knockd (Debian): status | New | Fix Released |