Comment 0 for bug 1823051

Dan Streetman (ddstreet) wrote:

[impact]

any knockd configuration rules that call ufw fail because any ufw changes always update the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.

[test case]

on a bionic or later system install knockd, edit /etc/default/knockd to enable it, and edit /etc/knockd.conf to add a rule that calls ufw to do something (e.g. ufw allow <SOME FIREWALL RULE>).

trigger the rule by using 'knock' to send the rule's knock sequence and observe /var/log/syslog to verify the knock sequence packets were received and the rule triggered. The log will show:

Apr 3 11:59:29 quassel knockd[1270]: ERROR: '/etc/ufw/user.rules' is not writable

[regression potential]

very low - this only gives knockd access to read/write files under /etc/ufw. Any regression would be around problems with ufw's firewall rules, or possibly problems with systemd starting knockd because of the new param in the service file.

[other info]

the /etc/ufw/ permissions should be added to knockd's service file because the use case of knockd is almost always to modify the system's firewall after a successful knock sequence, either by directly calling iptables, or by calling ufw. Since iptables does not make any persistent changes, no extra filesystem access is needed; but ufw always makes persistent changes.

Note also that it's possible someone might want to modify iptables and then also save the new iptables rules using netfilter-persistent, in which case knockd would also need r/w access to /etc/iptables/. This bug does not address that possible need.
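An added example, not code from the bug report or from knockd, showing the sandbox semantics behind the failure above: a small POSIX sh checker that reads a unit file and reports whether ProtectSystem= leaves a given path writable. It assumes the "new param" is a ReadWritePaths=/etc/ufw/ entry, systemd's standard directive for re-enabling writes below a protected directory; the sample unit files are constructed here.

```shell
#!/bin/sh
# Added example, not part of the bug report or of knockd: decide from a unit
# file's text whether ProtectSystem= leaves a path writable, and whether a
# ReadWritePaths= entry (systemd's directive for such exceptions) re-enables it.
# It parses the unit file only; it does not ask a running systemd.

# under PATH DIR: succeed if PATH is DIR or lies below it
under() {
  case "${1%/}/" in "${2%/}/"*) return 0 ;; esac
  return 1
}

# unit_can_write UNIT-FILE PATH: print "writable" or "read-only"
unit_can_write() {
  unit="$1"; want="$2"; ro=0
  # the last ProtectSystem= assignment wins, as in systemd
  protect=$(sed -n 's/^[[:space:]]*ProtectSystem=//p' "$unit" | tail -n 1)
  case "$protect" in
    yes|true|on|1) dirs="/usr /boot /efi" ;;        # read-only: /usr and boot dirs
    full)          dirs="/usr /boot /efi /etc" ;;   # read-only: the above plus /etc
    strict)        dirs="/" ;;                      # read-only: everything ...
    *)             dirs="" ;;                       # no ProtectSystem=: all writable
  esac
  for d in $dirs; do
    if under "$want" "$d"; then ro=1; fi
  done
  if [ "$protect" = strict ]; then                  # ... except the API filesystems
    for d in /dev /proc /sys; do
      if under "$want" "$d"; then ro=0; fi
    done
  fi
  # ReadWritePaths= lines accumulate; each entry (optionally prefixed -/+) punches a hole
  for rw in $(sed -n 's/^[[:space:]]*ReadWritePaths=//p' "$unit"); do
    if under "$want" "${rw#[-+]}"; then ro=0; fi
  done
  if [ "$ro" -eq 0 ]; then echo writable; else echo read-only; fi
}

# Constructed sample units: the service as the report describes it
# (ProtectSystem=full, no exception), and the same unit with /etc/ufw opened up.
DEMO_DIR=$(mktemp -d)
printf '[Service]\nProtectSystem=full\n' >"$DEMO_DIR/knockd-before.service"
printf '[Service]\nProtectSystem=full\nReadWritePaths=/etc/ufw/\n' >"$DEMO_DIR/knockd-after.service"

unit_can_write "$DEMO_DIR/knockd-before.service" /etc/ufw/user.rules   # read-only
unit_can_write "$DEMO_DIR/knockd-after.service"  /etc/ufw/user.rules   # writable
```

The first call reproduces the "'/etc/ufw/user.rules' is not writable" situation from the log; the second shows the exception taking effect.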