[quagga-dev 1735] Re: Permissions of /etc/quagga with/-out integrated config and multiuser vtysh

Greg Troxel gdt at ir.bbn.com
Sun Oct 31 16:01:40 GMT 2004


> On 2004-10-31 Greg Troxel wrote:
> > In my view, 'vtysh', at least when 'enabled', is supposed to give
> > someone access to the daemons as the 'quagga' user.  So saving configs
> > from vtysh really should write them as user quagga.  I don't know
> > enough about how things work to know how hard this would be.
> 
> The normal user should still be in a separate group from the config files
> so that modifying them is only possible through vtysh. This means that vtysh
> has to be either
>  - suid-quagga because the normal user may not chown to a group he's not in
>    (really not preferred from a security point of view)
>  - a daemon which is started by root and therefore may write as quagga
>    but be accessible by the normal user

Let's step back a moment - I think we are broadly in agreement.
Summarizing various things so far:

* There should be a 'quagga' user, that owns the config dir if not the
  config files, and under whose uid the daemons run.

* Some (uid != quagga) users should be able to run vtysh to connect to
  the 'router console', and should have some level of privs (read
  only, or 'enable' where they can change the config and see private
  data).

Things I'm not so sure there is agreement, but my opinion (for now) at
least:

* vtysh is kind of a combination of 'su quagga' and 'kermit to router
  console'.  On a real router, there aren't the ideas of various user
  ids.

* Anyone with enable access to vtysh can change things, and taking
  someone out of the vtysh acl should be sufficient to remove
  permission to change config information.

* I find it awkward that vtysh writes the integrated config, rather
  than the daemons, but I realize why that's the case.

I think it's cleanest for vtysh to write config files as the quagga
uid.  That may mean making it suid-quagga, perhaps 4750, so that only
group quagga users may run it.

Alternatively, we could require zebra to run, but have an option for
it not to touch the kernel routing table.
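
The layout discussed in this message (vtysh suid-quagga at mode 4750, config owned by the quagga uid) can be checked mechanically. The following is an added example, not part of the original post or of Quagga's code; the function names, the uid/gid parameters, and the rule that the group allowed to run vtysh must not be able to write the config directly are assumptions drawn from the thread.

```python
import os
import stat

def check_vtysh_binary(mode, uid, gid, quagga_uid, vtysh_gid):
    """Findings for the vtysh binary against the suid-quagga, mode 4750 proposal."""
    findings = []
    perms = stat.S_IMODE(mode)
    if uid != quagga_uid:
        findings.append("binary not owned by quagga, so setuid would grant a different uid")
    if not perms & stat.S_ISUID:
        findings.append("setuid bit missing, so configs would be written as the caller")
    if gid != vtysh_gid:
        findings.append("binary group is not the group meant to run vtysh")
    if perms & stat.S_IRWXO:
        findings.append("others can access the binary, so group membership no longer gates it")
    if perms & stat.S_IWGRP:
        findings.append("binary is writable by its group")
    return findings

def check_config_path(mode, uid, gid, quagga_uid, vtysh_gid):
    """Findings for the config dir or a config file."""
    findings = []
    perms = stat.S_IMODE(mode)
    if uid != quagga_uid:
        findings.append("config not owned by quagga")
    if perms & stat.S_IWOTH:
        findings.append("config is world-writable")
    # The concern quoted in the thread: changes should only be possible via vtysh.
    if gid == vtysh_gid and perms & stat.S_IWGRP:
        findings.append("vtysh group can write config directly, bypassing vtysh")
    return findings

def audit(vtysh_path, config_dir, quagga_uid, vtysh_gid):
    """Run both checks on a live system; paths and ids are supplied by the caller."""
    st = os.stat(vtysh_path)
    report = {vtysh_path: check_vtysh_binary(
        st.st_mode, st.st_uid, st.st_gid, quagga_uid, vtysh_gid)}
    entries = [os.path.join(config_dir, n) for n in sorted(os.listdir(config_dir))]
    for path in [config_dir] + entries:
        st = os.stat(path)
        report[path] = check_config_path(
            st.st_mode, st.st_uid, st.st_gid, quagga_uid, vtysh_gid)
    return report
```
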