[quagga-dev 12952] Re: [PATCH] Restrict Shell access from vtysh

Martin Winter mwinter at opensourcerouting.org
Thu Aug 20 09:42:55 BST 2015


On 19 Aug 2015, at 16:00, Donald Sharp wrote:
> I disagree, it's a security risk.  Attackers can and will get root access
> from elevated permissions with ssh/telnet/shell access.

You are assuming systems configured with vtysh access, but no intention to
give shell access. I assume that this is the “unusual” deployment and that
most people accessing vtysh will already have shell access.

On the other hand I expect this change to break existing deployments
during the upgrade because of a change of the default.
> If you are going to be choosing non-smart security practices,
> I want it to be an affirmative action on your part.

I’m not arguing against the patch - just questioning if it is wise to
change the default immediately. I assume people building packages where
this is needed will enable it.

Would love to hear opinions from others on this list…

- Martin


> In fact this is bad enough I suggest that we roll a new release immediately
> with this.
>
> donald
>
> On Wed, Aug 19, 2015 at 5:55 PM, Martin Winter <
> mwinter at opensourcerouting.org> wrote:
>
>> I would prefer the default for configure to be the same as now
>> (= unrestricted).
>>
>> So rather have an option for “--disable-shell-access” and have the
>> default to be as it is today.
>>
>> - Martin
>>
>>
>> On 12 Aug 2015, at 16:37, Donald Sharp wrote:
>>
>>> Restrict shell access from vtysh to those that intentionally turn it
>>> on via a ./configure option.  A suid vtysh without this change could
>>> potentially allow an attacker to elevate his privileges.
>>>
>>> Signed-off-by: Donald Sharp <sharpd at cumulusnetworks.com>
>>> ---
>>> configure.ac  | 6 ++++++
>>> vtysh/vtysh.c | 8 +++++++-
>>> 2 files changed, 13 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/configure.ac b/configure.ac
>>> index 8a88047..b2e174d 100755
>>> --- a/configure.ac
>>> +++ b/configure.ac
>>> @@ -274,6 +274,8 @@ AC_ARG_ENABLE(configfile_mask,
>>> AS_HELP_STRING([--enable-configfile-mask=ARG], [set mask for config
>>> files]))
>>> AC_ARG_ENABLE(logfile_mask,
>>> AS_HELP_STRING([--enable-logfile-mask=ARG], [set mask for log files]))
>>> +AC_ARG_ENABLE(shell_access,
>>> +  AS_HELP_STRING([--enable-shell-access], [Allow user to use
>>> ssh/telnet/bash]))
>>>
>>> AC_ARG_ENABLE(rtadv,
>>> AS_HELP_STRING([--disable-rtadv], [disable IPV6 router advertisement
>>> feature]))
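Review bot: the help string for the new `--enable-shell-access` option reads `Allow user to use ssh/telnet/bash`, but the commands it gates in vtysh.c are telnet, telnet with a port, ssh, start-shell, bash and zsh, and the option defaults to off, so existing builds silently lose all six commands at the next upgrade. Suggest a help string that lists what is actually gated and states the default, along the lines of `[enable the telnet/ssh/start-shell/bash/zsh commands in vtysh (default: disabled)]`, plus a NEWS entry for the default change.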
>>> @@ -316,6 +318,10 @@ if test x"${enable_time_check}" != x"no" ; then
>>> fi
>>> fi
>>>
>>> +if test "${enable_shell_access}" = "yes"; then
>>> +   AC_DEFINE(HAVE_SHELL_ACCESS,,Allow user to use ssh/telnet/bash)
>>> +fi
>>> +
>>> if test "${enable_fpm}" = "yes"; then
>>> AC_DEFINE(HAVE_FPM,,Forwarding Plane Manager support)
>>> fi
>>> diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
>>> index 04ac550..757176a 100644
>>> --- a/vtysh/vtysh.c
>>> +++ b/vtysh/vtysh.c
>>> @@ -2051,6 +2051,7 @@ DEFUN (vtysh_traceroute6,
>>> }
>>> #endif
>>>
>>> +#if defined(HAVE_SHELL_ACCESS)
>>> DEFUN (vtysh_telnet,
>>>    vtysh_telnet_cmd,
>>>    "telnet WORD",
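Review bot: the `#if defined(HAVE_SHELL_ACCESS)` opened here before `DEFUN (vtysh_telnet, ...)` is only closed by the `#endif` after `vtysh_start_zsh` in the next hunk, about sixty lines later, and none of the code in between is visible in this diff. Please confirm that `vtysh_telnet_port_cmd`, `vtysh_ssh_cmd`, `vtysh_start_shell_cmd` and `vtysh_start_bash_cmd`, whose `install_element` calls are guarded in vtysh_init_vty below, are all defined inside this span; a DEFUN left outside it becomes an unused definition in a default build, and a DEFUN inside it that is still installed unconditionally would not compile.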
>>> @@ -2110,6 +2111,7 @@ DEFUN (vtysh_start_zsh,
>>> execute_command ("zsh", 0, NULL, NULL);
>>> return CMD_SUCCESS;
>>> }
>>> +#endif
>>>
>>> static void
>>> vtysh_install_default (enum node_type node)
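Review bot: the bare `+#endif` closes a conditional opened roughly sixty lines earlier, across several DEFUN bodies; tag it as `#endif /* HAVE_SHELL_ACCESS */` so a reader scrolling through vtysh.c can see which block it ends. The same applies to the `#endif` lines added in vtysh_init_vty.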
>>> @@ -2429,9 +2431,11 @@ vtysh_init_vty (void)
>>> install_element (VIEW_NODE, &vtysh_ping6_cmd);
>>> install_element (VIEW_NODE, &vtysh_traceroute6_cmd);
>>> #endif
>>> +#if defined(HAVE_SHELL_ACCESS)
>>> install_element (VIEW_NODE, &vtysh_telnet_cmd);
>>> install_element (VIEW_NODE, &vtysh_telnet_port_cmd);
>>> install_element (VIEW_NODE, &vtysh_ssh_cmd);
>>> +#endif
>>> install_element (ENABLE_NODE, &vtysh_ping_cmd);
>>> install_element (ENABLE_NODE, &vtysh_ping_ip_cmd);
>>> install_element (ENABLE_NODE, &vtysh_traceroute_cmd);
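Review bot: this hunk places `vtysh_telnet_cmd`, `vtysh_telnet_port_cmd` and `vtysh_ssh_cmd` in VIEW_NODE behind the same `HAVE_SHELL_ACCESS` guard as the local shell commands, yet the commit message only speaks of shell access. Since telnet and ssh are network clients rather than a shell escape, the commit message should state why they are gated by the same flag (the thread above gives the reasoning: ssh/telnet/shell access from a suid vtysh all carry the elevated-privilege concern), or they should get a flag of their own.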
>>> @@ -2440,13 +2444,15 @@ vtysh_init_vty (void)
>>> install_element (ENABLE_NODE, &vtysh_ping6_cmd);
>>> install_element (ENABLE_NODE, &vtysh_traceroute6_cmd);
>>> #endif
>>> +#if defined(HAVE_SHELL_ACCESS)
>>> install_element (ENABLE_NODE, &vtysh_telnet_cmd);
>>> install_element (ENABLE_NODE, &vtysh_telnet_port_cmd);
>>> install_element (ENABLE_NODE, &vtysh_ssh_cmd);
>>> install_element (ENABLE_NODE, &vtysh_start_shell_cmd);
>>> install_element (ENABLE_NODE, &vtysh_start_bash_cmd);
>>> install_element (ENABLE_NODE, &vtysh_start_zsh_cmd);
>>> -
>>> +#endif
>>> +
>>> install_element (VIEW_NODE, &vtysh_show_memory_cmd);
>>> install_element (ENABLE_NODE, &vtysh_show_memory_cmd);
>>>
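Review bot: with this hunk, `vtysh_start_shell_cmd`, `vtysh_start_bash_cmd` and `vtysh_start_zsh_cmd` are installed only under `HAVE_SHELL_ACCESS`, so all six commands vanish from a default build, but the patch touches no documentation. The vtysh section of the texinfo docs that describes the telnet, ssh and start-shell commands should say they require `--enable-shell-access`, and NEWS or ChangeLog should record the default change that Martin raises above so packagers know to set the flag.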
>>> --
>>> 1.9.1
>>>
>>>
>>> _______________________________________________
>>> Quagga-dev mailing list
>>> Quagga-dev at lists.quagga.net
>>> https://lists.quagga.net/mailman/listinfo/quagga-dev
>>>
>>
