[quagga-users 9711] quagga (vtysh) and grsec

Jonathan Fournier jonathan.fournier at windriver.com
Mon Jul 14 22:18:55 IST 2008


Hi,

I was wondering if someone ran into a similar issue before.

I'm running the zebra daemon under the user "quagga:quagga", starting
vtysh (PAM auth enabled), I edit the running-config, and then try to
issue the "write" command.

I then get a grsec error complaining about link creation:

localhost# write
Building Configuration...
Can't save configuration file /etc/quagga/zebra.conf.
[OK]
localhost# Jul 11 19:59:50 localhost kernel: grsec: From 128.224.146.14:
denied hardlink of /etc/quagga/zebra.conf.ajkfKp (owned by 0.0)
to /etc/quagga/zebra.conf for /usr/sbin/zebra[zebra:8463] uid/euid:92/92
gid/egid:92/92, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 11 19:59:50 localhost kernel: grsec: From 128.224.146.14: denied
hardlink of /etc/quagga/zebra.conf.ajkfKp (owned by 0.0)
to /etc/quagga/zebra.conf for /usr/sbin/zebra[zebra:8463] uid/euid:92/92
gid/egid:92/92, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

The file /etc/quagga/zebra.conf.ajkfKp got created by mkstemp() in
lib/command.c (DEFUN (config_write_file, config_write_file_cmd, ...)

This code then fails:

  if (link (config_file_tmp, config_file) != 0)
    {
      vty_out (vty, "Can't save configuration file %s.%s", config_file,
          VTY_NEWLINE);
      goto finished;
    }

From "man mkstemp", the file is created with mode read/write and
permissions 0666 (glibc 2.0.6 and earlier), 0600 (glibc 2.0.7 and
later).

Why is that file owned by root:root even if the vtysh client and zebra
daemon are not running as root? (init, the parent process, is running
as root...)

Cheers,

/jonathan
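
The log in the post shows the hardlink denied for a temp file owned by 0.0 while zebra runs with uid/euid 92/92. As an added example (not part of the original post and not Quagga's code), the C code below checks the owner of the mkstemp() file against the effective uid before publishing it, so the mismatch is reported by the program itself; `owned_by_caller` and `save_config` are hypothetical names, and publishing with rename() instead of link() is a substitution made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if fd is a regular file owned by our effective uid, 0 if not, -1 on error. */
int owned_by_caller(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return -1;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid();
}

/* Hypothetical helper (not Quagga code): write data to a mkstemp() file beside
 * path, then publish it. Returns 0 on success, -1 on I/O error, -2 when the
 * temp file is not owned by our euid (the mismatch shown in the grsec log). */
int save_config(const char *path, const char *data)
{
    char tmp[4096];
    size_t len = strlen(data);
    int fd, rc = -1;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int) sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)
        return -1;

    if (owned_by_caller(fd) != 1) {
        fprintf(stderr, "%s: owner differs from euid %ld, not publishing\n",
                tmp, (long) geteuid());
        rc = -2;
    } else if (write(fd, data, len) == (ssize_t) len && fsync(fd) == 0
               && rename(tmp, path) == 0) {
        /* rename() is a substitution made for this example; the code quoted
         * in the post publishes the temp file with link(). */
        rc = 0;
    }
    close(fd);
    if (rc != 0)
        unlink(tmp);
    return rc;
}
```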


