PacketFence - BTS - PacketFence |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0001424 | PacketFence | inline | public | 2012-04-16 12:31 | 2012-10-19 10:14 |
|
Reporter | obilodeau | |
Assigned To | | |
Priority | high | Severity | major | Reproducibility | random |
Status | resolved | Resolution | fixed | |
Platform | | OS | | OS Version | |
Product Version | | |
Target Version | 3.6.0 | Fixed in Version | 3.6.0 | |
fixed in git revision | 3e4cf73908019527f60785aa1ac2cba7d260bd86 |
fixed in mtn revision | |
|
Summary | 0001424: obtaining a node's current mark fails from non-root |
Description | When the captive portal tries to re-evaluate the posture of a node, it does so from a pf uid process.
Turns out that fetching firewall rules without root fails, but what made it worse is that IPTables::ChainMgr, instead of letting us know it failed, is returning the last temporary file generated by root (at least in ipt_exec_style 'system' mode). Since temporary file names are predictable and world-readable, it is possible for the root user to write the temp file and to have a non-root read it. I'll check to report upstream.
I'll try the other modes of operation for ChainMgr and see if they still badly report permission problems. We might have to force temp files to be appended with a pid and/or randomness, or even generate their names through an empty open (which is Perl's way to do mktemp).
Then, we'll need to ensure that get_mark... is always run in a privileged mode, either through a pf password-less sudo or by adding a hook into bin/pfcmd. This might be delayed if our 'app server' model moves along quickly and we'll just push it as a WebService right there. |
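The temp-file handling discussed in the description, as an added example that is not PacketFence or IPTables::ChainMgr code: a weak reader that writes command output to a fixed name under /tmp and ignores the exit status (so a failed run hands back whatever an earlier run left there), beside a hardened reader that lets File::Temp choose a random name created with mode 0600, checks the exit status so a permission failure is reported instead of stale data being returned, and the anonymous "empty open" the ticket mentions. The function names, the `pf-rules-` prefix and the command strings are assumptions for illustration; the demo runs a constructed shell command in place of iptables so it works as an unprivileged user.

```perl
#!/usr/bin/perl
# Added example, not code from PacketFence or IPTables::ChainMgr.
# Contrasts a predictable temp file with a private one and makes a
# privilege failure visible instead of silently returning old data.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Weak pattern (illustration only): fixed, predictable path, default umask,
# exit status ignored. If the command fails, whatever an earlier run (for
# example one as root) left at that path is returned as if it were current.
sub rules_predictable_tmp {
    my ($cmd) = @_;
    my $path = "/tmp/iptables_rules.txt";   # shared, guessable name
    system("$cmd > $path 2>/dev/null");     # $? never inspected
    open(my $fh, '<', $path) or return [];
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Hardened pattern: File::Temp picks a random name, creates it O_EXCL with
# mode 0600 and removes it when the handle is released; the command's exit
# status is checked so "permission denied" becomes an error, not a stale file.
sub rules_private_tmp {
    my ($cmd) = @_;
    my ($fh, $path) = tempfile("pf-rules-XXXXXXXX", TMPDIR => 1, UNLINK => 1);
    my $out = `$cmd 2>&1`;
    if ($? != 0) {
        my $code = $? >> 8;
        die "command failed (exit $code), likely insufficient privileges: $out";
    }
    print {$fh} $out;
    seek($fh, 0, 0);
    my @lines = <$fh>;
    my $mode = (stat $fh)[2] & 07777;       # expect 0600
    return { path => $path, mode => $mode, rules => \@lines };
}

# The "empty open" the ticket mentions: Perl creates an anonymous temp file
# with no name on disk at all, so there is nothing for another user to
# predict or pre-create. Suitable when the data never needs a path.
sub anonymous_scratch {
    my ($data) = @_;
    open(my $fh, '+>', undef) or die "anonymous temp file: $!";
    print {$fh} $data;
    seek($fh, 0, 0);
    local $/;
    return scalar <$fh>;
}

# Usage with a constructed stand-in for the iptables listing, so it runs
# as an unprivileged user anywhere.
my $r = rules_private_tmp("printf 'rule one\\nrule two\\n'");
printf "%s mode %04o, %d rule(s)\n", $r->{path}, $r->{mode}, scalar @{ $r->{rules} };
eval { rules_private_tmp("false") };      # simulated failed privileged call
print "failure surfaced: $@" if $@;
print "anonymous handle round-trip: ", anonymous_scratch("mark=0x3\n");
```

The point for the caller is the exit-status check: once a non-root run dies instead of returning a readable file, the "last file generated by root" can no longer be mistaken for the node's current mark, independently of which ipt_exec_style mode is in use.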
Steps To Reproduce | |
Additional Information | |
Tags | No tags attached. |
Relationships | has duplicate | 0001522 | closed | obilodeau | Redirect does not work after login in inline mode, access delayed or fails afterwards. |
|
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2012-04-16 12:31 | obilodeau | New Issue | |
2012-04-16 12:31 | obilodeau | Status | new => assigned |
2012-04-16 12:31 | obilodeau | Assigned To | => obilodeau |
2012-08-28 09:05 | obilodeau | Relationship added | has duplicate 0001522 |
2012-08-28 09:07 | obilodeau | Note Added: 0002976 | |
2012-10-11 09:00 | fgaudreault | git revision | => 3e4cf73908019527f60785aa1ac2cba7d260bd86 |
2012-10-11 09:00 | fgaudreault | Note Added: 0003116 | |
2012-10-11 09:00 | fgaudreault | Status | assigned => resolved |
2012-10-11 09:00 | fgaudreault | Fixed in Version | => devel |
2012-10-11 09:00 | fgaudreault | Resolution | open => fixed |
2012-10-19 10:14 | fgaudreault | Assigned To | obilodeau => |
2012-10-19 10:14 | fgaudreault | Fixed in Version | devel => 3.6.0 |
2012-10-19 10:14 | fgaudreault | Target Version | +1 => 3.6.0 |