0001370: Net::Appliance::Session privilege detection broken resulting into a thread crash - PacketFence

thread failed to start: Failed to get first privileged prompt at /usr/local/pf/lib/pf/SNMP/Cisco/Catalyst_2950.pm line 678 (0000001) (W threads)(S) The entry point function of threads->create() failed for some reason.

# # old_revision [0544757e0c99f59496082b8fca638b9bf4547fad] # # patch "pf/lib/pf/SNMP/AeroHIVE.pm" # from [3f488e068e862e100d4b5635950077d1a453336a] # to [184ee86cfccce3cd3b0b1edac282b6fbed4faca2] # # patch "pf/lib/pf/SNMP/Cisco/Catalyst_2950.pm" # from [88c7d5886a6faf3bd53bb49840c145f28a460057] # to [919f1bd1b0429ffbe15d7d2e237575f2862ff2d5] # # patch "pf/lib/pf/SNMP/Cisco/Catalyst_3500XL.pm" # from [afd873fb6b319cf890cad8d3c3a6579bbe2c45f1] # to [a1fda26055fe3818fbfe2d2e6fe01f07b392204e] # # patch "pf/lib/pf/SNMP/Cisco/ISR_1800.pm" # from [b52cf40a14276ec13afae0a45c12fb75cb108695] # to [7cf45f6aae7aa8aa5b7d38aa919fc9bcc09434c0] # # patch "pf/lib/pf/SNMP/Cisco/WLC_2106.pm" # from [ad6b3bff69de98de90463739c5536648b542f6cc] # to [34aa610cd893c63c79427b3ff4bdf03fb62f43c1] # # patch "pf/lib/pf/SNMP/Extreme.pm" # from [359edbbc24e0e42af83199f1cff20979bc119348] # to [ea3b4ea0f9592e6618cffa1a7328de8635b31b10] # # patch "pf/lib/pf/SNMP/Meru.pm" # from [de0b534622be99341e96e45927c184d2364e0341] # to [082f6738a7f4d33a23bbfd7e0ae9476e5b6be148] # ============================================================ --- pf/lib/pf/SNMP/AeroHIVE.pm 3f488e068e862e100d4b5635950077d1a453336a +++ pf/lib/pf/SNMP/AeroHIVE.pm 184ee86cfccce3cd3b0b1edac282b6fbed4faca2 @@ -124,6 +124,8 @@ Right now te only way to do it is from t Right now te only way to do it is from the CLi (through Telnet or SSH). +Warning: this code doesn't support elevating to privileged mode. See #900 and #1370. + =cut sub _deauthenticateMacTelnet { my ( $this, $mac ) = @_; ============================================================ --- pf/lib/pf/SNMP/Cisco/Catalyst_2950.pm 88c7d5886a6faf3bd53bb49840c145f28a460057 +++ pf/lib/pf/SNMP/Cisco/Catalyst_2950.pm 919f1bd1b0429ffbe15d7d2e237575f2862ff2d5 @@ -204,7 +204,8 @@ sub clearMacAddressTable { Name => $this->{_cliUser}, Password => $this->{_cliPwd} ); - $session->begin_privileged( $this->{_cliEnablePwd} ); + # Session not already privileged are not supported at this point. See #1370 + # $session->begin_privileged( $this->{_cliEnablePwd} ); }; if ($@) { @@ -480,11 +481,12 @@ sub ping { return 1; } - if ( !$session->begin_privileged( $this->{_cliEnablePwd} ) ) { - $logger->error( "ERROR: Cannot enable: " . $session->errmsg ); - $session->close(); - return 1; - } + # Session not already privileged are not supported at this point. See #1370 + #if ( !$session->begin_privileged( $this->{_cliEnablePwd} ) ) { + # $logger->error( "ERROR: Cannot enable: " . $session->errmsg ); + # $session->close(); + # return 1; + #} $session->cmd("ping $ip timeout 0 repeat 1"); $session->close(); @@ -638,6 +640,10 @@ Sets the maximum number of MAC addresses Sets the maximum number of MAC addresses on the data vlan for port-security on a port +Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe: + +L<http://www.cpanforum.com/threads/6909/> + =cut sub setPortSecurityMaxSecureMacAddrVlanAccessByIfIndex { my ( $this, $ifIndex, $maxSecureMac ) = @_; @@ -671,17 +677,18 @@ sub setPortSecurityMaxSecureMacAddrVlanA $logger->error("Error connecting to " . $this->{'_ip'} . " using ".$this->{_cliTransport} . ". Error: $!"); } + # Session not already privileged are not supported at this point. See #1370 # are we in enabled mode? - if (!$session->in_privileged_mode()) { + #if (!$session->in_privileged_mode()) { - # let's try to enable - if (!$session->enable($this->{_cliEnablePwd})) { - $logger->error("Cannot get into privileged mode on ".$this->{'ip'}. - ". Are you sure you provided enable password in configuration?"); - $session->close(); - return 0; - } - } + # # let's try to enable + # if (!$session->enable($this->{_cliEnablePwd})) { + # $logger->error("Cannot get into privileged mode on ".$this->{'ip'}. + # ". Are you sure you provided enable password in configuration?"); + # $session->close(); + # return 0; + # } + #} eval { $session->cmd(String => "conf t", Timeout => '10'); ============================================================ --- pf/lib/pf/SNMP/Cisco/Catalyst_3500XL.pm afd873fb6b319cf890cad8d3c3a6579bbe2c45f1 +++ pf/lib/pf/SNMP/Cisco/Catalyst_3500XL.pm a1fda26055fe3818fbfe2d2e6fe01f07b392204e @@ -146,7 +146,8 @@ sub clearMacAddressTable { Name => $this->{_cliUser}, Password => $this->{_cliPwd} ); - $session->begin_privileged( $this->{_cliEnablePwd} ); + # Session not already privileged are not supported at this point. See #1370 + #$session->begin_privileged( $this->{_cliEnablePwd} ); }; if ($@) { $logger->error( ============================================================ --- pf/lib/pf/SNMP/Cisco/ISR_1800.pm b52cf40a14276ec13afae0a45c12fb75cb108695 +++ pf/lib/pf/SNMP/Cisco/ISR_1800.pm 7cf45f6aae7aa8aa5b7d38aa919fc9bcc09434c0 @@ -134,17 +134,18 @@ sub getMacBridgePortHash { return %macBridgePortHash; } + # Session not already privileged are not supported at this point. See #1370 # are we in enabled mode? - if (!$session->in_privileged_mode()) { + #if (!$session->in_privileged_mode()) { - # let's try to enable - if (!$session->enable($this->{_cliEnablePwd})) { - $logger->error("Cannot get into privileged mode on ".$this->{'ip'}. - ". Are you sure you provided enable password in configuration?"); - $session->close(); - return %macBridgePortHash; - } - } + # # let's try to enable + # if (!$session->enable($this->{_cliEnablePwd})) { + # $logger->error("Cannot get into privileged mode on ".$this->{'ip'}. + # ". Are you sure you provided enable password in configuration?"); + # $session->close(); + # return %macBridgePortHash; + # } + #} # command that allows us to get MAC to ifIndex information my $command = "show mac-address-table"; ============================================================ --- pf/lib/pf/SNMP/Cisco/WLC_2106.pm ad6b3bff69de98de90463739c5536648b542f6cc +++ pf/lib/pf/SNMP/Cisco/WLC_2106.pm 34aa610cd893c63c79427b3ff4bdf03fb62f43c1 @@ -82,7 +82,9 @@ sub deauthenticateMac { Name => $this->{_cliUser}, Password => $this->{_cliPwd} ); - $session->begin_privileged( $this->{_cliEnablePwd} ); + # Session not already privileged are not supported at this point. See #1370 + #$session->begin_privileged( $this->{_cliEnablePwd} ); + $session->->do_privileged_mode(0); $session->begin_configure(); }; ============================================================ --- pf/lib/pf/SNMP/Extreme.pm 359edbbc24e0e42af83199f1cff20979bc119348 +++ pf/lib/pf/SNMP/Extreme.pm ea3b4ea0f9592e6618cffa1a7328de8635b31b10 @@ -1392,6 +1392,8 @@ On this switch, the lock-learning is a p On this switch, the lock-learning is a per-vlan attribute so it performs it on the current untagged VLAN of the ifIndex +Warning: this code doesn't support elevating to privileged mode. See #900 and #1370. + =cut sub _setPortSecurityByIfIndexCLI { my ( $this, $ifIndex, $enable ) = @_; ============================================================ --- pf/lib/pf/SNMP/Meru.pm de0b534622be99341e96e45927c184d2364e0341 +++ pf/lib/pf/SNMP/Meru.pm 082f6738a7f4d33a23bbfd7e0ae9476e5b6be148 @@ -157,6 +157,7 @@ sub deauthenticateMac { return; } + # Session not already privileged are not supported at this point. See #1370 #if (!$session->in_privileged_mode()) { # if (!$session->enable($this->{_cliEnablePwd})) { # $logger->error("Cannot get into privileged mode on ".$this->{'ip'}.

Notes
(0002547) obilodeau (reporter) 2012-01-25 12:29	in_privileged_mode() doesn't do a verification on the remote end. It simply reflects the state of what was done with the module so far. See http://search.cpan.org/~oliver/Net-Appliance-Session-1.36/lib/Net/Appliance/Session/Cookbook/Recipe05.pod [^] I filed an upstream ticket: https://github.com/ollyg/Net-Appliance-Session/issues/13 [^] For now, I'll disable all privileged mode escalation in the code and document that until I hear from what the Net::Appliance guys think about my issue. Anyway, if they fix it upstream and release i'll still have to get the new version packaged up because rpmforge is stuck at 1.36 and there's an API breakage between 1.36 and later.

(0002548) obilodeau (reporter) 2012-01-25 14:47	workaround to disable all begin_privilege calls patch attached.

(0002549) obilodeau (reporter) 2012-01-25 14:48	All except Trapeze since by default users get in unprivileged.

(0002551) obilodeau (reporter) 2012-01-25 15:18	disabled privilege detection in all but trapeze. Once I get upstream's opinion on the issue we'll see what we'll do. commit contains changes to docs, upgrade, etc. which the attached patch doesn't have.

(0002553) obilodeau (reporter) 2012-01-26 14:29	oops, yesterday's fix introduced a problem. here's the blurb to fix it: --- pf/lib/pf/SNMP/Cisco/WLC_2106.pm 7547d8900dbfc841f270d05056f46f3fecb65b88 +++ pf/lib/pf/SNMP/Cisco/WLC_2106.pm 87810d1392683519de0550517bff2af107cbbb36 @@ -86,7 +86,7 @@ sub deauthenticateMac { ); # Session not already privileged are not supported at this point. See 0001370 #$session->begin_privileged( $this->{_cliEnablePwd} ); - $session->->do_privileged_mode(0); + $session->do_privileged_mode(0); $session->begin_configure(); };

(0002584) obilodeau (reporter) 2012-02-28 14:31	Fixed in recently released 3.2.0.

Issue History
Date Modified	Username	Field	Change
2012-01-24 15:31	obilodeau	New Issue
2012-01-24 15:31	obilodeau	Status	new => assigned
2012-01-24 15:31	obilodeau	Assigned To	=> obilodeau
2012-01-24 15:32	obilodeau	Relationship added	related to 0000900
2012-01-24 15:33	obilodeau	Description Updated
2012-01-25 12:29	obilodeau	Note Added: 0002547
2012-01-25 14:46	obilodeau	File Added: net-appliance-session-disable-begin-privilege-fix-1370.patch
2012-01-25 14:47	obilodeau	Note Added: 0002548
2012-01-25 14:48	obilodeau	Note Added: 0002549
2012-01-25 15:18	obilodeau	mtn revision	=> 5b3395f89f9fff65ed9bdd165e11a4688f599d73
2012-01-25 15:18	obilodeau	Note Added: 0002551
2012-01-25 15:18	obilodeau	Status	assigned => resolved
2012-01-25 15:18	obilodeau	Fixed in Version	=> trunk
2012-01-25 15:18	obilodeau	Resolution	open => fixed
2012-01-26 14:29	obilodeau	Note Added: 0002553
2012-02-28 14:22	obilodeau	Target Version	+1 => 3.2.0
2012-02-28 14:22	obilodeau	Fixed in Version	trunk => 3.2.0
2012-02-28 14:31	obilodeau	Note Added: 0002584
2012-02-28 14:31	obilodeau	Status	resolved => closed