PacketFence
Bug Tracking System

View Issue Details

ID: 0001424
Project: PacketFence
Category: inline
View Status: public
Date Submitted: 2012-04-16 12:31
Last Update: 2012-10-19 10:14
Reporter: obilodeau
Assigned To: (empty)
Priority: high
Severity: major
Reproducibility: random
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version: 3.6.0
Fixed in Version: 3.6.0
Summary: 0001424: obtaining a node's current mark fails from non-root
Description:
When the captive portal tries to re-evaluate the posture of a node, it does so from a pf uid process.

Turns out that fetching firewall rules w/o root fails but what made it worse is that IPTables::ChainMgr instead of letting us know it failed is returning the last temporary file generated by root (at least in ipt_exec_style 'system' mode). Since temporary file names are predictable and world-readable, it is possible for the root user to write the temp file and to have a non-root read it. I'll check to report upstream.

I'll try the other mode of operations for ChainMgr and see if they still badly report permission problems. We might have to force temp files to be appended with a pid and/or randomness or even generate their names through an empty open (which is perl's way to do mktemp).

Then, we'll need to ensure that get_mark... is always run in a privileged mode either through a pf password-less sudo or by adding a hook into bin/pfcmd. This might be delayed if our 'app server' model moves along quickly and we'll just push it as a WebService right there.
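The two failure modes the report describes, silently returning a leftover temporary file when the privileged command fails and using predictable temp file names, can be contrasted in a few lines of Perl. The following is an added illustration written for this page; it is not PacketFence or IPTables::ChainMgr code and makes no claim about ChainMgr's internals. It assumes only core Perl and File::Temp, and uses constructed stand-in commands (a perl one-liner that prints a fake rule, and one that exits non-zero the way an unprivileged iptables call would) so it runs offline.

```perl
#!/usr/bin/perl
# Added example (not PacketFence or IPTables::ChainMgr code): contrast a
# predictable, reused temp file with one created by File::Temp, and make a
# non-zero exit status surface as an error instead of stale output.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Fragile pattern: fixed name, shell redirection, exit status ignored.
# If the command fails (e.g. no permission to read the firewall), the
# function still returns the path, so the caller reads whatever an earlier
# run, possibly one made by root, left behind. Shown for contrast only;
# it is not called below.
sub fragile_capture {
    my ($cmd) = @_;                       # a shell string
    my $path = "/tmp/ipt_rules.out";      # predictable, shared name
    system("$cmd > $path 2>/dev/null");   # $? is never checked
    return $path;
}

# Hardened pattern:
#  - tempfile() creates the file with O_CREAT|O_EXCL and mode 0600 under a
#    random name, so an existing file cannot be silently reused;
#  - list-form pipe open avoids the shell entirely;
#  - the child's exit status is checked, and on failure the partial file is
#    removed and undef is returned together with an error message.
sub secure_capture {
    my @cmd = @_;                         # argv list, no shell
    my ($fh, $path) = tempfile("ipt_rules_XXXXXXXX", TMPDIR => 1);
    open(my $pipe, '-|', @cmd) or do {
        close $fh;
        unlink $path;
        return (undef, "cannot run $cmd[0]: $!");
    };
    while (my $line = <$pipe>) {
        print {$fh} $line;
    }
    close $pipe;                          # sets $? from the child
    close $fh;
    if ($? != 0) {
        unlink $path;                     # never hand back partial/stale data
        my $status = $? >> 8;
        return (undef, "$cmd[0] exited with status $status (not running as root?)");
    }
    return ($path, undef);
}

# Demonstration with constructed stand-in commands (no iptables needed):
# one that succeeds and one that fails like a non-root firewall query.
my ($ok_path, $err) = secure_capture($^X, '-e', 'print "-A FORWARD -j ACCEPT\n"');
print defined $ok_path ? "captured rules in $ok_path\n" : "error: $err\n";
unlink $ok_path if defined $ok_path;

my ($fail_path, $err2) = secure_capture($^X, '-e', 'exit 1');
print defined $fail_path ? "unexpected success\n" : "error: $err2\n";
```

The point of the second function is that a permission problem becomes an explicit error the caller must handle, which is exactly what the report says ChainMgr failed to do, and that the file name is never shared between runs or users.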
Tags: No tags attached.
Fixed in git revision: 3e4cf73908019527f60785aa1ac2cba7d260bd86
Fixed in mtn revision: (none)
Attached Files: (none)

- Relationships
has duplicate: 0001522 (closed, obilodeau) Redirect does not work after login in inline mode, access delayed or fails afterwards.

- Notes
(0002976)
obilodeau (reporter)
2012-08-28 09:07

The feature/ipset branch apparently fixes that issue. Review is ongoing: https://github.com/inverse-inc/packetfence/pull/41
(0003116)
fgaudreault (viewer)
2012-10-11 09:00

Fixed in Devel for CentOS6/Debian. Cannot fix for RHEL/CentOS 5

- Issue History
Date Modified Username Field Change
2012-04-16 12:31 obilodeau New Issue
2012-04-16 12:31 obilodeau Status new => assigned
2012-04-16 12:31 obilodeau Assigned To => obilodeau
2012-08-28 09:05 obilodeau Relationship added has duplicate 0001522
2012-08-28 09:07 obilodeau Note Added: 0002976
2012-10-11 09:00 fgaudreault git revision => 3e4cf73908019527f60785aa1ac2cba7d260bd86
2012-10-11 09:00 fgaudreault Note Added: 0003116
2012-10-11 09:00 fgaudreault Status assigned => resolved
2012-10-11 09:00 fgaudreault Fixed in Version => devel
2012-10-11 09:00 fgaudreault Resolution open => fixed
2012-10-19 10:14 fgaudreault Assigned To obilodeau =>
2012-10-19 10:14 fgaudreault Fixed in Version devel => 3.6.0
2012-10-19 10:14 fgaudreault Target Version +1 => 3.6.0


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker