Bug 115208 - Quagga is built with --enable-tcp-zebra, should be disabled
Summary: Quagga is built with --enable-tcp-zebra, should be disabled
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High major
Assignee: Amir Guindehi (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-11 09:59 UTC by Alexander Hoogerhuis
Modified: 2005-12-13 06:52 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexander Hoogerhuis 2005-12-11 09:59:36 UTC
This switch should not be used during the build of quagga, according to Paul
Jakma, one of the seniors on #quagga/freenode.net. This is an open security risk
and should be used only with extreme caution and a well reasoned case.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Amir Guindehi (RETIRED) gentoo-dev 2005-12-11 11:27:54 UTC
configure --help says:

--enable-tcp-zebra      
enable TCP/IP socket connection between zebra and protocol daemon

I will talk to paul.

Looks like >quagga-0.90 changed to unix domain sockets. I found this in the NEWS
file:

* Changes in zebra-0.90
** From this beta release, --enable-unixdomain and --enable-newrib
becomes default.  So both options are removed from configure.in.  To
revert old behavior please specify below option.

--enable-tcp-zebra # TCP/IP socket is used for protocol daemon and zebra.
--enable-oldrib    # Turn on old RIB implementation.

So, we could change ebuilds for >0.90 to use unix domain sockets instead of tcp
sockets. Do we want this?
Comment 2 Amir Guindehi (RETIRED) gentoo-dev 2005-12-11 11:33:04 UTC
The tcp sockets get bound to 127.0.0.1, so it's only in question for boxes
having local users which probably is not the case for most routers.
Comment 3 Alexander Hoogerhuis 2005-12-11 11:51:45 UTC
server ~ # strace -e bind /usr/sbin/ospfd -f /etc/quagga/ospfd.conf --pid_file /var/run/quagga/ospfd.pid
bind(6, {sa_family=AF_INET, sin_port=htons(2604), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
bind(7, {sa_family=AF_FILE, path="/var/run/quagga/ospfd.vty"}, 27) = 0

127.0.0.1?
Comment 4 Amir Guindehi (RETIRED) gentoo-dev 2005-12-11 12:27:17 UTC
Hmmm... I took a look at my running quagga 0.98.2 installation.

netstat -nl says:
tcp        0      0 127.0.0.1:2600          0.0.0.0:*               LISTEN

lsof zebra says:
zebra   6654 quagga    4u  IPv4       8655             TCP 127.0.0.1:hpstgmgr (LISTEN)
zebra   6654 quagga   12u  IPv4       8705             TCP 127.0.0.1:hpstgmgr->127.0.0.1:32768 (ESTABLISHED)

lsof quagga says:
ospfd   6664 quagga    9u  IPv4       8704             TCP localhost:32768->localhost:hpstgmgr (ESTABLISHED)

Looks like 127.0.0.1 to me. What quagga version are you looking at?
Comment 5 Amir Guindehi (RETIRED) gentoo-dev 2005-12-11 12:58:15 UTC
Aehmm... Port 2604 is the OSPFD vty port. That port has a login prompt. So it's
no security problem. I thought we are talking about port 2600 the
zebra/protocol-daemon communication port?
Comment 6 Amir Guindehi (RETIRED) gentoo-dev 2005-12-12 10:41:00 UTC
I've talked to Paul, one of the main developers of Quagga. He states that unix
domain sockets are more secure than tcp ip port 2600 on 127.0.0.1 because it
protects against local users injecting routes over the zserv interface. This
only applies when there are local users existing on the router, which is mostly
not the case on routers.

I will change this to unix domain sockets so that we are also safe on those
boxes allowing local users.
Comment 7 Alexander Hoogerhuis 2005-12-12 23:32:03 UTC
UNIX domain sockets would be better, as permissions are easier to control. Also
the assumption that router != local users is weak; it creates presumptions on
how the package is to be used securely.

I initially filed this after a discussion with Paul on #quagga, as he felt that
using tcp-sockets for this on 0.98.5 was not a good idea in any case.
Comment 8 Amir Guindehi (RETIRED) gentoo-dev 2005-12-13 06:52:48 UTC
Implemented in quagga-0.98.5-r2.ebuild. Unix domain sockets are used by default
for Zebra/protocol-daemon communication now. Added a local use flag named
'tcp-zebra' which allows switching to Zebra/protocol-daemon communication on tcp
port 2600 bound to 127.0.0.1, which is the old behavior.
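An audit helper for the situation discussed in this bug, added here as an example and not taken from the bug report or from Quagga: given a saved `netstat -nl` listing it reports whether zebra's zserv interface is exposed on TCP port 2600 (the --enable-tcp-zebra build that any local user can reach) or only on a unix domain socket. The port number comes from the bug; the unix socket path /var/run/quagga/zserv.api is an assumption passed in by the caller.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the Quagga project).
# Classifies how zebra exposes zserv, given a file holding `netstat -nl` output:
#   "tcp-any"   = TCP 2600 bound to all addresses (worst case)
#   "tcp-local" = TCP 2600 bound to 127.0.0.1 (the --enable-tcp-zebra build)
#   "unix"      = only a listening unix domain socket at the given path
#   "none"      = nothing matching found
# Assumptions: zserv uses TCP port 2600 (stated in the bug); the unix socket
# path defaults to a hypothetical /var/run/quagga/zserv.api.

zserv_transport() {
    listing="$1"                                  # file with netstat -nl output
    sock="${2:-/var/run/quagga/zserv.api}"        # assumed unix socket path
    if grep -Eq '^tcp6?[[:space:]].*(0\.0\.0\.0|::):2600[[:space:]].*LISTEN' "$listing"; then
        echo tcp-any
    elif grep -Eq '^tcp[[:space:]].*127\.0\.0\.1:2600[[:space:]].*LISTEN' "$listing"; then
        echo tcp-local
    elif grep -Eq "^unix[[:space:]].*LISTENING[[:space:]].*$sock\$" "$listing"; then
        echo unix
    else
        echo none
    fi
}

# Exit status 0 only when zserv is on a unix domain socket, so the check can be
# dropped straight into a configuration-audit job.
zserv_is_hardened() {
    [ "$(zserv_transport "$1" "$2")" = unix ]
}

# Constructed sample listings; the tcp line mirrors the one quoted in comment 4.
tmp_tcp=$(mktemp); tmp_unix=$(mktemp)
printf 'tcp        0      0 127.0.0.1:2600          0.0.0.0:*               LISTEN\n' > "$tmp_tcp"
printf 'unix  2      [ ACC ]     STREAM     LISTENING     8655   /var/run/quagga/zserv.api\n' > "$tmp_unix"
echo "tcp-zebra build:   $(zserv_transport "$tmp_tcp")"    # tcp-local
echo "unix socket build: $(zserv_transport "$tmp_unix")"   # unix
rm -f "$tmp_tcp" "$tmp_unix"
```

On a live host, feed it `netstat -nl > listing.txt` (or the equivalent `ss -ln` output reformatted) rather than the constructed samples.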