Bug 139526 - firehol is broken by stable bash 3.1 on x86
Summary: firehol is broken by stable bash 3.1 on x86
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: x86 Linux
Importance: High critical
Assignee: The Gentoo Linux Hardened Team
URL: http://forums.gentoo.org/viewtopic-t-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-07 00:55 UTC by Peter Westwood
Modified: 2006-12-28 14:56 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Errors on starting firehol with bash-3.1_p17 installed (firehol.error.log,16.85 KB, text/plain)
2006-07-24 00:22 UTC, Peter Westwood
firehol config file (firehol.conf,924 bytes, text/plain)
2006-07-29 08:49 UTC, Peter Westwood
Testscript to test for problem with bash (testbash2.sh,542 bytes, text/plain)
2006-11-07 11:56 UTC, Dominik Stadler (RETIRED)

Description Peter Westwood 2006-07-07 00:55:15 UTC
Firehol won't run with stable bash due to errors with printf; it seems reverting to 3.0 works fine.

You get lots of these errors:
"/usr/sbin/firehol: line 2354: printf: write error: Success"

And then every iptables command fails to run.

emerge --info:

Gentoo Base System version 1.6.14
Portage 2.1-r1 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r4, 2.6.14-hardened-r1 i686)
=================================================================
System uname: 2.6.14-hardened-r1 i686 VIA Nehemiah
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE=""
ARCH="x86"
AUTOCLEAN="yes"
CBUILD="i386-pc-linux-gnu"
CCACHE_SIZE="2G"
CFLAGS="-Os -march=c3-2 -fomit-frame-pointer -fforce-addr"
CHOST="i386-pc-linux-gnu"
CLEAN_DELAY="5"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf"
CXXFLAGS="-Os -march=c3-2 -fomit-frame-pointer -fforce-addr"
DISTDIR="/usr/portage/distfiles"
ELIBC="glibc"
EMERGE_WARNING_DELAY="10"
FEATURES="autoconfig ccache distlocks metadata-transfer sandbox sfperms strict userpriv usersandbox"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -P ${DISTDIR} ${URI}"
GENTOO_MIRRORS="http://gentoo.blueyonder.co.uk"
GRP_STAGE23_USE="x86 x86 berkdb crypt dlloader hardened nls pam pic readline ssl tcpd userlocales zlib"
HOME="/home/peter"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LINGUAS="en"
LOGNAME="root"
MAKEOPTS="-j2"
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin:/usr/i386-pc-linux-gnu/gcc-bin/3.3.6"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_ARCHLIST="ppc s390 amd64 ppc64 x86-fbsd m68k arm sparc sh mips ia64 alpha ppc-macos hppa x86"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib/portage/bin"
PORTAGE_CALLER="emerge"
PORTAGE_CONFIGROOT="/"
PORTAGE_ELOG_CLASSES="log warn error"
PORTAGE_ELOG_MAILFROM="portage"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
PRELINK_PATH=""
PRELINK_PATH_MASK=""
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -P ${DISTDIR} ${URI}"
ROOT="/"
RPMDIR="/usr/portage/rpm"
SHELL="/bin/bash"
STAGE1_USE="hardened pic userlocales"
SUDO_COMMAND="/usr/bin/emerge -av --info"
SUDO_GID="100"
SUDO_UID="1000"
SUDO_USER="peter"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
TERM="screen"
USE="apache2 authdaemond bash-completion berkdb cgi crypt curl dar64 dlloader encode ffmpeg flac gd hardened hardenedphp imap jpeg live maildir mp3 mysql network nls nptl pam php pic png python readline sasl snmp spell ssl tcpd unicode userlocales vhosts x86 xml xorg zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_en userland_GNU"
USER="root"
USERLAND="GNU"
USE_EXPAND="DVB_CARDS ELIBC FCDSL_CARDS FRITZCAPI_CARDS INPUT_DEVICES KERNEL LINGUAS LIRC_DEVICES USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults"
XARGS="xargs -r"
Comment 1 Dominik Stadler (RETIRED) gentoo-dev 2006-07-23 02:08:09 UTC
Which exact version of bash are you using? I'm at 3.1_p17 and don't see this problem, firehol starts ok. A post in the forum indicates that p16 is used. Can you try upgrading to p17 of bash to see if that fixes the problem?
Comment 2 Peter Westwood 2006-07-23 04:07:52 UTC
(In reply to comment #1)
> Which exact version of bash are you using? I'm at 3.1_p17 and don't see this
> problem, firehol starts ok. A post in the forum indicates that p16 is used. Can
> you try upgrading to p17 of bash to see if that fixes the problem.
> 

I was using 3.1_p16 which is the latest stable x86 bash.
I am currently using 3.0-r12 which works fine.

I'll give 3.1_p17 a go and let you know how I get on.
Comment 3 Peter Westwood 2006-07-24 00:22:07 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Which exact version of bash are you using? I'm at 3.1_p17 and don't see this
> > problem, firehol starts ok. A post in the forum indicates that p16 is used. Can
> > you try upgrading to p17 of bash to see if that fixes the problem.
> > 
> 
> I was using 3.1_p16 which is the latest stable x86 bash.
> I am currently using 3.0-r12 which works fine.
> 
> I'll give 3.1_p17 a go and let you know how I get on.
> 

Ok tested with 3.1_p17 and still doesn't work.

I've captured the errors from restarting firehol and will attach. 
Comment 4 Peter Westwood 2006-07-24 00:22:43 UTC
Created attachment 92596 [details]
Errors on starting firehol with bash-3.1_p17 installed
Comment 5 Dominik Stadler (RETIRED) gentoo-dev 2006-07-29 02:07:37 UTC
Can you please additionally provide your firehol configuration (/etc/firehol/firehol.conf)? You can change sensitive information if you want, I just would like to see which services you are using to let me find out why I am not seeing these errors.
Comment 6 Peter Westwood 2006-07-29 08:49:45 UTC
Created attachment 93012 [details]
firehol config file

Here is my config file
Comment 7 Dominik Stadler (RETIRED) gentoo-dev 2006-08-15 06:25:28 UTC
Unfortunately, my machine died a few weeks ago and I am still trying to resurrect it so I can take a closer look at this problem. 

In the meantime, can you try to find out if any of the "server" protocols that you are using is causing this? I.e. by commenting them all out and see if you still get it and then comment in one by one?
Comment 8 Peter Westwood 2006-09-01 05:07:43 UTC
(In reply to comment #7)
> Unfortunately, my machine died a few weeks ago and I am still trying to
> resurrect it so I can take a closer look at this problem. 
> 
> In the meantime, can you try to find out if any of the "server" protocols that
> you are using is causing this? I.e. by commenting them all out and see if you
> still get it and then comment in one by one?
> 

Commenting out server lines didn't seem to help.

However the following change to the firehol script did.

-----------------------------------------------------------------
@@ -2326,7 +2351,7 @@
                printf "runcmd '${check}' '${FIREHOL_LINEID}' " >>${FIREHOL_OUTPUT}
        fi

-       printf "%q " "$@" >>${FIREHOL_OUTPUT}
+       printf "%q " $@  >>${FIREHOL_OUTPUT}
        printf "\n" >>${FIREHOL_OUTPUT}

        if [ ${FIREHOL_EXPLAIN} -eq 1 ]
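
Review bot: On the `+` line, `$@` without quotes undergoes word splitting and pathname expansion before `printf "%q "` receives it, so an argument containing a space reaches printf as several words and one containing `*` or `?` can be replaced by matching file names; the command written to `${FIREHOL_OUTPUT}` then no longer matches what the caller passed. Keep `"$@"` quoted and isolate the `%q` write error on the affected bash build instead, because these lines emit the commands that are later run from `${FIREHOL_OUTPUT}`.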


-----------------------------------------------------------------

Removing the quotes around the $@ fixes it for me.
Comment 9 Bernard Cafarelli gentoo-dev 2006-09-04 15:47:57 UTC
Bumping bash to p17 did not help me either.

I edited the firehol script thanks to comment #8, but I had to edit a few other lines (where the LOG target had spaces in it) that are affected by this patch.
With "MALFORMED NULL" => "MALFORMED_NULL", "SYN FLOOD" => "SYN_FLOOD", etc... everything is now working fine here (with protection strong)

Portage 2.1-r2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-gentoo-r6_dedibox_voya i686)
=================================================================
System uname: 2.6.17-gentoo-r6_dedibox_voya i686 VIA Esther processor 2000MHz
Gentoo Base System version 1.12.4
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=i686 -pipe -fomit-frame-pointer -mmmx -msse -msse2 -msse3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-Os -march=i686 -pipe -fomit-frame-pointer -mmmx -msse -msse2 -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks fixpackages metadata-transfer parallel-fetch prelink sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.dedibox.fr/gentoo"
LINGUAS="fr fr_FR"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/webapps-experimental"
SYNC="rsync://rsync.fr.gentoo.org/gentoo-portage"
USE="a52 aac aalib apache2 bash-completion bcmath berkdb bzip2 calendar cddb crypt curl dlloader dts encode exif fam ffmpeg flac flash ftp gd gnutls hardened hardenedphp hash httpd imagemagick imap ipv6 javascript jpeg libcaca libwww live maildir matroska mcal memlimit mmx mod mp3 mpeg mysql ncurses network nls nptl nptlonly offensive ogg openssh pam pcntl pcre pdf perl pic png posix python quicktime readline real recode rtsp ruby sasl shout simplexml snmp sockets spamassassin speex spell sqlite sse ssl stream tcpd theora threads tidy tiff tokenizer truetype unicode userlocales vhosts vorbis win32codecs x264 x86 xml xmlreader xmlrpc xmlwriter xvid zip zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_fr linguas_fr_FR userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 10 Dominik Stadler (RETIRED) gentoo-dev 2006-09-10 02:09:01 UTC
Ok, I'm back in a state where I can start looking at this, sorry for the delay. I had to put my disk into an old machine (P2 266Mhz, not very fast!) to at least start working on this.

First, it seems the printf-command does not come from bash itself, but from coreutils:

# equery b /usr/bin/printf
[ Searching for file(s) /usr/bin/printf in *... ]
sys-apps/coreutils-5.97 (/usr/bin/printf)

I tried your configuration and it seems to work for me. So let's compare coreutils-versions. Which version of coreutils do you use?

It seems the latest stable ones are 5.94, see http://packages.gentoo.org/search/?sstring=coreutil

Can you try with 5.97 or newer? I'll try to downgrade to 5.94 in order to reproduce this.
Comment 11 Peter Westwood 2006-09-10 02:38:48 UTC
(In reply to comment #10)
> Ok, I'm back in a state where I can start looking at this, sorry for the delay.
> I had to put my disk into an old machine (P2 266Mhz, not very fast!) to at
> least start working on this.
> 
> First, it seems the printf-command does not come from bash itself, but from
> coreutils:

but printf is a bash built command?

> 
> # equery b /usr/bin/printf
> [ Searching for file(s) /usr/bin/printf in *... ]
> sys-apps/coreutils-5.97 (/usr/bin/printf)
> 
> I tried your configuration and it seems to work for me. So let's compare
> coreutils-versions. Which version of coreutils do you use?
> 
> It seems the latest stable ones are 5.94, see
> http://packages.gentoo.org/search/?sstring=coreutil
> 
> Can you try with 5.97 or newer? I'll try to downgrade to 5.94 in order to
> reproduce this.
> 

I have coreutils 5.94-r1
Comment 12 Dominik Stadler (RETIRED) gentoo-dev 2006-09-10 13:14:24 UTC
(In reply to comment #11)
> but printf is a bash built command?

yes, you're right, it's provided twice and the script will take the builtin one.

So why are you seeing this problem and I am not, even if I use the exact same configuration?

For me the debug-mode of firehol creates "/sbin/iptables -t filter -A in_internet_dns_s1 -p udp --dport 53 -m state  --state NEW\,ESTABLISHED -j ACCEPT", 
for you it seems to create "/sbin/iptables -t filter -A in_internet_dns_s1 -p udp --dport 53 -m state ", i.e. there is something cut off at the end.

Can you additionally run "firehol debug" and attach the output?

Sorry for letting you do things all the time. I know it can be worked around by adjusting the firehol-script, but I would like to know why it happens before doing a patch. I want to make sure this is secure, as firehol is quite a sensitive application to patch.
Comment 13 INODE64 Sistemas 2006-09-14 13:58:21 UTC
I had the same problem on all systems with hardened; I recompiled everything without it, and it runs OK.

Sorry, I did not find a better solution than removing hardened :-(
Comment 14 Alexander Steppke 2006-09-22 01:59:58 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > but printf is a bash built command?
> 
> For me the debug-mode of firehol creates "/sbin/iptables -t filter -A
> in_internet_dns_s1 -p udp --dport 53 -m state  --state NEW\,ESTABLISHED -j
> ACCEPT", 
> for you it seems to create "/sbin/iptables -t filter -A in_internet_dns_s1 -p
> udp --dport 53 -m state ", i.e. there is something cut off at the end.
> 

I also get the error message "/usr/sbin/firehol: line 2354: printf: write error: Erfolg" with firehol and bash version 3.1.16(1)-release.

My firehol debug output contains a number of lines that end with "-m state " and no entry with "--state NEW" or similar at all. 

Downgrading bash helped for a while but as the new version is required by other packages now this becomes a real problem. My system also uses the hardened use flag, but I don't want to drop that because on a system that hosts a firewall any additional security is helpful.
Comment 15 Dominik Stadler (RETIRED) gentoo-dev 2006-09-22 06:16:11 UTC
I'm not sure how hardened affects this as I don't have experience with it (yet). Maybe the hardened-herd can comment on what differences are there that could cause this?

Meanwhile I will take a look if patching firehol as suggested is possible.
Comment 16 Dominik Stadler (RETIRED) gentoo-dev 2006-11-07 11:56:25 UTC
Created attachment 101408 [details]
Testscript to test for problem with bash

Can somebody that sees this problem please run the attached test-script and post the output to the bug?

I cannot reproduce this here and am trying to get a grip at what is wrong here.
Comment 17 Peter Westwood 2006-11-07 12:05:20 UTC
(In reply to comment #16)
> Created an attachment (id=101408) [edit]
> Testscript to test for problem with bash
> 
> Can somebody that sees this problem please run the attached test-script and
> post the output to the bug?
> 
> I cannot reproduce this here and am trying to get a grip at what is wrong here.
> 

peter@epia (wireless:S.2) ~ 2 0.04 s $ curl -s "http://bugs.gentoo.org/attachment.cgi?id=101408&action=view" | bash
-m state --state NEW,ESTABLISHED
bash: line 8: printf: write error: Success

peter@epia (wireless:S.2) ~ 0 0.04 s $ bash --version
GNU bash, version 3.1.17(1)-release (i386-pc-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
peter@epia (wireless:S.2) ~ 0 0.02 s $ 
Comment 18 Bernard Cafarelli gentoo-dev 2006-11-07 14:53:27 UTC
(In reply to comment #17)
> -m state --state NEW,ESTABLISHED
> bash: line 8: printf: write error: Success

Same error confirmed here
Comment 19 Lourdes Jones 2006-11-08 00:47:36 UTC
(In reply to comment #16)
> Created an attachment (id=101408) [edit]
> Testscript to test for problem with bash
> 
> Can somebody that sees this problem please run the attached test-script and
> post the output to the bug?

# bash ./testbash2.sh
-m state --state NEW,ESTABLISHED
'' -A '' -m state '' --state NEW\,ESTABLISHED -j 

app-shells/bash-3.2_p3-r1
net-firewall/firehol-1.226-r1

The change suggested in comment #8 dropped the number of errors from 192 to 7. The remaining errors were from escaped quotes surrounding log prefixes which contain spaces. Instead of removing the quotes from "$@" I changed the format used in the printf from "%q " to "%b " which stops all errors for me.

I have not had time to trace this further to verify the lines are properly formed but a scan through "iptables -nL" seems to produce similar output to what I had before the updates.
Comment 20 Dominik Stadler (RETIRED) gentoo-dev 2006-12-28 13:00:55 UTC
I have now added Version 1.250 as "~x86 ~ppc" and replaced %q with %b in the printf-statements. Please check if this solves your problem.

The new version should be available on the mirrors soon.
Comment 21 Bernard Cafarelli gentoo-dev 2006-12-28 14:56:50 UTC
Good news, will test and report as soon as bug #159311 is fixed
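
The three printf forms that appear in this bug (the original line, the comment 8 workaround and the `%b` change from comments 19 and 20), run over a constructed iptables argument list to show how each treats an argument containing a space once the emitted line is parsed again. This is an added example, not code from firehol or from the bug's attachments; the function names and the sample rule are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# printf %q is a bash extension; re-run under bash if another shell started us.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# The three ways of writing out a command line discussed in the bug.
emit_q_quoted()   { printf "%q " "$@"; printf "\n"; }  # original firehol line
emit_q_unquoted() { printf "%q " $@;   printf "\n"; }  # comment 8 workaround
emit_b_quoted()   { printf "%b " "$@"; printf "\n"; }  # comments 19 and 20

# Constructed sample (not from the reporter's config): a rule whose
# log prefix contains a space. $1 is the emitter function to use.
run_sample() {
    "$1" /sbin/iptables -A in_internet -m state --state NEW,ESTABLISHED \
         -j LOG --log-prefix "SYN FLOOD"
}

# Parse an emitted line the way a shell would when the generated file is
# executed, and report how many arguments come back. eval is used here
# only on the constructed sample above.
count_args() {
    eval "set -- $1"
    echo "$#"
}

# Same re-parse, returning the last argument (the log prefix).
last_arg() {
    eval "set -- $1"
    shift $(( $# - 1 ))
    printf '%s' "$1"
}

# The sample rule has 11 arguments; print what each form preserves.
for f in emit_q_quoted emit_q_unquoted emit_b_quoted; do
    line=$(run_sample "$f")
    printf '%-16s args=%s last=[%s]\n' \
        "$f" "$(count_args "$line")" "$(last_arg "$line")"
done
```

On a current bash only the quoted `%q` form returns the original 11 arguments; the other two write the log prefix as two separate words, so the re-parsed command has 12.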