Summary: | net-dns/ddclient-3.8.0: fails to update IP on hardened-gentoo | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | cilly <cilly> |
Component: | New packages | Assignee: | Aaron W. Swenson <titanofold> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | cheepeero, hardened, kfm, lars.lindley, matthewsmith |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
changed ebuild to use iproute2
patch for ddclient to use iproute2 |
Description
cilly
2009-02-09 17:04:01 UTC
Created attachment 181456 [details, diff]
changed ebuild to use iproute2
Created attachment 181457 [details, diff]
patch for ddclient to use iproute2
The patch was created for ddclient 3.7.1 but applies fine to ddclient 3.8.0, too. Cilly, are you sure this is caused by the use of a hardened setup? The log excerpt conveys the real issue which is that ifconfig is segfaulting. However, no conclusion can be drawn as to why on the basis of that alone. Which parameters are passed to ifconfig at that point? You could turn on exec logging to find out. > Cilly, are you sure this is caused by the use of a hardened setup? The log
> excerpt conveys the real issue which is that ifconfig is segfaulting.
Talked a while ago with solar and the reason is, that ifconfig does not give the IP-address if executed as unprivileged user. This is a side-effect of hardened.
$ ifconfig
Warning: cannot open /proc/net/dev (No such file or directory). Limited output.
ddclient runs as user 'ddclient'.
Ah, yes - I remember now. Turning on /proc restrictions (CONFIG_GRKERNSEC_PROC) exposes (the very much related) bug 238363. The real problem here is ifconfig; it is in a thoroughly dilapidated state and I agree that making use of iproute2 is a sensible thing to do. I have just bumped into this very bug. I've checked the current 3.7.3-r1 and 3.8.0 ebuilds and neither include this patch. Any progress into releasing this? I'll be switching to use=web as a workaround in the meantime. As a workaround for now add CONFIG_GRKERNSEC_PROC_USERGROUP=y and CONFIG_GRKERNSEC_PROC_GID=<groupid> then add the ddclient user to the proc group to allow it to access /proc/net/dev. That's how I do it on my box currently. It's been a while now. Does this issue still persist? (In reply to comment #9) > It's been a while now. Does this issue still persist? Yes. I'd suggest to add a hardened useflag to ddclient which inherits iproute2 and adds iproute patch. For non-hardened users, ifconfig will work as unprivileged user ddclient. (In reply to comment #11) > I'd suggest to add a hardened useflag to ddclient which inherits iproute2 and > adds iproute patch. For non-hardened users, ifconfig will work as unprivileged > user ddclient. My thoughts exactly. Thanks for the quick response. Look for a fix tonight. 13 Aug 2011; Aaron W. Swenson <titanofold@gentoo.org> +files/iproute2.patch, +ddclient-3.8.1-r1.ebuild, metadata.xml: Fixes bug 258343 |