258343 – net-dns/ddclient-3.8.0: fails to update IP on hardened-gentoo

Bug 258343 - net-dns/ddclient-3.8.0: fails to update IP on hardened-gentoo

Summary: net-dns/ddclient-3.8.0: fails to update IP on hardened-gentoo

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Aaron W. Swenson

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2009-02-09 17:04 UTC by cilly
Modified:	2011-08-13 00:48 UTC (History)
CC List:	5 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
changed ebuild to use iproute2 (ddclient-ebuild.diff,538 bytes, patch) 2009-02-09 17:08 UTC, cilly	Details \| Diff
patch for ddclient to use iproute2 (ddclient-iproute2.patch,1.42 KB, patch) 2009-02-09 17:08 UTC, cilly	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description cilly 2009-02-09 17:04:01 UTC

Fails to update IP address on hardened-gentoo:

Feb  8 02:22:21 pluto [883845.727064] grsec: From 83.125.154.218: signal 11 sent to /sbin/ifconfig[ifconfig:25552] uid/euid:105/105 gid/egid:105/105, parent /bin/bash[sh:25551] uid/euid:105/105 gid/egid:105/105
Feb  8 02:22:21 pluto [883845.727110] grsec: From 83.125.154.218: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /sbin/ifconfig[ifconfig:25552] uid/euid:105/105 gid/egid:105/105, parent /bin/bash[sh:25551] uid/euid:105/105 gid/egid:105/105

ddclient should use iproute2 instead of ifconfig

Reproducible: Always

Comment 1 cilly 2009-02-09 17:08:05 UTC

Created attachment 181456 [details, diff]
changed ebuild to use iproute2

Comment 2 cilly 2009-02-09 17:08:45 UTC

Created attachment 181457 [details, diff]
patch for ddclient to use iproute2

Comment 3 cilly 2009-02-09 19:38:52 UTC

The patch was created for ddclient 3.7.1 but applies fine to ddclient 3.8.0, too.

Comment 4 kfm 2009-07-21 22:52:58 UTC

Cilly, are you sure this is caused by the use of a hardened setup? The log excerpt conveys the real issue which is that ifconfig is segfaulting. However, no conclusion can be drawn as to why on the basis of that alone. Which parameters are passed to ifconfig at that point? You could turn on exec logging to find out.

Comment 5 cilly 2009-07-22 06:57:37 UTC

> Cilly, are you sure this is caused by the use of a hardened setup? The log
> excerpt conveys the real issue which is that ifconfig is segfaulting. 

Talked a while ago with solar and the reason is, that ifconfig does not give the IP-address if executed as unprivileged user. This is a side-effect of hardened.

$ ifconfig
Warning: cannot open /proc/net/dev (No such file or directory). Limited output.

ddclient runs as user 'ddclient'.

Comment 6 kfm 2009-07-23 02:26:36 UTC

Ah, yes - I remember now. Turning on /proc restrictions (CONFIG_GRKERNSEC_PROC) exposes (the very much related) bug 238363. The real problem here is ifconfig; it is in a thoroughly dilapidated state and I agree that making use of iproute2 is a sensible thing to do.

Comment 7 Ciprian Ciubotariu 2010-12-29 23:18:25 UTC

I have just bumped into this very bug. I've checked the current 3.7.3-r1 and 3.8.0 ebuilds and neither include this patch. Any progress into releasing this?

I'll be switching to use=web as a workaround in the meantime.

Comment 8 Christian Ruppert (idl0r) gentoo-dev

2010-12-29 23:29:56 UTC

As a workaround for now add CONFIG_GRKERNSEC_PROC_USERGROUP=y and CONFIG_GRKERNSEC_PROC_GID=<groupid> then add the ddclient user to the proc group to allow it to access /proc/net/dev. That's how I do it on my box currently.

Comment 9 Aaron W. Swenson gentoo-dev

2011-08-12 12:34:57 UTC

It's been a while now. Does this issue still persist?

Comment 10 cilly 2011-08-12 13:00:41 UTC

(In reply to comment #9)
> It's been a while now. Does this issue still persist?

Yes.

Comment 11 cilly 2011-08-12 13:03:03 UTC

I'd suggest to add a hardened useflag to ddclient which inherits iproute2 and adds iproute patch. For non-hardened users, ifconfig will work as unprivileged user ddclient.

Comment 12 Aaron W. Swenson gentoo-dev

2011-08-12 13:05:14 UTC

(In reply to comment #11)
> I'd suggest to add a hardened useflag to ddclient which inherits iproute2 and
> adds iproute patch. For non-hardened users, ifconfig will work as unprivileged
> user ddclient.

My thoughts exactly. Thanks for the quick response. Look for a fix tonight.

Comment 13 Aaron W. Swenson gentoo-dev

2011-08-13 00:48:07 UTC

  13 Aug 2011; Aaron W. Swenson <titanofold@gentoo.org> +files/iproute2.patch,
  +ddclient-3.8.1-r1.ebuild, metadata.xml:
  Fixes bug 258343