Debian Bug report logs -
#487434
vde ctl permission
Reported by: Matthew King <matthew.king@monnsta.net>
Date: Sat, 21 Jun 2008 20:09:01 UTC
Severity: wishlist
Found in version vde2/2.2.1-1
Fixed in version vde2/2.2.2-2
Done: Filippo Giunchedi <filippo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian VSquare Team <pkg-vsquare-devel@lists.alioth.debian.org>:
Bug#487434; Package vde2.
Acknowledgement sent to Matthew King <matthew.king@monnsta.net>:
New Bug report received and forwarded. Copy sent to Debian VSquare Team <pkg-vsquare-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: vde2
Version: 2.2.1-1
Severity: wishlist
Improve the permission on /var/run/vde2 and /var/run/vde2/*.ctl (or
whatever ctl file is chosen).
First I should indicate that I can see no reason why 2775 (i.e. o+rx) is
a bad idea on /var/run/ctl. Any user who can run ps or ifconfig can
guess what's inside. If there is a compelling reason why this is a bad
thing then so be it.
On the other hand, if it remains 2770 then anybody who wishes to connect
a vde port must be in the vde2-net group, which also grants access to
write to the /var/run/vde2 directory and, by extension, connect to the
management port.
The attached patch allows one group (passed to vde_switch) to be given
rights to connect to ports while another (vde2-net) gets authority to
manage the switch itself.
If vde_switch is passed -g vmuser, then the various directories look
like (with one port attached):
drwxrwsr-x 3 vde2-net vde2-net 4096 2008-06-21 20:27 /var/run/vde2
drwxrws--- 2 root vmuser 4096 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl
srwx------ 1 mking vmuser 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/002
srw-rw---- 1 root vmuser 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/ctl
srw-rw---- 1 root vde2-net 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.mgmt
-rw-r--r-- 1 root vde2-net 6 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.pid
Matthew
diff -ur vde2-2.2.1/debian/network/if-pre-up.d/vde2 vde2-2.2.1-owner/debian/network/if-pre-up.d/vde2
--- vde2-2.2.1/debian/network/if-pre-up.d/vde2 2008-06-21 20:52:48.000000000 +0100
+++ vde2-2.2.1-owner/debian/network/if-pre-up.d/vde2 2008-06-21 19:58:17.000000000 +0100
@@ -21,7 +21,7 @@
if [ ! -d /var/run/vde2 ]; then
mkdir -p /var/run/vde2
chown vde2-net:vde2-net /var/run/vde2
- chmod 2770 /var/run/vde2
+ chmod 2775 /var/run/vde2
fi
# vde2-switch [-|<args>]
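Review bot: the new 'chmod 2775' sits inside 'if [ ! -d /var/run/vde2 ]', so a directory that already exists keeps mode 2770 and such a host behaves differently from one where this script creates the directory; consider applying the mode outside the existence test or documenting the difference. With o+rx on the parent, access control for each switch rests entirely on the modes of the entries below it, which deserves a comment next to the chmod.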
diff -ur vde2-2.2.1/debian/postinst vde2-2.2.1-owner/debian/postinst
--- vde2-2.2.1/debian/postinst 2008-06-21 20:52:48.000000000 +0100
+++ vde2-2.2.1-owner/debian/postinst 2008-06-21 20:58:55.000000000 +0100
@@ -13,7 +13,7 @@
if ! dpkg-statoverride --list /var/run/vde2 >/dev/null; then
chown vde2-net:vde2-net /var/run/vde2
- chmod 2770 /var/run/vde2
+ chmod 2775 /var/run/vde2
fi
if [ ! -e /dev/.devfsd ] && [ ! -e /dev/net/tun ]; then
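Review bot: on upgrade this 'chmod 2775' widens an existing 2770 directory to world-readable and searchable unless a dpkg-statoverride entry exists, and nothing in the hunk tells the administrator; a changelog or NEWS entry naming the new mode would cover that. The mode is now hard-coded both here and in if-pre-up.d/vde2, so a cross-reference comment in each file would keep the two from drifting apart.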
diff -ur vde2-2.2.1/src/vde_switch/datasock.c vde2-2.2.1-owner/src/vde_switch/datasock.c
--- vde2-2.2.1/src/vde_switch/datasock.c 2008-06-15 17:49:16.000000000 +0100
+++ vde2-2.2.1-owner/src/vde_switch/datasock.c 2008-06-21 20:22:19.000000000 +0100
@@ -418,6 +418,10 @@
printlog(LOG_ERR,"Could not set the VDE ctl directory '%s' permissions: %s", ctl_socket, strerror(errno));
exit(-1);
}
+ if(chown(ctl_socket,-1,grp_owner) < 0) {
+ printlog(LOG_ERR, "Could not chown the VDE ctl directory '%s': %s", ctl_socket, strerror(errno));
+ exit(-1);
+ }
sun.sun_family = AF_UNIX;
snprintf(sun.sun_path,sizeof(sun.sun_path),"%s/ctl",ctl_socket);
if(bind(connect_fd, (struct sockaddr *) &sun, sizeof(sun)) < 0){
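Review bot: 'grp_owner' in the added 'chown(ctl_socket,-1,grp_owner)' is neither declared nor initialised in the visible lines, so its value when no -g is given needs checking: it should default to (gid_t)-1 so that the call leaves the group unchanged instead of assigning gid 0. The bare -1 for the owner argument would also read better as (uid_t)-1.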
--
I must take issue with the term "a mere child", for it has been my
invariable experience that the company of a mere child is infinitely
preferable to that of a mere adult.
-- Fran Lebowitz
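The two-group layout described in the message above can be checked mechanically. This is an added example, not part of the original report or of vde2: it audits an ls -l style listing against that layout, and the names audit_vde_listing, sample_report and sample_broken, as well as the broken sample itself, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the report): audit an `ls -l` style listing against
# the two-group split. Function names and sample_broken are hypothetical.

# Prints one line per violation on stderr and the violation count on stdout.
audit_vde_listing() {
    port_group=$1; mgmt_group=$2; violations=0
    while read -r mode _links _owner group _size _date _time path; do
        [ -n "$path" ] || continue
        other=${mode#???????}              # drop type, user and group bits
        other=${other%"${other#???}"}      # keep only the three "other" bits
        case $path in
            *.mgmt)        want=$mgmt_group; closed=yes ;;  # management plane
            *.ctl|*.ctl/*) want=$port_group; closed=yes ;;  # data plane
            *)             want=$group;      closed=no  ;;  # run dir, pid file
        esac
        bad=
        [ "$group" = "$want" ] || bad="group is $group, expected $want"
        [ "$closed" = no ] || [ "$other" = "---" ] ||
            bad="${bad:+$bad; }open to other ($other)"
        case $other in ?w?) bad="${bad:+$bad; }world-writable" ;; esac
        if [ -n "$bad" ]; then
            echo "VIOLATION $path: $bad" >&2
            violations=$((violations + 1))
        fi
    done
    echo "$violations"
}

# Listing quoted in the report (vde_switch run with -g vmuser).
sample_report() { cat <<'EOF'
drwxrwsr-x 3 vde2-net vde2-net 4096 2008-06-21 20:27 /var/run/vde2
drwxrws--- 2 root vmuser 4096 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl
srwx------ 1 mking vmuser 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/002
srw-rw---- 1 root vmuser 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/ctl
srw-rw---- 1 root vde2-net 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.mgmt
-rw-r--r-- 1 root vde2-net 6 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.pid
EOF
}
# Constructed counter-example: management socket handed to the port group.
sample_broken() { cat <<'EOF'
drwxrwsr-x 3 vde2-net vde2-net 4096 2008-06-21 20:27 /var/run/vde2
srw-rw-rw- 1 root vmuser 0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.mgmt
EOF
}

sample_report | audit_vde_listing vmuser vde2-net   # prints 0
sample_broken | audit_vde_listing vmuser vde2-net   # prints 1
```

On a live host the same function can be fed the output of ls -l for the run directory, provided the listing uses the same column layout as the one in the report.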
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VSquare Team <pkg-vsquare-devel@lists.alioth.debian.org>:
Bug#487434; Package vde2.
Acknowledgement sent to Ludovico Gardenghi <garden@acheronte.it>:
Extra info received and forwarded to list. Copy sent to Debian VSquare Team <pkg-vsquare-devel@lists.alioth.debian.org>.
Message #10 received at 487434@bugs.debian.org:
On Sat, Jun 21, 2008 at 09:06:29PM +0100, Matthew King wrote:
> Improve the permission on /var/run/vde2 and /var/run/vde2/*.ctl (or
> whatever ctl file is chosen).
Could you please take a look at the SVN revision r310 and check if it
addresses the issue?
Thanks,
Ludovico
--
<garden@acheronte.it> #acheronte (irc.freenode.net) ICQ: 64483080
GPG ID: 07F89BB8 Jabber: gardengl@gmail.com Yahoo: gardenghelle
-- This is signature nr. 4233
Reply sent
to Filippo Giunchedi <filippo@debian.org>:
You have taken responsibility.
(Wed, 08 Oct 2008 21:42:18 GMT)
Notification sent
to Matthew King <matthew.king@monnsta.net>:
Bug acknowledged by developer.
(Wed, 08 Oct 2008 21:42:18 GMT)
Message #15 received at 487434-close@bugs.debian.org:
Source: vde2
Source-Version: 2.2.2-2
We believe that the bug you reported is fixed in the latest version of
vde2, which is due to be installed in the Debian FTP archive:
libvdemgmt0-dev_2.2.2-2_amd64.deb
to pool/main/v/vde2/libvdemgmt0-dev_2.2.2-2_amd64.deb
libvdemgmt0_2.2.2-2_amd64.deb
to pool/main/v/vde2/libvdemgmt0_2.2.2-2_amd64.deb
libvdeplug2-dev_2.2.2-2_amd64.deb
to pool/main/v/vde2/libvdeplug2-dev_2.2.2-2_amd64.deb
libvdeplug2_2.2.2-2_amd64.deb
to pool/main/v/vde2/libvdeplug2_2.2.2-2_amd64.deb
vde2-cryptcab_2.2.2-2_amd64.deb
to pool/main/v/vde2/vde2-cryptcab_2.2.2-2_amd64.deb
vde2_2.2.2-2.diff.gz
to pool/main/v/vde2/vde2_2.2.2-2.diff.gz
vde2_2.2.2-2.dsc
to pool/main/v/vde2/vde2_2.2.2-2.dsc
vde2_2.2.2-2_amd64.deb
to pool/main/v/vde2/vde2_2.2.2-2_amd64.deb
vde_2.2.2-2_all.deb
to pool/main/v/vde2/vde_2.2.2-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 487434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Filippo Giunchedi <filippo@debian.org> (supplier of updated vde2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 01 Oct 2008 14:00:40 +0200
Source: vde2
Binary: vde2 vde vde2-cryptcab libvdeplug2-dev libvdeplug2 libvdemgmt0-dev libvdemgmt0
Architecture: source amd64 all
Version: 2.2.2-2
Distribution: unstable
Urgency: low
Maintainer: Debian VSquare Team <pkg-vsquare-devel@lists.alioth.debian.org>
Changed-By: Filippo Giunchedi <filippo@debian.org>
Description:
libvdemgmt0 - Virtual Distributed Ethernet - Management console library
libvdemgmt0-dev - Virtual Distributed Ethernet - Mgmt console development files
libvdeplug2 - Virtual Distributed Ethernet - Plug library
libvdeplug2-dev - Virtual Distributed Ethernet - Plug development files
vde - transitional dummy package which can be safely removed
vde2 - Virtual Distributed Ethernet
vde2-cryptcab - Virtual Distributed Ethernet - CryptCab
Closes: 487434
Changes:
vde2 (2.2.2-2) unstable; urgency=low
.
* Add DM-Upload-Allowed field
* Add Luca Bigliardi as Uploader/DM
* Backport fixes from upstream 2.2.3 into debian/patches:
- allow_mgmtgroup.patch:
add options for group permission on sockets (Closes: #487434)
fix a segfault in handle_input with commandline scripts
- dbgout_prototype_change.patch:
change debug function prototype to include port number
- fix_loop_noarg.patch:
fix an infinite loop in vdeq when provided wrong arguments
- fix_output_cosmetic.patch:
fix usage output in wirefilter
- plugin_fixes.patch:
various fixes in pdump and dump plugins
- remove_numports_limit.patch:
remove the 255 ports limit in vde_plug and vde_plug2tap
fix a segfault while resizing the switch
- vde_kvdeswitchfix.patch:
fixes for kvde_switch
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 30 Nov 2008 07:53:18 GMT)
Last modified:
Sun Jul 2 04:08:48 2023;