[Bug 820578] New: Wrong permission on hosts.deny
https://bugzilla.novell.com/show_bug.cgi?id=820578
https://bugzilla.novell.com/show_bug.cgi?id=820578#c0

Summary: Wrong permission on hosts.deny
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: k.fb@vink-slott.dk
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

The fail2ban update today from http://download.opensuse.org/repositories/security/openSUSE_12.2 broke my system. During startup permission on /etc/hosts.deny is set to 600 preventing openldap and other programs not running as root to run.

Reproducible: Always

Steps to Reproduce:
1. configure fail2ban to use denyhost
   /etc/fail2ban/jail.local:
     [ssh-tcpwrapper]
     enabled = true
     filter = sshd
     action = hostsdeny
     logpath = /var/log/messages
2. systemctl restart fail2ban.service

Actual Results:
  ls -l /etc/hosts.deny
  -rw------- 1 root root 149 18 maj 19:01 /etc/hosts.deny

Expected Results:
  ls -l /etc/hosts.deny
  -rw-r--r-- 1 root root 149 18 maj 19:01 /etc/hosts.deny

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=820578#c1

Marcus Meissner <meissner@suse.com> changed:

  What         | Removed | Added
  ----------------------------------------------
  Status       | NEW     | NEEDINFO
  CC           |         | meissner@suse.com
  InfoProvider |         | k.fb@vink-slott.dk

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-06-19 09:42:22 UTC ---

any idea who wrote this /etc/hosts.deny file? (look inside to see if there is a note on who wrote it)

our standard is mode 644.

https://bugzilla.novell.com/show_bug.cgi?id=820578#c2

--- Comment #2 from Johannes Weberhofer <jweberhofer@weberhofer.at> 2013-06-19 15:38:11 CEST ---

Klaus, can you please check /etc/fail2ban/action.d/hostsdeny.conf? All related commands are defined there. Did you modify the user's default file masks?

fail2ban creates a new /etc/hosts.deny file upon removing entries which could happen on a restart of fail2ban...

https://bugzilla.novell.com/show_bug.cgi?id=820578#c3

--- Comment #3 from Johannes Weberhofer <jweberhofer@weberhofer.at> 2013-06-19 15:41:14 CEST ---

You could try to use the following line to ensure keeping the old permissions (have not tested that):

  actionunban = IP=<ip> && sed /ALL:\ $IP/d <file> > <file>.new && chmod --reference <file>.new <file> && mv <file>.new <file>

https://bugzilla.novell.com/show_bug.cgi?id=820578#c4

--- Comment #4 from Johannes Weberhofer <jweberhofer@weberhofer.at> 2013-06-19 19:37:35 CEST ---

Sorry, must be the other way round:

  actionunban = IP=<ip> && sed /ALL:\ $IP/d <file> > <file>.new && chmod --reference <file> <file>.new && mv <file>.new <file>

https://bugzilla.novell.com/show_bug.cgi?id=820578#c5

Klaus Vink Slott <k.fb@vink-slott.dk> changed:

  What         | Removed            | Added
  ----------------------------------------------
  Status       | NEEDINFO           | NEW
  InfoProvider | k.fb@vink-slott.dk |

--- Comment #5 from Klaus Vink Slott <k.fb@vink-slott.dk> 2013-06-25 08:00:59 UTC ---

Sorry, I somehow missed feedback mail from bugzilla.

As a reply to comment 1:
/etc/hosts.deny is original as delivered with netcfg-11.5-12.1.1.noarch and subsequently only modified by fail2ban

As reply to comment 2:
I did not modify /etc/fail2ban/action.d/hostsdeny.conf in my first test. I don't remember modifying umask but I can't deny it. Currently it is 0002

As reply to comment 4:
After I posted my first post I found the problematic line and replaced it by:

  actionunban = IP=<ip> && sed -i /ALL:\ $IP/d <file>

Tested and working :-) I guess that your solution will work as well.
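
Added example, not part of the original thread and not fail2ban's own code: a shell check that compares the resulting file mode for the unban variants discussed in comments 2 to 5. It assumes GNU sed, chmod and stat, works on a constructed file in a temp directory, and assumes the unmodified action is the redirect-and-mv form running under a restrictive umask of 077; the names make_file and unban_mode are hypothetical.

```shell
#!/bin/sh
# Constructed demo: runs in a temp directory, never touches /etc/hosts.deny.
# Assumptions: GNU sed/chmod/stat; the daemon's umask is 077 (not stated
# in the thread, chosen here because it yields the reported mode 600).

# make_file DIR: create a sample hosts.deny with the expected mode 644.
make_file() {
    printf 'ALL: 192.0.2.10\nALL: 192.0.2.20\n' > "$1/hosts.deny"
    chmod 644 "$1/hosts.deny"
}

# unban_mode VARIANT: remove one entry using the given variant while
# umask 077 is in effect, then print the file's octal mode.
# The body is a subshell, so the umask change does not leak out.
unban_mode() (
    dir=$(mktemp -d) || exit 1
    make_file "$dir"
    f="$dir/hosts.deny"
    IP=192.0.2.10
    umask 077
    case "$1" in
        redirect)   # new file + mv: the mode is derived from the umask
            sed "/ALL: $IP/d" "$f" > "$f.new" && mv "$f.new" "$f" ;;
        reference)  # comment 4: copy the old file's mode before the mv
            sed "/ALL: $IP/d" "$f" > "$f.new" &&
                chmod --reference "$f" "$f.new" && mv "$f.new" "$f" ;;
        inplace)    # comment 5: GNU sed -i keeps the original file's mode
            sed -i "/ALL: $IP/d" "$f" ;;
    esac
    stat -c %a "$f"
    rm -rf "$dir"
)

for v in redirect reference inplace; do
    printf '%-10s %s\n' "$v" "$(unban_mode "$v")"
done
```

Only the redirect variant ends up with a file that non-root services can no longer read.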

https://bugzilla.novell.com/show_bug.cgi?id=820578#c6

Johannes Weberhofer <jweberhofer@weberhofer.at> changed:

  What         | Removed | Added
  ----------------------------------------------
  Status       | NEW     | CLOSED
  Resolution   |         | FIXED

--- Comment #6 from Johannes Weberhofer <jweberhofer@weberhofer.at> 2013-06-25 10:18:36 CEST ---

Thank you for reporting. I have opened an issue on github: https://github.com/fail2ban/fail2ban/issues/266

I think the issue can be closed, as it seems to be related to your configuration. Please reopen, if you think a fix should be included into the RPM version.