[Bug 1232044] New: error using in ddclient due to systemd hardening effort
https://bugzilla.suse.com/show_bug.cgi?id=1232044

Bug ID: 1232044
Summary: error using in ddclient due to systemd hardening effort
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: gcomes.obs@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

After the recent update of ddclient to version 3.10.0 my configuration did not work properly anymore. In /var/log/messages I got:

WARNING: found neither IPv4 nor IPv6 address
WARNING: updating xxxxx: nochg: No update required; unnecessary attempts to change to the current address are considered abusive

with the last message repeated every 5 minutes. At first I thought ddclient was at fault (version 3.10.0 has several issues), but then I figured out that the problem was due to the systemd hardening effort: https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

In ddclient.conf I use:

use=cmd, cmd="ipmitool ...."

In /usr/lib/systemd/system/ddclient.service there is:

[Service]
PrivateDevices=true

which makes the ipmitool command executed by the ddclient process not report the correct information. This bug report is therefore for the security team. Let them evaluate how to properly fix the use case I have.

--
You are receiving this mail because: You are on the CC list for the bug.
Chenzi Cao <chcao@suse.com> changed:
  Assignee: screening-team-bugs@suse.de -> valentin.lefebvre@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c1

Valentin Lefebvre <valentin.lefebvre@suse.com> changed:
  CC: (added) security-team@suse.de
  Flags: (added) needinfo?(security-team@suse.de)

--- Comment #1 from Valentin Lefebvre <valentin.lefebvre@suse.com> ---
Thanks for the report! Indeed, `PrivateDevices=true` set in the ddclient service will cancel the access to the BMC interface needed by ipmitool.

SecurityTeam, could we have your light on the systemd hardening effort? Could it be possible to keep this restriction but allow access to the network interface using "DeviceAllow" in the systemd service file? Otherwise, do you have ideas how to correctly fix it?
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c2

Johannes Segitz <jsegitz@suse.com> changed:
  Flags: (removed) needinfo?(security-team@suse.de)

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
Yes, adding a DeviceAllow exception seems to be the best way. Will you submit for this or should I?
Johannes Segitz <jsegitz@suse.com> changed:
  CC: (added) jsegitz@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c3

Valentin Lefebvre <valentin.lefebvre@suse.com> changed:
  Status: NEW -> IN_PROGRESS

--- Comment #3 from Valentin Lefebvre <valentin.lefebvre@suse.com> ---
My apologies for the delay, I am just back from vacation.

(In reply to Johannes Segitz from comment #2)
> Yes, adding a DeviceAllow exception seems to be the best way. Will you submit for this or should I?

Thank you very much Johannes for your confirmation! I can do that, I just need to find the correct device to allow.
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c4

--- Comment #4 from Giacomo Comes <gcomes.obs@gmail.com> ---
That would be /dev/ipmi0
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c5

--- Comment #5 from Valentin Lefebvre <valentin.lefebvre@suse.com> ---
(In reply to Giacomo Comes from comment #4)
> That would be /dev/ipmi0

Many thanks! Could it also be /dev/ipmidev/0? I am also thinking to take care of all possible ipmi devices; maybe these two lines could handle all ipmi devices:

DeviceAllow=/dev/ipmi* rw
DeviceAllow=/dev/ipmidev/* rw

Unfortunately, I do not have any machines with a BMC. Would you be willing to test these lines in /usr/lib/systemd/system/ddclient.service please?
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c6

--- Comment #6 from Giacomo Comes <gcomes.obs@gmail.com> ---
According to systemd.resource-control(5), globbing wildcards are not available for device node path specifications. The proper line should be:

DeviceAllow=char-ipmidev rw

However, adding such a line alone does not work. I had to comment out too:

PrivateDevices=true

Johannes, is PrivateDevices=false required when DeviceAllow is used?
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c7

--- Comment #7 from Johannes Segitz <jsegitz@suse.com> ---
No, PrivateDevices should be set and then DeviceAllow defines exceptions.
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c8

--- Comment #8 from Giacomo Comes <gcomes.obs@gmail.com> ---
Using:

PrivateDevices=true
DeviceAllow=char-ipmidev rw

does not work. After further investigation I found that it is because /dev/ipmi0 is missing in the new /dev mount created by PrivateDevices=true. I did try with the line:

DeviceAllow=/dev/ipmi0 rwm

but still /dev/ipmi0 is missing from the /dev mount. Any suggestions?
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c9

--- Comment #9 from Valentin Lefebvre <valentin.lefebvre@suse.com> ---
(In reply to Giacomo Comes from comment #8)
> Using:
> PrivateDevices=true
> DeviceAllow=char-ipmidev rw
> does not work. After further investigation I found that it is because /dev/ipmi0 is missing in the new /dev mount created by PrivateDevices=true. I did try with the line:
> DeviceAllow=/dev/ipmi0 rwm
> but still /dev/ipmi0 is missing from the /dev mount.
>
> Any suggestions?

It seems that the mount should be done by the kernel modules ipmi_* (ipmi_devintf/ipmi_msghandler). Could you try to manually check with ipmitool? It should be:

ipmitool -I open chassis status

Maybe there will be more information. If not, what is the output of dmesg | grep -i ipmi?
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c10

--- Comment #10 from Giacomo Comes <gcomes.obs@gmail.com> ---
/dev/ipmi0 does normally exist. What I'm referring to is the service started with PrivateDevices=true. In that case the /dev mount contains only:

char core fd full hugepages log mqueue null ptmx pts random shm stderr stdin stdout tty urandom zero

No ipmi0. Looks to me that for this particular use case the setting should be:

PrivateDevices=false
DevicePolicy=closed
DeviceAllow=char-ipmidev rw

systemd.exec(5) says: When access to some but not all devices must be possible, the DeviceAllow= setting might be used instead (of PrivateDevices).
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c11

--- Comment #11 from Johannes Segitz <jsegitz@suse.com> ---
I think systemd changed behaviour there. I'll spin up a VM and check it myself.
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c12

--- Comment #12 from Johannes Segitz <jsegitz@suse.com> ---
Weird, I can't get this to work at all. The settings

PrivateDevices=false
DevicePolicy=closed
DeviceAllow=char-ipmidev rw

result in all devices being available to the service. I'll need to dig deeper.
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c13

--- Comment #13 from Giacomo Comes <gcomes.obs@gmail.com> ---
With PrivateDevices=false all the devices are available in /dev, but only access to the one specified with DeviceAllow= works. For example, I tried with:

PrivateDevices=false
DevicePolicy=closed
DeviceAllow=/dev/sda rw

In this case, ipmitool didn't work although /dev/ipmi0 did exist.
https://bugzilla.suse.com/show_bug.cgi?id=1232044#c14

--- Comment #14 from Johannes Segitz <jsegitz@suse.com> ---
Yes, that's what I figured out by now. I always assumed that

DevicePolicy=closed
DeviceAllow=/dev/sda rw

would result in other devices not being available, similarly to PrivateDevices=true. But they're just not writeable. That confused me when I created a reverse shell from a service to be able to inspect it.

PrivateDevices=true must not be used in conjunction with the other options, as it's intended as a one-stop flag for services that don't need any devices. So the settings in c10 are the correct settings.
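The thread ends on two distinct device-sandboxing mechanisms that are easy to confuse: PrivateDevices=true mounts a private /dev that only contains pseudo-devices (comment #10), so a DeviceAllow= line cannot make /dev/ipmi0 appear (comment #8); DevicePolicy=closed plus DeviceAllow= leaves /dev intact and instead uses the cgroup device filter, so other nodes stay visible but cannot be opened (comments #13 and #14). The following POSIX-sh checker is an added example, not part of the bug report, the ddclient package or systemd: it reads the [Service] section of a unit and classifies which of the two regimes is in effect, flagging the masked combination from comment #8. The unit texts are constructed samples, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug or ddclient): classify the device-sandboxing
# keys in a systemd unit's [Service] section. Constructed sample units follow.

# Comment #8: DeviceAllow= under PrivateDevices=true is masked, because the
# private /dev never contains /dev/ipmi0 in the first place.
UNIT_BROKEN='[Unit]
Description=ddclient (constructed sample, comment #8 settings)

[Service]
ExecStart=/usr/bin/ddclient -foreground
PrivateDevices=true
DeviceAllow=char-ipmidev rw'

# Comment #10 (confirmed in #14): keep the host /dev, filter with the cgroup
# device controller, and allowlist only the IPMI character devices.
UNIT_FIXED='[Unit]
Description=ddclient (constructed sample, comment #10 settings)

[Service]
ExecStart=/usr/bin/ddclient -foreground
PrivateDevices=false
DevicePolicy=closed
DeviceAllow=char-ipmidev rw'

# Legitimate one-stop hardening for a service that needs no devices at all.
UNIT_PRIVATE_ONLY='[Service]
ExecStart=/usr/bin/true
PrivateDevices=true'

# No device restriction whatsoever.
UNIT_UNHARDENED='[Service]
ExecStart=/usr/bin/true'

# device_verdict UNIT_TEXT -> prints one of:
#   masked    PrivateDevices=true together with DeviceAllow= (exception ineffective)
#   private   PrivateDevices=true alone (private /dev with pseudo-devices only)
#   allowlist DeviceAllow= exceptions enforced by the cgroup device filter
#   closed    DevicePolicy=closed/strict with no exceptions
#   open      no device sandboxing configured
# Only [Service] is inspected; an empty "DeviceAllow=" resets the list, as in
# systemd. Per systemd.resource-control(5) the default DevicePolicy=auto
# behaves like closed as soon as any DeviceAllow= is present, so an allowlist
# is reported whether or not DevicePolicy= was spelled out.
device_verdict() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service { next }
        /^PrivateDevices=/ { pd = tolower(substr($0, 16)) }
        /^DevicePolicy=/   { dp = tolower(substr($0, 14)) }
        /^DeviceAllow=/    { if (substr($0, 13) == "") allow = 0; else allow++ }
        END {
            private = (pd == "true" || pd == "yes" || pd == "on" || pd == "1")
            closed  = (dp == "closed" || dp == "strict")
            if (private && allow > 0)      print "masked"
            else if (private)              print "private"
            else if (allow > 0)            print "allowlist"
            else if (closed)               print "closed"
            else                           print "open"
        }'
}

# On a real host the two regimes can be observed directly, e.g.
#   systemd-run --wait --pipe -p PrivateDevices=true ls /dev
# shows the pseudo-device-only /dev from comment #10, whereas
#   systemd-run --wait --pipe -p DevicePolicy=closed -p "DeviceAllow=char-ipmidev rw" ls -l /dev
# lists the full host /dev, with open() on non-allowlisted nodes failing.

printf 'comment #8  settings: %s\n' "$(device_verdict "$UNIT_BROKEN")"
printf 'comment #10 settings: %s\n' "$(device_verdict "$UNIT_FIXED")"
printf 'PrivateDevices only : %s\n' "$(device_verdict "$UNIT_PRIVATE_ONLY")"
printf 'no device keys      : %s\n' "$(device_verdict "$UNIT_UNHARDENED")"
```

Run it against a drop-in produced by `systemctl edit ddclient.service` (or the merged output of `systemctl cat ddclient.service`) to catch the comment #8 pattern before restarting the service; a "masked" verdict means the exception will never take effect and the fix is to switch to the comment #10 combination, not to add more DeviceAllow= lines.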