Mailing List Archive

ripngd and privileged user
Hi,

We have an ipv6-ipv6 tunnel network for which we are using quagga/ripngd.
We would like to run the daemon with zebra user privileges. While the
zebra daemon and ripd daemon seem to be working fine, ripngd is having an
issue - it is unable to send or receive any ripng messages. Upon
investigation I find that the multicast join is failing with permission
denied as the error. Further tracing showed that the ripngd is first doing
a setruid to the zebra user and then trying to add itself to the multicast
group. Apparently it is unable to join with the lower level of privileges.
When we ran ripngd with root privileges, everything is fine. I suspect
that I did not create zebra user in the "right" way. Has anybody seen this
kind of an error? Or could suggest any solutions?

/etc/master.passwd
zebra:*:520:520::0:0:Zebra User:/nonexistent:/sbin/nologin

/etc/group
zebra:*:520:


Thanks.
Venkata
Re: ripngd and privileged user
> We have an ipv6-ipv6 tunnel network for which we are using
> quagga/ripngd. We would like to run the daemon with zebra user
> privileges. while the zebra daemon and ripd daemon seem to be
> working fine, ripngd is having an issue - it is unable to send or
> receive any ripng messages. Upon investigation I find that the
> multicast join is failing with permission denied as the error.
> Further tracing showed that the ripngd is first doing a setruid to
> the zebra user and then trying to add itself to the multicast
> group. Apparently it is unable to join with the lower level of
> privileges. When we ran ripngd with root privileges, everything is
> fine. I suspect that I did not create zebra user in the "right"
> way. Has anybody seen this kind of an error? or could suggest any
> solutions?
>
> /etc/master.passwd
> zebra:*:520:520::0:0:Zebra User:/nonexistent:/sbin/nologin
>
> /etc/group
> zebra:*:520:

No. I'm aware of the issue as well. What OS? Linux?

There is no problem with the created user. The problem is in quagga or the kernel.
Either ripngd is missing required capabilities or the kernel is missing
capabilities bits. As far as I remember, the second one ... (compiling
quagga without the libcap-dev package solved the problem).

I will look at the issue at the weekend if nobody does it before.

--
Hasso Tepper
Elion Enterprises Ltd.
WAN administrator
Re: ripngd and privileged user
> Date: Thu, 13 Nov 2003 09:11:46 +0200
> From: Hasso Tepper <hasso@estpak.ee>
> Subject: [quagga-dev 464] Re: ripngd and privileged user
> To: quagga-dev@lists.quagga.net
> Message-ID: <200311130911.46322.hasso@estpak.ee>
> Content-Type: text/plain; charset="iso-8859-1"
>
> > We have an ipv6-ipv6 tunnel network for which we are using
> > quagga/ripngd. We would like to run the daemon with zebra user
> > privileges. while the zebra daemon and ripd daemon seem to be
> > working fine, ripngd is having an issue - it is unable to send or
> > receive any ripng messages. Upon investigation I find that the
> > multicast join is failing with permission denied as the error.
> > Further tracing showed that the ripngd is first doing a setruid to
> > the zebra user and then trying to add itself to the multicast
> > group. Apparently it is unable to join with the lower level of
> > privileges. When we ran ripngd with root privileges, everything is
> > fine. I suspect that I did not create zebra user in the "right"
> > way. Has anybody seen this kind of an error? or could suggest any
> > solutions?
> >
> > /etc/master.passwd
> > zebra:*:520:520::0:0:Zebra User:/nonexistent:/sbin/nologin
> >
> > /etc/group
> > zebra:*:520:
>
> No. I'm aware of issue as well. What OS? Linux?

FreeBSD. Quagga port (0.96.2 version)

>
> There is no problem with created user. Problem is in quagga or kernel.
> Either ripngd is missing required capabilities or kernel is missing
> capabilities bits. As far as I remember, second one ... (compiling
> quagga without libcap-dev package solved problem).
>
> I will look at issue in the weekend if nobody does it before.
>
> --
> Hasso Tepper
> Elion Enterprises Ltd.
> WAN administrator
Re: ripngd and privileged user
OK. Seems to be a trivial problem. Can you try this patch? I could only test
it briefly.

--
Hasso Tepper
Elion Enterprises Ltd.
WAN administrator
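
Added example, not the patch referred to above and not Quagga code: one way to keep a daemon running as an unprivileged user while still performing the multicast join discussed in this thread is to raise the effective uid only around the `IPV6_JOIN_GROUP` call and lower it again immediately. The helper names are hypothetical, and the sketch assumes the daemon lowered only its effective uid, so the saved set-user-ID still allows the temporary raise.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose seteuid() and struct ipv6_mreq */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>

/* Join ff02::9 (the RIPng routers group) on ifindex. Returns 0 or -errno. */
static int ripng_join(int sock, unsigned int ifindex)
{
    struct ipv6_mreq mreq;
    memset(&mreq, 0, sizeof(mreq));
    if (inet_pton(AF_INET6, "ff02::9", &mreq.ipv6mr_multiaddr) != 1)
        return -EINVAL;
    mreq.ipv6mr_interface = ifindex;
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) < 0)
        return -errno;
    return 0;
}

/* Raise the effective uid to priv_uid for the join only, then lower it again.
 * Hypothetical helper: assumes the daemon dropped only its effective uid, so
 * the saved set-user-ID still permits seteuid(priv_uid). */
int ripng_join_privileged(int sock, unsigned int ifindex, uid_t priv_uid)
{
    uid_t run_uid = geteuid();
    int ret;

    if (seteuid(priv_uid) < 0)
        return -errno;            /* cannot raise: report it to the caller */
    ret = ripng_join(sock, ifindex);
    if (seteuid(run_uid) < 0 || geteuid() != run_uid)
        _exit(1);                 /* never continue with raised privileges */
    return ret;
}

int main(int argc, char **argv)
{
    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    /* Interface name is an assumption; 0 lets the kernel pick one. */
    int ret = ripng_join_privileged(sock, argc > 1 ? if_nametoindex(argv[1]) : 0, 0);
    printf("join: %s\n", ret ? strerror(-ret) : "ok");
    return ret ? 1 : 0;
}
```

If the process gave up its real and saved uids as well, the raise fails with `EPERM` and the join has to happen before privileges are dropped.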