[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

story - part 3



Hi, this time few tests of rlinetd-199908051 snapshot.

1)
for my one bad service entry rlinetd said:
Aug  6 21:02:29 linstar rlinetd[4016]: socket() failed for service test: Bad file descriptor
Aug  6 21:02:29 linstar rlinetd[4016]: rlinetd configuration (re)loaded, 13864 bytes used

Fix for wrong error handling (grammar.y):

	if((fd = socket(family, socktype, protocol)) < 0) {
-		close(fd);
		lasterror = strerror(errno);
+		close(fd);
		errfunc = "socket()";
		goto out;

This fix should be added everywhere where is needed (ie after bind(), listen(), fcntl()
but most important is after socket()).

2)
This my "bad service entry" was duble file:
root@linstar /root# ls -l /etc/rlinetd.d/
razem 2
-rw-------    1 root     root          168 sie  6 22:18 test
-rw-------    1 root     root          168 sie  6 22:11 test~

IMHO rlinetd should ignore all files ".*~" || ".*.bak"
(".*rpmnew", ".*.rpmorig", ".*.rpmsave",too - files on system where
rpm packet manager is used) etc. These files are usually backups.

3) still existing bug. Now I have working getaddrinfo() - compilant with proper RFC.
family ipv6; and rlinetd listen on IPv4 addresses, too.
Trying 127.0.0.1.3000...
Connected to localhost.
Escape character is '^]'.

For new users on this list - binding (with family set to AF_INET6)
to "in6addr_any" (IN6ADDR_ANY_INIT) will cause binding to IPv4 interfaces,
too (this is RFC compilant) !!

So IMHO family ipv6; must be done in another way than only setting
ai_family to AF_INET6 before getaddrinfo(). Sorry - no bonus.

4) Setting limits still doesn't work.
if(setrlimit(*++op, rlimittab_get(*++op))) {
wrong args are passed to setrlimit() ...:

    rlimit nproc {
        soft 5;
        hard 10;
        }
and:
Aug  6 23:35:29 linstar rlinetd[12437]: Running setrlimit 0, rlim_cur 21, rlim_max 8
(0 == RLIMIT_CPU)

For example my change to bytecode.c:

	case OP_RLIMIT:
	if(setrlimit(*op, rlimittab_get(*(op+2))) < 0) {
		rl_fail1("setrlimit");
	}
        	op=op+2;
        break;

and this will work fine but _only_ if one rlimit xxx {} is specified in config.file for
specified service.... Now you know where is problem so fix it ;-)

5) chroot() is cool but when I run service as user "nobody":
Aug  7 11:42:50 linstar rlinetd[2111]: chroot("/test"): Permission denied
but service is executed and it's running in nonchroot()ed enviroment !!
IMHO it should fail (for security reason).

Another thing with chroot(). It's chroot()ing after setuid() so if I specify
user "some_user_other_than_root"; chrooting always fail ;-( IMHO chroot()
should be executed _before_ setuid(). 

6) on *BSD/KAME (www.kame.net) rlinetd should link with libinet6.a for
getaddrinfo() and other IPv6 functions...

More tests when I will get new snapshot ;-)

bye,

-- 
arkadiusz miśkiewicz        [misiek@misiek.eu.org]
[P]olish [L]inux [D]istribution with IPv6 support
http://www.ipv6.pld.org.pl/ http://www.pld.org.pl/