Package: powerman Version: 2.3.5-1 Severity: normal Dear Maintainer,
Although powermand uses tcpwrappers to control access to the server, some tcpwrappers features do not function. Notably "banners" does not cause a message to be produced on a refused connection, and powermand does not determine the user making the access. This latter means that even if access is restricted to "localhost", all users on the the local host will have unrestricted access to the powerman server. The following test script demonstrates the problems. Lines marked "expected behaviour" show where the bugs are demonstrated. * install test tools <pre> root@jessie:~# aptitude install ident2 strace telnet lsof </pre> * configure to use tcpwrappers: ** edit /etc/powerman/powerman.conf <pre> tcpwrappers yes </pre ** edit /etc/hosts.deny <pre> powermand : ALL EXCEPT localhost : banners /usr/local/tcpwrap : rfc931 </pre> * create /usr/local/tcpwrap/powermand <pre> root@jessie:~# mkdir -p /usr/local/tcpwrap root@jessie:~# echo 'Test: user: %u' >/usr/local/tcpwrap/powermand root@jessie:~# chmod 755 /usr/local/tcpwrap root@jessie:~# chmod 644 /usr/local/tcpwrap/powermand </pre> * restart powermand <pre> root@jessie:~# /etc/init.d/powerman stop root@jessie:~# /etc/init.d/powerman start </pre> * attempt to connect from another system <pre> wuth@wheezy:~$ telnet jessie 10101 Trying 192.168.23.90... telnet: Unable to connect to remote host: Connection refused wuth@wheezy:~$ </pre> ** Expected behaviour: contents of /usr/local/tcpwrap/powermand should be displayed and then connection closed. * attempt to connect from local system <pre> wuth@jessie:~$ telnet localhost 10101 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 001 2.3.5 powerman> </pre> * leave session connected and proceed in another shell. * identify source and destination ports <pre> root@jessie:~# ps ax | grep 10101 3596 console S+ 0:00 telnet localhost 10101 3608 pts/2 D+ 0:00 grep 10101 root@jessie:~# lsof | grep 3596 | grep 10101 telnet 3596 wuth 3u IPv4 915394 0t0 TCP localhost:42133->localhost:10101 (ESTABLISHED) root@jessie:~# </pre> ** in this case source is 42133; destination is 10101 * verify identd is working <pre> root@jessie:~# telnet localhost ident Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 42133,10101 42133 , 10101 : USERID : UNIX : wuth Connection closed by foreign host. root@jessie:~# </pre> * terminate session <pre> powerman> quit 101 Goodbye Connection closed by foreign host. wuth@jessie:~$ </pre> * restrict tcpwrappers access to specified user ** edit /etc/hosts.deny <pre> powermand : ALL EXCEPT wuth@localhost : banners /usr/local/tcpwrap : rfc931 </pre> * retest access <pre> wuth@jessie:~$ telnet localhost 10101 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Connection closed by foreign host. wuth@jessie:~$ </pre> ** expected behaviour: connection should be established * restrict tcpwrappers access to root ** edit /etc/hosts.deny <pre> powermand : ALL EXCEPT root@localhost : banners /usr/local/tcpwrap : rfc931 </pre> * instrument for debugging with strace ** create /usr/sbin/powermand-strace <pre> #!/bin/bash /usr/bin/strace -o /tmp/powermand.$$.strace /usr/sbin/powermand.true "$@" </pre> ** install <pre> root@jessie:~# chmod 755 /usr/sbin/powermand-strace root@jessie:~# mv /usr/sbin/powermand /usr/sbin/powermand.true root@jessie:~# ln -s /usr/sbin/powermand-strace /usr/sbin/powermand </pre> * restart powermand for debugging with strace <pre> root@jessie:~# /etc/init.d/powerman stop root@jessie:~# su -s /bin/bash powerman -c "PATH=/sbin:/usr/sbin:$PATH powermand -f" powermand.true: _pipe_connect(plm): opened on /dev/pts/1 </pre> * attempt connection <pre> wuth@jessie:~$ telnet localhost 10101 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Connection closed by foreign host. wuth@jessie:~$ </pre> * terminate powermand <pre> powermand.true: _create_client: tcp wrappers denies localhost:42310 ^C Session terminated, terminating shell...powermand.true: _pipe_disconnect(plm): /usr/sbin/plmpower terminated with signal 1 powermand.true: exiting on signal 2 ...terminated. ...killed. root@jessie:~# </pre> * examine /tmp/powermand.*.strace ** note lines where /usr/local/tcpwrap/powermand is processed <pre> read(7, "Test: user: %u\n", 4096) = 15 write(-1, "Test: user: unknown\r\n", 21) = -1 EBADF (Bad file descriptor) </pre> *** Expected behaviour: valid file description (not "-1") *** Expected behaviour: "unknown" should be user name "wuth" -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages powerman depends on: ii adduser 3.113+nmu3 ii libc6 2.19-18 ii libcurl3-gnutls 7.38.0-4+deb8u2 ii libgenders0 1.21-1+b1 ii libwrap0 7.6.q-25 powerman recommends no packages. powerman suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
