Bug#329304: fail2ban: fails to ban because iptables not in path

Tue, 20 Sep 2005 21:48:19 -0700 

Hi Jeroen,

I'm just trying to figure out where is the source of the problem because
you seems to be your case is quite unique -- as you will see, I am
running the same kind of Debian system and fail2ban without any such
weird side effect

Are you starting fail2ban manually or using /etc/init.d/fail2ban script
(shipped with the package) which DOES define the PATH to include
sbin in any case?

> Okay...  I don't think I've modified either from a standard Debian
> setup, but I'll see what I can find out.  Here's what I have in
> /etc/profile:
>       PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
indeed, on some debian systems which were installed a while ago I also
have just this definition of PATH, whenever on more or less fresh ones I
have

if [ "`id -u`" -eq 0 ]; then
  
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
else
  PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
fi

so for root shell sbin directtories are added  explicitely at that
point if it is root

the interesting point is that on "old" systems I run fail2ban without
any problem and sbin is withing PATH of that process (checked in
/proce/PID/environ), so it gets proper PATH.

I've moved /root/.profile away, became root and /etc/init.d/fail2ban
restart, it still works fine and sbin is within its PATH

I've stopped fail2ban and started it simply from command line from a
root session which has bad $PATH... and here where I've got the same
problem as you do -- fail2ban doesn't get proper sbin directories in its
path. That is why I asked you a question which I have above.

Although PATH is not exported in init.d/fail2ban, it does propagate into
fail2ban, probably start-stop-daemon does the trick somehow, or I am
just missing the basic understanding of handing of envir variables

P.S. I'm trying to get away from adding explicit /sbin into conf file
because I'm trying to keep it as close to upstream as possible, and
fixing path to iptables might not be a good idea in that case
because fail2ban is used on many other platforms and I'm not sure if all
of them have iptables in /sbin...
-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

Attachment: pgphSvNfCbg8d.pgp
Description: PGP signature

Reply via email to