On Jun 5, 2011, at 2:42 PM, Stuart Henderson wrote:
> On 2011/06/05 13:09, Paul Suh wrote:
>> Stuart,
>>
>> I tried using a symlink, but isakmpd didn't seem to like it.
>
> For the file or the whole directory?
> It seems to work with /etc/isakmpd -> /somewhere/else.
Stuart,
Sorry about the delay, but my day job has been busy. When I try to move the
isakmpd directory and make it a symlink, I get a series of errors that look
like:
> Jun 14 16:27:25 redoubt isakmpd[24833]: exchange_run: doi->initiator (0x88ecda80) failed
> Jun 14 16:29:34 redoubt isakmpd[19190]: m_priv_getfd: illegal path "/etc/isakmpd/private//71.163.154.173"
> Jun 14 16:29:34 redoubt isakmpd[24833]: ike_auth_get_key: failed opening "/etc/isakmpd/private//71.163.154.173"
> Jun 14 16:29:34 redoubt isakmpd[19190]: m_priv_getfd: illegal path "/etc/isakmpd/private/local.key"
> Jun 14 16:29:34 redoubt isakmpd[24833]: ike_auth_get_key: failed opening "/etc/isakmpd/private/local.key"
> Jun 14 16:29:34 redoubt isakmpd[24833]: rsa_sig_encode_hash: could not get private key
> Jun 14 16:29:34 redoubt isakmpd[24833]: exchange_run: doi->initiator (0x88ecd580) failed
It looks to me like the check happens in monitor.c, in m_priv_getfd(), which
calls m_priv_local_sanitize_path():
> /* Check that path/mode is permitted. */
> static int
> m_priv_local_sanitize_path(char *path, size_t pmax, int flags)
> {
>         char new_path[PATH_MAX], var_run[PATH_MAX];
>
>         /*
>          * We only permit paths starting with
>          *  /etc/isakmpd/ (read only)
>          *  /var/run/     (rw)
>          */
> ...
>         if (strncmp(ISAKMPD_ROOT, new_path, strlen(ISAKMPD_ROOT)) == 0 &&
>             (flags & O_ACCMODE) == O_RDONLY)
>                 return 0;
>
> bad_path:
>         return 1;
> }
>
So it's going to take a patch to the code. That said, to go back to my
original question, can anyone tell me why this would be implemented in such a
fashion that forces isakmpd to have its true directory in /etc/isakmpd? I can
understand why there would be a runtime check against ISAKMPD_ROOT, but what
if I want to move ISAKMPD_ROOT to somewhere else specified by a runtime flag
(but still fixed in place)? Does that have any negative security implications?
Thanks in advance to anyone who has any insights.
--Paul