Gentoo Forums
ddclient: damned if you do, damned if you don't
Gentree
Watchman


Joined: 01 Jul 2003
Posts: 5350
Location: France, Old Europe

Posted: Sun Jul 08, 2012 6:26 am    Post subject: ddclient: damned if you do, damned if you don't

Hi,

After updating world last (i.e. most of last week) I notice that ddclient is displaying a message during boot and is not starting.

I ran /etc/init.d/ddclient start and could see the message was saying ddclient.conf should not be world readable and exiting without starting the client.

Code:
bash-4.2#/etc/init.d/ddclient start
 * /etc/ddclient/ddclient.conf must not be world or group readable. Try:
 *     chmod 600 /etc/ddclient/ddclient.conf
 *     chown ddclient:ddclient /etc/ddclient/ddclient.conf
 * ERROR: ddclient failed to start


This is new. It is not clear why this is a show stopper.

So I followed the suggestion

Code:
 chmod 600 /etc/ddclient/ddclient.conf



But now it fails to start because it can't read it !!

Code:

bash-4.2#/etc/init.d/ddclient start
 * Making /run/ddclient ...                                                                               [ ok ]
 * Changing permissions of /run/ddclient ...                                                              [ ok ]
 * Starting ddclient ...
WARNING:  file /etc/ddclient/ddclient.conf: Cannot open file '/etc/ddclient/ddclient.conf'. (Permission denied)
stat() on closed filehandle FD at /usr/sbin/ddclient line 986.
Use of uninitialized value $mode in bitwise and (&) at /usr/sbin/ddclient line 987.
readline() on closed filehandle FD at /usr/sbin/ddclient line 999.
WARNING:  file /etc/ddclient/ddclient.conf: Cannot open file '/etc/ddclient/ddclient.conf'. (Permission denied)
stat() on closed filehandle FD at /usr/sbin/ddclient line 986.
Use of uninitialized value $mode in bitwise and (&) at /usr/sbin/ddclient line 987.
readline() on closed filehandle FD at /usr/sbin/ddclient line 999.
WARNING:  file /var/cache/ddclient/ddclient.cache, line 1: program version mismatch; ignoring /var/cache/ddclient/ddclient.cache
 * start-stop-daemon: failed to start `/usr/sbin/ddclient'                                                [ !! ]
 * ERROR: ddclient failed to start


So what's the game? Should it be group readable like it was before or not ?

TIA, Gentree. 8)
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Sun Jul 08, 2012 6:44 am    Post subject: Re: ddclient: damned if you do, damned if you don't

Gentree wrote:
Code:
bash-4.2#/etc/init.d/ddclient start
 * /etc/ddclient/ddclient.conf must not be world or group readable. Try:
 *     chmod 600 /etc/ddclient/ddclient.conf
 *     chown ddclient:ddclient /etc/ddclient/ddclient.conf
 * ERROR: ddclient failed to start

[...]
So I followed the suggestion

Code:
chmod 600 /etc/ddclient/ddclient.conf

Gentree ... you omitted change owner ...

Code:
chown ddclient:ddclient /etc/ddclient/ddclient.conf


best ... khay
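The two failures in this thread (a config file that is too permissive, then one that is owner-only but owned by the wrong user) can be told apart with a small check. This is an added example, not part of any post or of ddclient; `check_conf` and its verdict strings are made-up names, GNU `stat` is assumed, and the daemon's uid is passed in numerically (for example from `id -u ddclient`).

```shell
#!/bin/sh
# Added example (not from the thread). check_conf and its verdict strings
# are illustrative names; the daemon uid is passed in numerically.

# check_conf FILE DAEMON_UID -> prints a verdict; returns 0 only for "ok"
check_conf() {
    file=$1
    daemon_uid=$2
    [ -f "$file" ] || { echo "missing"; return 2; }

    mode=$(stat -c '%a' "$file")       # GNU stat: octal permission bits
    owner_uid=$(stat -c '%u' "$file")  # numeric owner

    # Same mask as the Perl test `$mode & 077`: any group/other bit set?
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "too-open"        # the init script refuses to start on this
        return 1
    fi
    # Mode is owner-only, so only the owner (or root) can open the file.
    if [ "$owner_uid" != "$daemon_uid" ]; then
        echo "wrong-owner"     # the daemon user gets "Permission denied"
        return 1
    fi
    if [ $(( 0$mode & 0400 )) -eq 0 ]; then
        echo "owner-cannot-read"
        return 1
    fi
    echo "ok"
}

# Constructed demo on a temporary file standing in for ddclient.conf.
demo() {
    f=$(mktemp)
    me=$(id -u)
    chmod 644 "$f"; echo "0644, owned by daemon: $(check_conf "$f" "$me")"
    chmod 600 "$f"; echo "0600, owned by other:  $(check_conf "$f" $((me + 1)))"
    echo "0600, owned by daemon: $(check_conf "$f" "$me")"
    rm -f "$f"
}
demo
```
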
PaulBredbury
Watchman


Joined: 14 Jul 2005
Posts: 7310

Posted: Sun Jul 08, 2012 7:06 am    Post subject:

Haha, I remember this farce. I'm flabbergasted that this is still an issue 8O

Seems that someone decided to drop my reasonable security patch.

ddclient has strange security behaviour, as default. I run it as user ddclient, group ddclient (not in Gentoo).

This is the patch I'm using:
Code:
diff -Naur ddclient-3.8.1.orig/ddclient ddclient-3.8.1/ddclient
--- ddclient-3.8.1.orig/ddclient   2011-07-12 04:04:21.000000000 +0700
+++ ddclient-3.8.1/ddclient   2012-06-28 16:02:32.676981665 +0700
@@ -982,16 +982,6 @@
    # fatal("Cannot open file '%s'. ($!)", $file);
    warning("Cannot open file '%s'. ($!)", $file);
     }
-    # Check for only owner has any access to config file
-    my ($dev, $ino, $mode, @statrest) = stat(FD);
-    if ($mode & 077) {                         
-   if (-f FD && (chmod 0600, $file)) {
-       warning("file $file must be accessible only by its owner (fixed).");
-   } else {
-       # fatal("file $file must be accessible only by its owner.");
-       warning("file $file must be accessible only by its owner.");
-   }
-    }
 
     local $lineno       = 0;
     my    $continuation = '';
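Review bot: deleting the whole `if ($mode & 077)` block removes the only check in ddclient itself that the config file has no group or other access bits, so a file left at 0644 is now read without any warning. If the aim is to stop the program from silently running `chmod 0600, $file`, drop only that call and keep the `warning(...)` branch. The context lines above the deletion also show that a failed open only calls `warning(...)` (the `fatal` is commented out), so execution continues on a closed handle; an early return after that warning would belong in the same patch.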
@@ -2497,7 +2487,6 @@
       
       } elsif (exists $errors{$status}) {
           if ($status eq 'nochg') {
-         warning("updating %s: %s: %s", $h, $status, $errors{$status});
          $config{$h}{'ip'}     = $ip;
              $config{$h}{'mtime'}  = $now;
          $config{$h}{'status'} = 'good';
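Review bot: removing the `warning("updating %s: %s: %s", ...)` call in the `nochg` branch leaves that status with no log line at all, while the following lines still record it as 'good'. Lowering the message to a less severe log level would keep a trace of repeated no-change updates without the noise. This hunk is also unrelated to the permission check removed in the first hunk and would be easier to review as a separate patch with its own explanation.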
Gentree
Watchman


Joined: 01 Jul 2003
Posts: 5350
Location: France, Old Europe

Posted: Sun Jul 08, 2012 8:58 am    Post subject:

Thanks khay, having spent most of my time this week trying to update this system my attention to detail is showing signs of fatigue.
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86