Hello,

please excuse me if this has been discussed or even solved before, but I could not find it in the archives.

I'm in the process of migrating several gateways to shorewall-lite, keeping the config files on one central administrative machine, basically following the guide at http://www.shorewall.net/CompiledPrograms.html .

As I understand it, the local /etc/shorewall directory on the administrative machine should not be used at all for the compilation. All that matters should be the export directory for the host currently compiled. Because of that, I figured there should not be much reason to be root while compiling. (Deploying yes, but just preparing no, right?)

I must have misunderstood something or nobody tried this before:

% id -u
501
% cd ~/svn/admin/shorewall/hosts/tim
% shorewall compile -e -C perl . firewall
/sbin/shorewall: line 134: /etc/shorewall/params: Permission denied
% shorewall version
4.0.5

This is shorewall-4.0.5 with the perl compiler, both from the shorewall rpm packages by Simon Matter.

On a related note, I find installing /sbin/shorewall with permissions 0700 questionable - given that the code is publicly available to anybody through the web. Only makes it annoying for non-root users.

Apart from that - we love shorewall over here, especially the shorewall-lite/perl combination rocks! Many thanks for that, esp. Tom!

regards,
bkw

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Bernhard Weisshuhn wrote:

> As I understand it, the local /etc/shorewall directory on the
> administrative machine should not be used at all for the compilation.

Not so -- see below.

> All that matters should be the export directory for the host currently
> compiled. Because of that, I figured there should not be much reason
> to be root while compiling. (Deploying yes, but just preparing no, right?)

Correct

> I must have misunderstood something or nobody tried this before:
>
> % id -u
> 501
> % cd ~/svn/admin/shorewall/hosts/tim
> % shorewall compile -e -C perl . firewall
> /sbin/shorewall: line 134: /etc/shorewall/params: Permission denied
> % shorewall version
> 4.0.5

The non-priv user must have read access to /etc/shorewall/params and /etc/shorewall/shorewall.conf

- /etc/shorewall/shorewall.conf contains the site-wide SHOREWALL_COMPILER directive and the default VERBOSITY settings. Both are needed by /sbin/shorewall.

- /etc/shorewall/shorewall.conf can contain shell variable expansions; that requires that /etc/shorewall/params be processed before /etc/shorewall/shorewall.conf.

~/svn/admin/shorewall/hosts/tim/shorewall.conf should set the CONFIG_PATH in such a way that it omits /etc/shorewall/. That way, the compiler will not look in /etc/shorewall/ for any of the other files.

The tarball installer and the RPM from shorewall.conf install both files with mode 0644.

> This is shorewall-4.0.5 with the perl compiler, both from the
> shorewall rpm packages by Simon Matter.
>
> On a related note, I find installing /sbin/shorewall with permissions
> 0700 questionable - given that the code is publicly available to anybody
> through the web. Only makes it annoying for non-root users.

These permission issues are particular to Simon's RPMs. The tarball installer and the RPM from shorewall.net both install /sbin/shorewall with mode 0755.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Bernhard Weisshuhn wrote:
>
>> As I understand it, the local /etc/shorewall directory on the
>> administrative machine should not be used at all for the compilation.
>
> Not so -- see below.
>
>> All that matters should be the export directory for the host currently
>> compiled. Because of that, I figured there should not be much reason
>> to be root while compiling. (Deploying yes, but just preparing no, right?)
>
> Correct
>
>> I must have misunderstood something or nobody tried this before:
>>
>> % id -u
>> 501
>> % cd ~/svn/admin/shorewall/hosts/tim
>> % shorewall compile -e -C perl . firewall
>> /sbin/shorewall: line 134: /etc/shorewall/params: Permission denied
>> % shorewall version
>> 4.0.5
>
> The non-priv user must have read access to /etc/shorewall/params and
> /etc/shorewall/shorewall.conf
>
> - /etc/shorewall/shorewall.conf contains the site-wide SHOREWALL_COMPILER
> directive and the default VERBOSITY settings. Both are needed by
> /sbin/shorewall.
>
> - /etc/shorewall/shorewall.conf can contain shell variable expansions; that
> requires that /etc/shorewall/params be processed before
> /etc/shorewall/shorewall.conf.
>
> ~/svn/admin/shorewall/hosts/tim/shorewall.conf should set the CONFIG_PATH in
> such a way that it omits /etc/shorewall/. That way, the compiler will not
> look in /etc/shorewall/ for any of the other files.
>
> The tarball installer and the RPM from shorewall.conf install both files
> with mode 0644.

That should have read:

The tarball installer and the RPM from _shorewall.net_ install both files with mode 0644.

-Tom
Tom Eastep wrote:

> The non-priv user must have read access to /etc/shorewall/params and
> /etc/shorewall/shorewall.conf
>
> - /etc/shorewall/shorewall.conf contains the site-wide SHOREWALL_COMPILER
> directive and the default VERBOSITY settings. Both are needed by
> /sbin/shorewall.
>
> - /etc/shorewall/shorewall.conf can contain shell variable expansions; that
> requires that /etc/shorewall/params be processed before
> /etc/shorewall/shorewall.conf.

Incidentally, this is all explained at http://www.shorewall.net/CompiledPrograms.html#Lite in the Caution in item a):

    Caution

    If you want to be able to allow non-root users to manage remote firewall systems, then the files /etc/shorewall/params and /etc/shorewall/shorewall.conf must be readable by all users on the administrative system. Not all packages secure the files that way and you may have to change the file permissions yourself.

    /sbin/shorewall uses the SHOREWALL_SHELL setting from /etc/shorewall/shorewall.conf to determine the shell to use when compiling programs and it uses the VERBOSITY setting for determining how much output the compiler generates. All other settings are taken from the shorewall.conf file in the remote system's export directory (see below). Beginning with Shorewall 4.0, the SHOREWALL_COMPILER setting is also needed from /etc/shorewall/shorewall.conf.

-Tom
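A preflight check for the two requirements stated in Tom's replies above (the admin host's /etc/shorewall/params and /etc/shorewall/shorewall.conf must be readable by the non-root user, and the export directory's shorewall.conf must set CONFIG_PATH so that /etc/shorewall is omitted). This is an added example, not code from the thread or from the Shorewall project; it assumes the usual KEY=value line format of shorewall.conf and takes both directories as parameters so it can be run against a test tree instead of the real /etc/shorewall.

```shell
#!/bin/sh
# Added example (not Shorewall code): preflight check before a non-root
# "shorewall compile" of a shorewall-lite export directory. Based on the
# thread: /sbin/shorewall still reads /etc/shorewall/params and
# /etc/shorewall/shorewall.conf (SHOREWALL_COMPILER, VERBOSITY,
# SHOREWALL_SHELL) on the admin host, and the export directory's
# shorewall.conf should set CONFIG_PATH so that /etc/shorewall is omitted.

# 0 if the invoking user can read the file.
readable_by_me() {
    [ -r "$1" ]
}

# Print the (last) CONFIG_PATH value from a shorewall.conf, quotes stripped.
# Assumes the usual KEY=value line format.
config_path_of() {
    sed -n 's/^[[:space:]]*CONFIG_PATH=//p' "$1" | tail -n 1 | tr -d '"'"'"
}

# 0 if CONFIG_PATH is set and none of its colon-separated entries is
# /etc/shorewall (with or without a trailing slash).
config_path_omits_etc() {
    cp_value=$(config_path_of "$1") || return 1
    [ -n "$cp_value" ] || return 1
    case ":$cp_value:" in
        *:/etc/shorewall:*|*:/etc/shorewall/:*) return 1 ;;
    esac
    return 0
}

# preflight SYSCONF_DIR EXPORT_DIR
# SYSCONF_DIR is normally /etc/shorewall on the admin host; it is a
# parameter here so the check can be exercised against a test tree.
preflight() {
    sysconf_dir=$1
    export_dir=$2
    rc=0
    for f in params shorewall.conf; do
        readable_by_me "$sysconf_dir/$f" ||
            { echo "not readable by $(id -un): $sysconf_dir/$f" >&2; rc=1; }
    done
    config_path_omits_etc "$export_dir/shorewall.conf" ||
        { echo "CONFIG_PATH in $export_dir/shorewall.conf must omit /etc/shorewall" >&2; rc=1; }
    return $rc
}
```

Run as the non-root user that will do the compiling, e.g. `preflight /etc/shorewall ~/svn/admin/shorewall/hosts/tim`; a non-zero exit names each file that would make `shorewall compile` fail the way the original post shows.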
> Hello,
>
> please excuse me if this has been discussed or even solved before, but
> I could not find it in the archives.
>
> I'm in the process of migrating several gateways to shorewall-lite,
> keeping the config files on one central administrative machine,
> basically following the guide at
> http://www.shorewall.net/CompiledPrograms.html .
>
> As I understand it, the local /etc/shorewall directory on the
> administrative machine should not be used at all for the compilation.
> All that matters should be the export directory for the host currently
> compiled. Because of that, I figured there should not be much reason
> to be root while compiling. (Deploying yes, but just preparing no, right?)
>
> I must have misunderstood something or nobody tried this before:
>
> % id -u
> 501
> % cd ~/svn/admin/shorewall/hosts/tim
> % shorewall compile -e -C perl . firewall
> /sbin/shorewall: line 134: /etc/shorewall/params: Permission denied
> % shorewall version
> 4.0.5
>
> This is shorewall-4.0.5 with the perl compiler, both from the
> shorewall rpm packages by Simon Matter.

Thanks for reporting the issue. I have relaxed permissions in the shorewall-4.0.5-6 rpms; it would be nice to get some feedback on how it works.

Regards,
Simon
On Wed, Nov 07, 2007 at 03:08:48PM -0800, Tom Eastep <teastep@shorewall.net> wrote:

> > The non-priv user must have read access to /etc/shorewall/params and
> > /etc/shorewall/shorewall.conf
> >
> > [...]
>
> Incidentally, this is all explained at
> http://www.shorewall.net/CompiledPrograms.html#Lite in the Caution in item a):

Thanks for clearing this up so thoroughly Tom. And thanks to Simon for his quick response, too!

Have a nice day everybody,
bkw