Re: if-up hooks not working



snip

> > > > > After rebooting the computer in question as well as my server because
> > > > > NFS was acting up, my script now seems to get run reliably if I put it
> > > > > in /etc/network/if-up.d. However, contrary to the docs, the only script
> > > > > in /etc/NetworkManager/dispatcher.d that ever gets executed is
> > > > > 01ifupdown. Since that script calls run-parts on /etc/network/if-up.d,
> > > > > my script gets executed in that directory.
> > > > >
> > > > > Is the NetworkManagerDispatcher man page wrong, or am I experiencing
> > > > > some kind of bug?
> > > > >
> > > > > By the way, I'm running Ubuntu Gutsy.
> > > >
> > > > Is the script only owned by root and executable? Do you see the script
> > > > execute when you tail syslog?
> > > >
> > > The script is owned by myuser:root, with 770 permissions. I chowned to
> > > root:root, but it didn't make any difference. One reason that I know
> > > it isn't running is because the script logs several messages to
> > > syslog, and those messages don't show up. NetworkManagerDispatcher
> > > doesn't itself log the scripts it runs. So, the script definitely
> > > isn't executing.
> >
> > I think the permissions need to be 0700 or 0500 and the file owned by
> > root. I remember some messages on the list to that effect but I can't
> > seem to find them off-hand.
> >
>
> Yep that is correct from the source:
> http://svn.gnome.org/viewvc/NetworkManager/tags/NETWORKMANAGER_0_6_5_RELEASE/dispatcher-daemon/NetworkManagerDispatcher.c?view=markup
>
>
> /*
>  * nmd_permission_check
>  *
>  * Verify that the given script has the permissions we want.  Specifically,
>  * ensure that the file is
>  *      - A regular file.
>  *      - Owned by root.
>  *      - Not writable by the group or by other.
>  *      - Not setuid.
>  *      - Executable by the owner.
>  *
>  */

OK. Changing the owner to root:root and the permissions to 755 (the permissions of 01ifupdown) did the trick. I'll file a documentation bug on this, since the man page says nothing about required permissions.

I do wonder, though, why NetworkManagerDispatcher is so particular about permissions. As long as /etc/NetworkManager/dispatcher.d is only writable by root, then it is safe to assume that anything in there is something that root has authorized, regardless of its permissions. And a particular script might or might not contain sensitive information. Shouldn't security policy be left up to the system administrator?

The reason this is an issue for me is that I have a number of scripts that I've written to automate various tasks. For the sake of maintainability, it's easiest to keep all of them in subdirectories of my normal user's home directory and then make symlinks as appropriate. Since /home is on a separate partition, I can have all my data on a single partition, leaving the rest of the filesystem for distro-specific stuff and system-wide config.

Naturally, it is strongly preferable that everything under $HOME should be owned by $USER, so that I don't have to become root to manipulate files in my home directory. But NetworkManagerDispatcher actively prevents me from configuring my system as I see fit, and that's quite frustrating.

Another point to make is that the machine in question is a laptop, and I'm the only person who uses it. So I'm not too worried about someone pulling some attack on files that aren't locked down. If someone were to steal my laptop, their ability to mess with a NetworkManager file would be the least of my worries. Besides, I have sudo configured to grant me root without asking for a password, so root ownership doesn't provide much protection against an adversary. I realize that many people want to run a much tighter system than I do, and they should have that choice. But should I be forced into a security model designed for a multi-user environment when I only operate in a single-user environment?

Would it be possible to relax the permissions checking a bit?

Scott

--
===Scott Severance===

Website: http://www.scottseverance.us
Blog: http://blog.scottseverance.us

Check out the Sermon Illustration Library: http://www.sermonillustrationlibrary.org
