cli: regression in ospf show commands #601

jovatn · 2024-09-04T12:07:06Z

Current Behavior

In Infix 24.08.0, 'show ospf' CLI commands gives privilege errors in CLI.
An example with 'show ospf neighbor' is shown below.

admin@example:/> show routes 
PREFIX                        NEXT-HOP                          PREF  PROTOCOL  
10.0.0.0/30                   eth0                                 0  kernel    
10.1.1.1/32                   10.0.0.1                            20  ospf      
admin@example:/> show ospf neighbor 
% Can't open configuration file /etc/frr/vtysh.conf due to 'Permission denied'.
Exiting: failed to connect to any daemons.
Hint: if this seems wrong, try running me as a privileged user!
admin@example:/>

Expected Behavior

'show ospf' CLI commands should show OSPF status information, see example below

admin@example:/> show ospf neighbor 
Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.2.2.2          1 Full/-          59m00s            35.399s 10.0.0.2        eth0:10.0.0.1                        0     0     0
admin@example:/>

Steps To Reproduce

I used gns3, but could be done on hardware.

Install infix 24.08.0 on two units (in my case I used gns3)
(If you do this on gns3 with 24.08.0, please remove the file '/mnt/aux/test-mode')
Configure the units with proper OSPF setup
Run 'show ospf' from admin exec

Additional information

No response

The text was updated successfully, but these errors were encountered:

With the recent changes in Infix v24.08 to tighten up permissions, a regression in the 'show ospf' family of commands was introduced. This patch adds a 'doas' prefix to all vtysh commands. The 'doas' tool wraps sudo in a way such than unauthorized users do not get a sudo error thrown as result. A better fix might be to either include all admin group users also in the UNIX group 'frrvty', or even better, change the default group of vtysh to 'wheel'. Affected files are /etc/frr/vtysh.conf and all /run/frr/*.vty sockets, the latter are created at runtime by zebra, ospfd, etc. This require modifying the buildroot/package/frr/frr.mk file, which unfortunately have the group hard coded. admin@R2:~$ ls -l /etc/frr/vtysh.conf -rw-r----- 1 frr frrvty 32 Sep 3 05:27 /etc/frr/vtysh.conf admin@R2:~$ ls -l /run/frr/*.vty srwxrwx--- 1 frr frrvty 0 Sep 5 04:37 /run/frr/ospfd.vty srwxrwx--- 1 frr frrvty 0 Sep 5 04:37 /run/frr/zebra.vty Fixes #601 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

jovatn added bug Something isn't working triage Pending investigation & classification (CCB) labels Sep 4, 2024

jovatn changed the title ~~'show ospf' CLI commands fails with "permission denied" error message~~ cli: regression in ospf show commands Sep 4, 2024

troglobit removed the triage Pending investigation & classification (CCB) label Sep 4, 2024

troglobit added this to the Infix v24.09 milestone Sep 4, 2024

troglobit added this to Infix & C:o Sep 4, 2024

troglobit moved this to Todo in Infix & C:o Sep 4, 2024

troglobit self-assigned this Sep 4, 2024

troglobit mentioned this issue Sep 5, 2024

Fix CLI show ospf permissions for admin group users #602

Merged

13 tasks

troglobit moved this from Todo to In progress in Infix & C:o Sep 5, 2024

troglobit closed this as completed in #602 Sep 5, 2024

troglobit closed this as completed in 6752ff4 Sep 5, 2024

github-project-automation bot moved this from In progress to Done in Infix & C:o Sep 5, 2024

troglobit mentioned this issue Dec 4, 2024

Make Frr frrvty group configurable in Buildroot #850

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cli: regression in ospf show commands #601

cli: regression in ospf show commands #601

jovatn commented Sep 4, 2024

cli: regression in ospf show commands #601

cli: regression in ospf show commands #601

Comments

jovatn commented Sep 4, 2024

Current Behavior

Expected Behavior

Steps To Reproduce

Additional information