Closed tripplet closed 4 years ago
thanks for the update.
No problem, thanks for creating and maintaining this repo.
Does this still allow for popen(testparm) to be run?
Hi, not sure what you mean. If the cmd string can be created it runs popen(testparm ...), so yes?
PS: get_smbparm() itself is only run if the wsdd2 service does not directly get the -W -N parameter.
On Tue, Oct 20, 2020 at 6:46 AM Aman Gupta Karmani notifications@github.com wrote:
Does this still allow for popen(testparm) to be run?
https://github.com/Andy2244/wsdd2/blob/master/wsd.c#L131
It is not working for me it seems. I'm not using -N. The server responds to the hostname but not the netbios name I have set up in my smb.conf. I'm guessing all these security options are making it so the daemon cannot run testparm or read smb.conf.
I also noticed that when I run under systemd there are several errors, and lsof shows no TCP listeners. But when I run directly no such errors are present:
Oct 20 15:58:46 server systemd[1]: Started WSD/LLMNR Discovery/Name Service Daemon.
Oct 20 15:58:46 server wsdd2[8079]: starting.
Oct 20 15:58:47 server wsdd2[8079]: error: wsdd-http-v4: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: wsdd-http-v6: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: llmnr-tcp-v4: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: llmnr-tcp-v6: open_ep: SO_BINDTODEVICE
wsdd2 8079 61623 0r CHR 1,3 0t0 5419 /dev/null
wsdd2 8079 61623 1u unix 0x00000000e6bda8d4 0t0 34819 type=STREAM
wsdd2 8079 61623 2u unix 0x00000000e6bda8d4 0t0 34819 type=STREAM
wsdd2 8079 61623 3u unix 0x00000000c8634e56 0t0 34846 type=DGRAM
wsdd2 8079 61623 4u IPv4 34850 0t0 UDP *:3702
wsdd2 8079 61623 5u IPv6 34855 0t0 UDP *:3702
wsdd2 8079 61623 6u IPv4 34858 0t0 UDP *:5355
wsdd2 8079 61623 7u IPv6 34860 0t0 UDP *:5355
wsdd2 8079 61623 8u netlink 0t0 34863 ROUTE
vs
wsdd2 8095 root 0u CHR 136,0 0t0 3 /dev/pts/0
wsdd2 8095 root 1u CHR 136,0 0t0 3 /dev/pts/0
wsdd2 8095 root 2u CHR 136,0 0t0 3 /dev/pts/0
wsdd2 8095 root 3u unix 0x00000000a67d51aa 0t0 31718 type=DGRAM
wsdd2 8095 root 4u IPv4 31722 0t0 UDP *:3702
wsdd2 8095 root 5u IPv6 31727 0t0 UDP *:3702
wsdd2 8095 root 6u IPv4 31728 0t0 TCP *:3702 (LISTEN)
wsdd2 8095 root 7u IPv6 31729 0t0 TCP *:3702 (LISTEN)
wsdd2 8095 root 8u IPv4 31730 0t0 UDP *:5355
wsdd2 8095 root 9u IPv6 31732 0t0 UDP *:5355
wsdd2 8095 root 10u IPv4 31733 0t0 TCP *:5355 (LISTEN)
wsdd2 8095 root 11u IPv6 31734 0t0 TCP *:5355 (LISTEN)
wsdd2 8095 root 12u netlink 0t0 31735 ROUTE
So I'm pretty sure these systemd options do not allow the daemon to function properly.
If I revert this PR, there are no more errors in the systemd log and lsof looks correct.
Oct 20 16:04:07 server systemd[1]: Started WSD/LLMNR Discovery/Name Service Daemon.
Oct 20 16:04:07 server wsdd2[8147]: starting.
I'll try to remove the lines one by one to figure out which one causes problems.
Removing DynamicUser=true fixed the issues I was seeing.
I'm using systemd v244
# systemctl --version
systemd 244 (244)
+PAM -AUDIT -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT +GNUTLS -ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid
I checked and nss-systemd is enabled.
It also works with ProtectSystem=full, so might be worth adding that and removing DynamicUser.
Appears the SO_BINDTODEVICE errors might have to do with the kernel version:
https://patchwork.ozlabs.org/project/netdev/patch/20200331132009.1306283-1-vincent@bernat.ch/
Would be useful if wsdd2.c printed out the error, which would have shown up as EPERM and made this easier to understand.
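As an added example (not wsdd2's own code), the following Linux program reproduces the open_ep/SO_BINDTODEVICE failure path discussed above and reports the errno, so that EPERM (the socket option needs CAP_NET_RAW on kernels without the linked patch, and the DynamicUser sandbox drops it) can be told apart from ENODEV (the interface name does not exist). The interface names "lo" and "nosuchif0" are constructed sample input; the hint strings are the author's wording, not wsdd2's.

```c
// Added example, not part of wsdd2: try SO_BINDTODEVICE and report why it failed.
// Linux only (SO_BINDTODEVICE is a Linux socket option).
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>

/* Try SO_BINDTODEVICE on a fresh UDP socket.
 * Returns 0 on success, the errno from setsockopt() on failure,
 * or -1 if the socket could not be created at all. */
int bindtodevice_errno(const char *ifname)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    /* optlen includes the terminating NUL; the kernel accepts up to IFNAMSIZ. */
    int rc = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Map the errno to an operator-facing hint (hypothetical wording, not wsdd2's). */
const char *bindtodevice_hint(int err)
{
    switch (err) {
    case 0:
        return "ok";
    case EPERM:
        return "EPERM: SO_BINDTODEVICE needs CAP_NET_RAW on this kernel; "
               "grant it (e.g. systemd AmbientCapabilities=CAP_NET_RAW) "
               "or drop DynamicUser=true";
    case ENODEV:
        return "ENODEV: no such interface";
    case -1:
        return "socket() failed";
    default:
        return "unexpected error";
    }
}

int main(void)
{
    /* Constructed sample interface names: one that exists, one that does not. */
    const char *ifaces[] = { "lo", "nosuchif0" };
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++) {
        int err = bindtodevice_errno(ifaces[i]);
        fprintf(stderr, "error: %s: open_ep: SO_BINDTODEVICE: %s (%s)\n", ifaces[i],
                err > 0 ? strerror(err) : "-", bindtodevice_hint(err));
    }
    return 0;
}
```

Run it once as root and once as an unprivileged user (or under the hardened unit with `systemd-run`); on a kernel that still gates SO_BINDTODEVICE on CAP_NET_RAW the unprivileged run prints EPERM for both names, while a newer kernel prints ok for lo and ENODEV for the bogus name.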
Okay, so since I figured out CAP_NET_RAW was the issue, I was able to make it work as so:
DynamicUser=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_RAW
I will send a PR.
Avoids running the service as root and restricts the access rights
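As an added example (not the PR's own unit file), here is the same idea written out as a complete unit, with the weak form that produced the SO_BINDTODEVICE errors commented out beside the corrected one. The ExecStart path and the unit description are assumptions; only DynamicUser=, ProtectSystem= and AmbientCapabilities= come from the thread, and CapabilityBoundingSet= is added so the ambient capability is also inside the bounding set.

```ini
# Hypothetical /etc/systemd/system/wsdd2.service (example, not the project's file)
[Unit]
Description=WSD/LLMNR Discovery/Name Service Daemon
After=network.target

[Service]
ExecStart=/usr/sbin/wsdd2            ; assumed install path

# Weak form from the thread: sandboxed, but the daemon loses CAP_NET_RAW and
# every SO_BINDTODEVICE call fails with EPERM on older kernels.
# DynamicUser=true

# Corrected form: keep the unprivileged dynamic user and read-only system,
# but hand back exactly the one capability SO_BINDTODEVICE needs.
DynamicUser=true
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl show -p AmbientCapabilities -p DynamicUser wsdd2.service` confirms both settings took effect, and `lsof -p $(systemctl show -p MainPID --value wsdd2.service)` should again list the TCP listeners on 3702 and 5355 that were missing in the failing run above.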