hercules-390 / hyperion

Problem with tun/tap networking #87

Open sjcr opened 8 years ago

sjcr commented 8 years ago

Hi All, I've just cloned today's source, built it and tried to run it on my CentOS 7 x86_64 system. Everything seems to be working, except the network - I'm getting the following error during Hercules startup:

HHC00901I 0:0E20 CTCI: Interface tun0, type TUN opened
*\ _flog_write_pipe: write_pipe() failed; errno=9: Bad file descriptorHHC00100I Thread id 00007f179d564740, prio 0, name Control panel started
HHC00136E Error in function execlp(): No such file or directory

Does anyone have a similar problem? What other info should I provide to help solve this?

Also, running make check ends with '1 test failed catastrophically'. Corresponding output is:

line 10049: Test case timed out in wait. This is likely an error in Hercules. Please report
line 10059: Storage at 00 compare mismatch. Want: 01020408 10204080 got 00000000 00000000
line 10064: Storage at 00 compare mismatch. Want: 01020408 10204080 got 00000000 00000000
line 10069: Storage at 00 compare mismatch. Want: FEFDFBF7 EFDFBF7F got 00000000 00000000
line 10074: Storage at 00 compare mismatch. Want: 01020408 10204080 got 00000000 00000000
line 10079: Storage at 00 compare mismatch. Want: 01020408 10204080 got 00000000 00000000
line 10084: Storage at 00 compare mismatch. Want: FEFDFBF7 EFDFBF7F got 00000000 00000000
line 10089: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10094: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10099: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10104: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10109: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10114: Storage at 00 compare mismatch. Want: 10101010 10101010 got 00000000 00000000
line 10126: Storage at 00 compare mismatch. Facilities list bit 52 Want: 00000000 00000800 got 00000000 00000000

I'm not sure if it's related to the networking problem, thus not opening a new ticket yet...

TIA, Sergiusz

sjcr commented 8 years ago

Hi, I've decided to give it a go and try to run hercules from the root account and voila - everything works OK. I know it's a rather major security issue, but this system is on a private network, with no access to the Internet, so I can live with that. The interesting thing is, using a regular account to run hercules, even with hercifc setuid, is not working... Anyway, as I didn't see any other tun/tap issues reported, I suspect it's specific to my setup, so I'm closing this. I'm sorry for not testing this more before posting.

Best regards, Sergiusz

Fish-Git commented 8 years ago

@sjcr : Hyperion was updated recently to handle file handling differently (stdin, stdout, etc) depending on whether a logfile was specified (e.g. hercules -f myconfig > logfile) as well as whether the -d daemon mode option was specified, etc. It looks like there may be a usage case we missed somewhere.

Please insert a msglvl +emsgloc statement at the beginning of your config file and try again. Hyperion will still fail, but it should at least tell us where it failed (which should hopefully be enough for us to figure out where things went wrong and where our bug is).

Thanks.

sjcr commented 8 years ago

Hi Fish, thank you for your reply. After adding msglvl +emsgloc to my config file, I'm getting:

HHC00901I 0:0E20 CTCI: Interface tun0, type TUN opened
HHC00100I Thread id 00007f05a3289740, prio 0, name Control panel started
* _flog_write_pipe: write_pipe() failed; errno=9: Bad file descriptorHHC00136E Error in function execlp(): No such file or directory
* _flog_write_pipe: write_pipe() failed; errno=9: Bad file descriptorHHC00007I Previous message from function 'IFC_IOCtl' at tuntap.c(1050)

Should I re-open this issue?

Thank you. Sergiusz

Fish-Git commented 8 years ago

It appears the problem is in the Linux IFC_IOCtl fork() logic that runs hercifc.

It appears it's doing some dup2 to "Close spurious FDs END" before calling execlp to execute hercifc (presumably) and it's unclear to me whether they're needed and/or whether they're even correct given our new design. @jphartmann probably needs to look at it to be sure, so yes, this issue needs re-opened since it looks like a bona fide bug in our new file redirection handling.

Thanks.
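The log above shows a descriptor-related write failure next to the execlp() error in the forked child. One common way to make an exec failure reportable to the parent, independent of what the child does to its log or stdio descriptors, is a close-on-exec status pipe. This is an added example, not code from Hercules or from anyone in this thread; `spawn_helper` and the program name in `main` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not Hercules code: exec `prog` (PATH search) in a
 * child. Returns 0 if the exec succeeded, otherwise the errno that exec (or
 * the setup) failed with. The child's wait status goes to *status. */
int spawn_helper(const char *prog, int *status)
{
    int report[2], err = 0;
    if (pipe(report) < 0)
        return errno;
    /* Close-on-exec write end: a successful exec closes it, so the parent
     * reads EOF; after a failed exec it is still open for the report. */
    if (fcntl(report[1], F_SETFD, FD_CLOEXEC) < 0)
        err = errno;
    pid_t pid = err ? -1 : fork();
    if (!err && pid < 0)
        err = errno;
    if (err) {
        close(report[0]);
        close(report[1]);
        return err;
    }
    if (pid == 0) {                 /* child */
        close(report[0]);
        /* Any fd cleanup done here must leave report[1] alone. */
        execlp(prog, prog, (char *)NULL);
        err = errno;                /* reached only when exec failed */
        if (write(report[1], &err, sizeof err) < 0) { /* nothing left to do */ }
        _exit(127);
    }
    close(report[1]);               /* parent keeps only the read end */
    ssize_t n;
    do {
        n = read(report[0], &err, sizeof err);
    } while (n < 0 && errno == EINTR);
    close(report[0]);
    while (waitpid(pid, status, 0) < 0 && errno == EINTR) { }
    return n == (ssize_t)sizeof err ? err : 0;
}
int main(void)
{
    int st, e = spawn_helper("no-such-helper-example", &st);
    printf("exec result: errno %d\n", e);
    return 0;
}
```

The parent gets the child's exact errno (ENOENT for a helper that is not found) without depending on any descriptor the child may have closed or redirected before the exec.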

jphartmann commented 8 years ago

Yes, please. But first check whether hercifc is in your PATH.

I'm glad I finally meet one who also sees all of this as a huge security hole.

You could try Hyperion. It allows you to preconfigure the tunnel so that hercifc is not required.

jphartmann commented 8 years ago

Duh. This is Hyperion.

The html page about CTCI in the source tree contains a description of setting up a preconfigured tunnel. Given your security concerns, I should think that is the path you wish to pursue.

Regrettably, a bad fix from FreeBSD now means that closing the tunnel deconfigures the IP address, but the guy who committed that fix ran away as soon as I queried it.

ivan-w commented 8 years ago

On 12/20/2015 10:24 AM, John P. Hartmann wrote:

Yes, please. But first check whether hercifc is in your PATH.

I'm glad I finally meet one who also sees all of this as a huge security hole.

hercifc IS a security issue. tun/tap operations should be performed by an administrative process through the implementation of a virtual switch (tap - not too hard, tun - quite a biatch !). But it's a huge work to do that properly.

In the meantime - hercifc isn't an issue unless you can actually open a tun/tap interface (which requires an administrator to grant you access to tun/tap).

Besides, hercifc drops all privileges except for CAP_NET_ADMIN very early. (It still opens the possibility for a non-root user to alter (some) interface configuration and routing tables.)

--Ivan

jphartmann commented 8 years ago

hercifc is a trojan horse that lets any user pipe any command through standard input.

sjcr commented 8 years ago

Hi All, sorry for the late reply. Yes, I have hercifc in my PATH. And yes, a preconfigured tun device did the trick, but only under Linux z/Arch. With OS/390 (ARCHMODE set to ESA/390, CPUMODEL 9672) hyperion opens tun, the guest operating system sees the device, but no data transfer is possible. I'll dig into this deeper later today. Thank you.

Sergiusz