
Execute permissions are removed from custom SNMP scripts at commit time
Closed, Resolved | Public | BUG

Description

After every configuration commit, the SNMP script permissions are changed and the snmp user is not able to execute it.

Example:

# chmod +rx /config/user-data/snmp_conntrack.sh
# ls -la /config/user-data/snmp_conntrack.sh
-rwxr-xr-x+ 1 root vyattacfg 33 Dec 10 10:57 /config/user-data/snmp_conntrack.sh

snmpwalk -v2c -c public XXXX .1.3.6.1.4.1.8072.1.3.2.3.1.1.9.99.111.110.110.116.114.97.99.107
iso.3.6.1.4.1.8072.1.3.2.3.1.1.9.99.111.110.110.116.114.97.99.107 = STRING: "59"

# set service snmp script-extensions extension-name conntrack script '/config/user-data/snmp_conntrack.sh'
[edit]
# commit
[edit]
# ls -la /config/user-data/snmp_conntrack.sh
-rwx--x--x+ 1 root vyattacfg 33 Dec 10 10:57 /config/user-data/snmp_conntrack.sh

snmpwalk -v2c -c public XXXX .1.3.6.1.4.1.8072.1.3.2.3.1.1.9.99.111.110.110.116.114.97.99.107
iso.3.6.1.4.1.8072.1.3.2.3.1.1.9.99.111.110.110.116.114.97.99.107 = STRING: "/bin/sh: /config/user-data/snmp_conntrack.sh: Permission denied"

$ show version 
Version:          VyOS 1.2.4
Built by:         xxxxxxxxxxx
Built on:         Thu 12 Dec 2019 10:18 UTC
Build UUID:       4fd6982e-af07-493c-b769-613b6d74626e
Build Commit ID:  7b47b452ce86a9

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  FUJITSU
Hardware model:   PRIMERGY RX2530 M5
Hardware S/N:     xxxxxxxxxxxx
Hardware UUID:    xxxxxxxxxxx

The server was installed using a rolling release but was updated last week to a release version (1.2.4).

Regards,

Vicente

Details

Difficulty level
Unknown (require assessment)
Version
1.2.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

sento created this task. Dec 16 2019, 10:48 AM
syncer assigned this task to Dmitry. Dec 16 2019, 12:05 PM
syncer triaged this task as Normal priority.
syncer moved this task from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
pasik added a subscriber: pasik. Dec 16 2019, 12:53 PM
Viacheslav added a comment. Edited Dec 17 2019, 8:41 AM

PR https://github.com/vyos/vyos-1x/pull/184

vyos@1.2-roll-ns# sudo chmod +rx /config/user-data/snmp_conntrack.sh
[edit]
vyos@1.2-roll-ns# del service snmp script-extensions 
[edit]
vyos@1.2-roll-ns# commit
[edit]
vyos@1.2-roll-ns# set service snmp script-extensions extension-name conntrack script '/config/user-data/snmp_conntrack.sh'
[edit]
vyos@1.2-roll-ns# commit
[edit]
vyos@1.2-roll-ns# sudo ls -la /config/user-data/snmp_conntrack.sh
-rwx--xr-x 1 root vyattacfg 81 Dec 16 18:06 /config/user-data/snmp_conntrack.sh
[edit]
vyos@1.2-roll-ns# 

vyos@1.2-roll-ns:~$ snmpwalk -v2c -c public 127.0.0.1 nsExtendOutput1
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."conntrack" = STRING: hello
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."conntrack" = STRING: hello
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."conntrack" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."conntrack" = INTEGER: 0
sento closed this task as Resolved. Dec 17 2019, 8:50 AM

Now it works perfectly.

Thanks

Dmitry reopened this task as In progress. Dec 17 2019, 8:54 AM
Dmitry changed the task status from In progress to Needs testing. Dec 17 2019, 4:02 PM

@sento own build 1.2.4: this is 1.2-rolling (branch current); in the crux branch all works as expected.

sento added a comment. Dec 18 2019, 8:39 AM

Thanks @Dmitry, building it again.

Dmitry changed the task status from Needs testing to In progress. Dec 18 2019, 4:05 PM

In the latest rolling, 1.2-rolling-201912180217, the permission problem is solved, but there is one more problem with the script path.
The CLI allows us to choose a script that is stored in '/config/user-data':

vyos@R1:~$ sudo cat /opt/vyatta/share/vyatta-cfg/templates/service/snmp/script-extensions/extension-name/node.tag/script/node.def 
type: txt
help: Script location and name
allowed: sh -c "ls /config/user-data"

If we set this script without the full path, we receive a warning after commit and a broken feature:

vyos@R1# set service snmp script-extensions extension-name MyExt script 
Possible completions:
   <text>       Script location and name
   snmp_conntrack.sh
                
[edit]
vyos@R1# set service snmp script-extensions extension-name MyExt script snmp_conntrack.sh 
[edit]
vyos@R1# commit
[ service snmp ]
WARNING: script: snmp_conntrack.sh doesn't exist

[edit]
Dmitry changed the task status from In progress to Needs testing. Dec 18 2019, 6:53 PM

https://github.com/vyos/vyos-1x/pull/186

Also fixed an additional issue with multiple snmp script-extensions entries (jinja2 sort).

Dmitry closed this task as Resolved. Dec 19 2019, 7:49 AM

Works correctly on 1.3-rolling-201912190503.

c-po moved this task from In Progress to Finished on the VyOS 1.3 Equuleus board. Jan 30 2020, 8:22 PM
dmbaturin renamed this task from Custom snmp script permissions changed to Execute permissions are removed from custom SNMP scripts at commit time. Feb 4 2020, 10:01 PM
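
Added example (not part of the original task and not VyOS code): a shell check that classifies the three file modes shown in the ls output above and rejects a script name given without a full path. It assumes the SNMP agent's user falls under the "other" permission bits, ignores ACLs (the "+" in the ls output), and needs GNU stat; check_mode and check_script are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit a custom SNMP extension script before committing.
# Assumptions: the agent's user is neither owner nor group member ("other"
# bits apply), ACLs are ignored, GNU stat is available.

# check_mode OCTAL: print "ok" or the first problem; return 0 only for "ok".
check_mode() {
    other=$(( 0$1 & 7 ))
    # The kernel needs x to start the script, and /bin/sh needs r to read it.
    if [ $(( other & 1 )) -eq 0 ]; then echo "not executable by other"; return 1; fi
    if [ $(( other & 4 )) -eq 0 ]; then echo "not readable by other"; return 1; fi
    # Anything the agent executes must not be editable by arbitrary users.
    if [ $(( other & 2 )) -ne 0 ]; then echo "writable by other"; return 1; fi
    echo "ok"
}

# check_script PATH: require an absolute path to an existing regular file,
# then apply check_mode to its on-disk mode.
check_script() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "missing"; return 1; }
    check_mode "$(stat -c %a "$1")"
}

# The three modes from the ls output in this thread.
for m in 755 711 715; do
    printf '%s: %s\n' "$m" "$(check_mode "$m")"
done
```

Mode 711 (-rwx--x--x) is reported as not readable, while 755 and 715 pass.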