
Permissions Denied doing "show conntrack-sync status" on backup router
Open, Requires assessment, Public

Description

The command "show conntrack-sync status" gives a permission denied error when it's run on my backup-router:

tim@ferrari-backup:~$ show conntrack-sync status
cat: /var/run/vyatta-conntrackd-failover-state: Permission denied

sync-interface        : eth1
failover-mechanism    : vrrp [sync-group failover-group]
last state transition : ExpectationSync       : enabled for all: ftp, sip, h323, nfs, sqlnet

It appears to have been created with privileges such that only root is allowed to see it:

tim@ferrari-backup:~$ sudo ls -la /var/run/vyatta-conntrackd-failover-state
-rw------- 1 root root 40 Sep 29 08:32 /var/run/vyatta-conntrackd-failover-state

I don't see the same problem on my primary router:

tim@ferrari:~$ show conntrack-sync status

sync-interface        : eth1
failover-mechanism    : vrrp [sync-group failover-group]
last state transition : no transition yet!
ExpectationSync       : enabled for all: ftp, sip, h323, nfs, sqlnet
tim@ferrari:~$ sudo ls -la /var/run/vyatta-conntrackd-failover-state
ls: cannot access /var/run/vyatta-conntrackd-failover-state: No such file or directory

Details

Difficulty level
Unknown (require assessment)
Version
1.2.6-S1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change

Event Timeline

tjh created this task. Oct 14 2020, 12:40 AM
tjh created this object in space S1 VyOS Public.
pasik added a subscriber: pasik. Oct 14 2020, 6:35 AM
pasik added a comment. Oct 21 2020, 9:32 AM

Did this work earlier in previous releases? Is this a regression in 1.2.6-S1?

@tjh can you edit one file?

sudo nano -c +74 /opt/vyatta/bin/sudo-users/vyatta-op-conntrack-sync.pl

And replace the string

$failover_state = `cat $FAILOVER_STATE_FILE`;

with

$failover_state = `sudo cat $FAILOVER_STATE_FILE`;

Ctrl+X and Y (save)

After that check again.

Viacheslav added a comment. Edited Oct 21 2020, 3:48 PM

PR for crux https://github.com/vyos/vyatta-conntrack-sync/pull/4

vyos@r1-1.2.6:~$ show conntrack-sync status

sync-interface        : eth1
failover-mechanism    : vrrp [sync-group sync]
last state transition : BACKUP at Wed Oct 21 18:36:52 EEST 2020

Will be fixed in the new LTS release.

tjh added a comment. Fri, Nov 20, 12:23 AM

I just saw the patch above for how to fix this and yes, with that line changed to sudo it now works correctly.
Thanks!
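
The three conditions seen in this thread (state file missing on the primary, present but root-only on the backup, readable after the fix) can be told apart before the file is read, so an unreadable file produces an explicit message instead of an empty value that runs into the next output line. This is an added example, not code from VyOS or from any commenter; the function name `failover_state` is hypothetical and the default path is the one shown in the report.

```shell
#!/bin/sh
# Added example (not VyOS code). failover_state is a hypothetical helper name.
# Default path is the state file named in the report above.
STATE_FILE_DEFAULT=/var/run/vyatta-conntrackd-failover-state

failover_state() {
    f=${1:-$STATE_FILE_DEFAULT}

    if [ ! -e "$f" ]; then
        # Primary router in the report: no file, so no VRRP transition yet.
        echo "no transition yet!"
        return 0
    fi

    if [ ! -r "$f" ]; then
        # Backup router in the report: file exists (-rw------- root root) but
        # the calling user cannot read it. Report that on one complete line
        # rather than returning an empty string without a newline.
        mode=$(ls -ld "$f" | cut -c1-10)
        echo "unknown (cannot read $f as uid $(id -u); mode $mode)"
        return 1
    fi

    # Readable: the file holds the last transition text.
    cat "$f"
}

# Usage: failover_state            # checks the default path
#        failover_state /some/path # checks another file
```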