
Removal of restricted-shell broke configure mode for RADIUS users
Closed, Resolved · Public · BUG

Description

Configure mode is broken on the most recent 1.4 rolling release for my configuration:

trae@cr01b-vyos:~$ add sys im ./vyos-1.4-rolling-202101140417-amd64.iso
Checking MD5 checksums of files on the ISO image...OK.
Done!
What would you like to name this image? [1.4-rolling-202101140417]:
OK.  This image will be named: 1.4-rolling-202101140417
Installing "1.4-rolling-202101140417" image.
Copying new release files...

Would you like to save the current configuration
directory and config file? (Yes/No) [Yes]: Copying current configuration...



Would you like to save the SSH host keys from your
current configuration? (Yes/No) [Yes]: Copying SSH keys...
Running post-install script...
Setting up grub configuration...
Done.
trae@cr01b-vyos:~$
trae@cr01b-vyos:~$
trae@cr01b-vyos:~$ reboot
Are you sure you want to reboot this system? [y/N] y
client_loop: send disconnect: Broken pipe
sh-4.4$ ssh cr01b-vyos
Welcome to VyOS
trae@cr01b-vyos's password:
Creating directory '/home/trae'.
Linux cr01b-vyos 5.10.6-amd64-vyos #1 SMP Sun Jan 10 15:49:56 UTC 2021 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
trae@cr01b-vyos:~$ configure
Exec of shell /opt/vyatta/bin/restricted-shell failed: No such file or directory
trae@cr01b-vyos:~$ ls -alh /opt/vyatta/bin/
total 115K
drwxr-xr-x 3 root root  854 Jan 13 22:21 .
drwxr-xr-x 1 root root 4.0K Jan 13 22:17 ..
-rwxr-xr-x 1 root root  388 Mar 25  2019 progress-indicator
-rwxr-xr-x 1 root root 3.7K Nov  7  2018 rename-image.pl
-rwxr-xr-x 1 root root  930 Nov  7  2018 show-dhcp-leases.pl
-rwxr-xr-x 1 root root 2.3K Nov  7  2018 show-image-storage.pl
-rwxr-xr-x 1 root root 4.8K Jan 24  2016 show-input-policy.pl
drwxr-xr-x 3 root root  783 Jan 13 22:24 sudo-users
-rwxr-xr-x 1 root root 2.0K Nov  7  2018 tech-support-archive
-rwxr-xr-x 1 root root  18K Nov  7  2018 vyatta-boot-image.pl
-rwxr-xr-x 1 root root 2.2K Jan 24  2016 vyatta-clear-firewall
-rwxr-xr-x 1 root root 1.2K Nov  7  2018 vyatta-gettime.pl
-rwxr-xr-x 1 root root  209 Nov  7  2018 vyatta-monitor
-rwxr-xr-x 1 root root  737 Nov  7  2018 vyatta-monitor-background
-rwxr-xr-x 1 root root  371 Nov  7  2018 vyatta-monitor-background-stop
-rwxr-xr-x 1 root root  306 Nov  7  2018 vyatta-monitor-check-rule-log
-rwxr-xr-x 1 root root 1.1K Nov  7  2018 vyatta-monitor-cleanup
-rwxr-xr-x 1 root root  586 Nov  7  2018 vyatta-monitor-list
-rwxr-xr-x 1 root root  140 Nov  7  2018 vyatta-op-cmd-wrapper
-rwxr-xr-x 1 root root 2.5K Nov  7  2018 vyatta-remote-copy.pl
-rwxr-xr-x 1 root root 3.4K Nov  7  2018 vyatta-show-bonding.pl
-rwxr-xr-x 1 root root  324 Nov  7  2018 vyatta-show-current-user
-rwxr-xr-x 1 root root 4.3K Nov  7  2018 vyatta-show-dhclient.pl
-rwxr-xr-x 1 root root  266 Nov  7  2018 vyatta-show-dmi
-rwxr-xr-x 1 root root  20K Jan 24  2016 vyatta-show-firewall.pl
-rwxr-xr-x 1 root root 4.7K Nov  7  2018 vyatta-show-interfaces
-rwxr-xr-x 1 root root  13K Nov  7  2018 vyatta-show-interfaces.pl
-rwxr-xr-x 1 root root  424 Jan 24  2016 vyatta-show-queue
-rwxr-xr-x 1 root root 6.7K Jan 24  2016 vyatta-show-queueing.pl
-rwxr-xr-x 1 root root 1.5K Jan 24  2016 vyatta-show-zone.pl
-rwxr-xr-x 1 root root 5.6K Nov  7  2018 vyos-strip-config.pl
trae@cr01b-vyos:~$ show ver

Version:          VyOS 1.4-rolling-202101140417
Release Train:    sagitta

Built by:         [email protected]
Built on:         Thu 14 Jan 2021 04:17 UTC
Build UUID:       29fa3022-d820-438c-81d6-8dfdc50eeec9
Build Commit ID:  ae2279e30b1222

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  Red Hat
Hardware model:   KVM
Hardware S/N:
Hardware UUID:    46be2e86-3597-4d89-a990-16357589eb49

Copyright:        VyOS maintainers and contributors

Let me know if you need me to sanitize my config and upload it here.

Details

Difficulty level: Easy (less than an hour)
Version: VyOS 1.4-rolling-202101140417
Why the issue appeared?: Other
Is it a breaking change?: Perfectly compatible

Event Timeline

Some days ago a cleanup was done on 1.4 to clean away some old legacy code; it looks like this cleanup has removed a bit too much...
https://github.com/vyos/vyatta-cfg-system/pull/136

There seems to be an unnoticed reference to restricted-shell when using RADIUS.
https://github.com/vyos/libpam-radius-auth/blob/76ad405d374f708128e0447c14bbd966d820928a/src/radius_shell.c#L125-L129

It looks like you are hitting this reference. Are you using RADIUS auth?
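
The failure mode identified in the comment above (a cleanup removes a file that another package still references by a hard-coded path) can be caught before release by scanning sources for such paths and checking them against the image root. This is an added example, not code from the VyOS project; the function names, the path pattern and the sample source file `shell_wrapper.c` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not VyOS project code): report hard-coded /opt/vyatta/
# executables referenced in a source tree that are missing from an image root.

# dangling_refs SRC_DIR IMAGE_ROOT
# Prints "path<TAB>referencing-file" for every referenced path that is not
# an executable file under IMAGE_ROOT. Prints nothing when all paths resolve.
dangling_refs() {
    src_dir=$1
    image_root=$2
    # -r recurse, -H always print the file name, -o print only the match.
    # Assumption: file names contain no ':' (used as the field separator).
    grep -rHoE '/opt/vyatta/(bin|sbin)/[A-Za-z0-9._-]+' "$src_dir" 2>/dev/null |
    sort -u |
    while IFS=: read -r file path; do
        [ -x "${image_root}${path}" ] || printf '%s\t%s\n' "$path" "$file"
    done
}

# make_sample: build a constructed source tree and image root in a temp dir
# and print the temp dir. Only one of the two referenced paths exists.
make_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/root/opt/vyatta/bin"
    cat > "$work/src/shell_wrapper.c" <<'EOF'
/* constructed sample, not the real radius_shell.c */
static const char *cfg_shell = "/opt/vyatta/bin/restricted-shell";
static const char *op_wrap   = "/opt/vyatta/bin/vyatta-op-cmd-wrapper";
EOF
    : > "$work/root/opt/vyatta/bin/vyatta-op-cmd-wrapper"
    chmod +x "$work/root/opt/vyatta/bin/vyatta-op-cmd-wrapper"
    printf '%s\n' "$work"
}

# Run the check on the constructed sample, then clean up.
sample=$(make_sample)
dangling_refs "$sample/src" "$sample/root"
rm -rf "$sample"
```

Run against the unpacked sources of every package in the image and the image's root filesystem, a non-empty result is a reason to fail the build.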

c-po changed the task status from Open to Needs testing. Jan 14 2021, 6:19 PM
c-po assigned this task to runar.
c-po triaged this task as Unbreak Now! priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Other.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po renamed this task from Configure Mode Broken in 1.4 Rolling to Removal of restricted-shell broke configure mode for RADIUS users. Jan 14 2021, 6:21 PM
Viacheslav added a subscriber: Viacheslav.

Fixed

sever@sever:~$ ssh [email protected]

Last login: Tue Oct 12 14:11:36 2021 from 192.168.122.1
vyosuser@r1-roll:~$ configure
[edit]
vyosuser@r1-roll# run show version

Version:          VyOS 1.4-rolling-202110120218
Release train:    sagitta

Built by:         [email protected]
Built on:         Tue 12 Oct 2021 02:18 UTC
Build UUID:       61315f70-21f5-4a0b-9561-023bca06ecf8
Build commit ID:  976a978d59931c