
Keepalived_vrrp: Unsafe permissions found for script ‘xxx.sh’ - disabling
Closed, Resolved (Public)

Description

Hi,

The vrrp health-check script is not working in vyos1.3.

VyOS VRRP configuration is as follows:
Master node:

group INSIDE {
    interface eth2
    no-preempt
    priority 200
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTERSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 200
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTERSIDE
}

Backup node:

group INSIDE {
    interface eth2
    no-preempt
    priority 50
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 50
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTSIDE
}

First of all, start vrrp and check the vrrp log

vyos Keepalived_vrrp[31108]:Registering Kernel netlink reflector
vyos Keepalived_vrrp[31108]:Registering Kernel netlink command channel
vyos Keepalived_vrrp[31108]:Opening file '/etc/keepalived/keepalived.conf'
vyos Keepalived_vrrp[31108]:Starting SNMP subagent
vyos Keepalived_vrrp[31108]:NET-SNMP version 5.7.3 AgentX subagent connected
vyos Keepalived_vrrp[31108]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh'
vyos Keepalived_vrrp[31108]:SECURITY VIOLATION - scripts are being executed but script_security not enabled. There are insecure scripts.
vyos Keepalived_vrrp[31108]:Registering gratuitous ARP shared channel
vyos Keepalived_vrrp[31108]:Script 'healthcheck_OUTSIDE' now returning 1
vyos Keepalived_vrrp[31108]:VRRP_Script(healthcheck_OUTSIDE)failed (exited with status 1)
vyos Keepalived_vrrp[31108]:(OUTSIDE) Entering FAULT STATE
vyos Keepalived_vrrp[31108]:VRRP_Group(MAIN) Syncing instances to FAULT state
vyos Keepalived_vrrp[31108]:(INSIDE) Entering FAULT STATE

Then I add 'enable_script_security' to the global_defs section in '/etc/keepalived/keepalived.conf':

global_defs {
    dynamic_interfaces
    script_user root
    enable_script_security
    notify_fifo /run/keepalived_notify_fifo
    notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}

Restart VRRP and check the VRRP log again:

vyos Keepalived_vrrp[31591]:Registering Kernel netlink reflector
vyos Keepalived_vrrp[31591]:Registering Kernel netlink command channel
vyos Keepalived_vrrp[31591]:Opening file '/etc/keepalived/keepalived.conf'
vyos Keepalived_vrrp[31591]:Starting SNMP subagent
vyos Keepalived_vrrp[31591]:NET-SNMP version 5.7.3 AgentX subagent connected
vyos Keepalived_vrrp[31591]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh' - disabling.
vyos Keepalived_vrrp[31591]:Disabling track script healthcheck_OUTSIDE due to insecure
vyos Keepalived_vrrp[31591]:Registering gratuitous ARP shared channel
vyos Keepalived_vrrp[31591]:(INSIDE) Entering BACKUP STATE (init)
vyos Keepalived_vrrp[31591]:(OUTSIDE) Entering BACKUP STATE (init)

The scripts' attributes are as follows:

ls -al /config/scripts
-rwxr-xr-x 1 root vyattacfg 24 Feb 23 02:10 dmvpn-backup.sh
-rwxr-xr-x 1 root vyattacfg 131 Feb 23 06:46 dmvpn-master.sh
-rwxr-xr-x 1 root vyattacfg 254 Feb 23 08:24 vrrp-check.sh
-rwxr-xr-x 1 root vyattacfg 230 Jan 26 04:29 vyos-postconfig-bootup.script

I tried to change the script permission and group to solve this issue, but unfortunately I did not get the key point.
I'd really appreciate it if you have any ideas!

Best regards,
Arvin
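The ls output above shows the script file itself is root-owned and not group- or world-writable, so a check on the file alone passes; keepalived's "Unsafe permissions" test also covers every directory above the script, which is where a walk component by component helps when troubleshooting. The following is an added example, not code from the report or from keepalived: it approximates keepalived's rule as I understand it (a component is unsafe if it is writable by a non-root owner, by a non-root group, or by others), and the sample filesystem layout and the vyattacfg gid are constructed, not taken from the reporter's router.

```python
import os
import stat

# Constructed sample filesystem: path -> (uid, gid, mode). The gid for
# vyattacfg is an assumed value; the check only cares whether it is 0 (root).
# The directories are deliberately group-writable (setgid 2775) by a non-root
# group, the file itself matches the ls output in the report (root, 0755).
VYATTACFG_GID = 103
SAMPLE_FS = {
    "/": (0, 0, stat.S_IFDIR | 0o755),
    "/config": (0, VYATTACFG_GID, stat.S_IFDIR | 0o2775),
    "/config/scripts": (0, VYATTACFG_GID, stat.S_IFDIR | 0o2775),
    "/config/scripts/vrrp-check.sh": (0, VYATTACFG_GID, stat.S_IFREG | 0o755),
}


def path_prefixes(path):
    """Return every prefix of an absolute path: '/', '/config', ..., path."""
    prefixes = ["/"]
    current = ""
    for part in os.path.normpath(path).strip("/").split("/"):
        if part:
            current += "/" + part
            prefixes.append(current)
    return prefixes


def is_unsafe(uid, gid, mode):
    """True if someone other than root could modify this path component."""
    return bool(
        (uid != 0 and mode & stat.S_IWUSR)   # writable by a non-root owner
        or (gid != 0 and mode & stat.S_IWGRP)  # writable by a non-root group
        or (mode & stat.S_IWOTH)               # writable by everyone
    )


def unsafe_components(script_path, lookup):
    """Return the prefixes of script_path that fail the check (empty = safe)."""
    return [p for p in path_prefixes(script_path) if is_unsafe(*lookup(p))]


def lookup_sample(path):
    """Stat-like lookup against the constructed sample layout."""
    return SAMPLE_FS[path]


def lookup_real(path):
    """Stat-like lookup against the live filesystem (for use on a router)."""
    st = os.stat(path)
    return st.st_uid, st.st_gid, st.st_mode


if __name__ == "__main__":
    for p in unsafe_components("/config/scripts/vrrp-check.sh", lookup_sample):
        print("unsafe component:", p)
```

On a real system, call unsafe_components with lookup_real; a root-owned, 0755 script can still be reported if a parent directory is writable by a non-root group.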

Details

Difficulty level
Unknown (require assessment)
Version
vyos1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

arvin triaged this task as High priority. Feb 25 2021, 3:51 AM
arvin created this task.
arvin created this object in space S1 VyOS Public.
arvin claimed this task.

Please ignore this task, it works fine!