From dfe536f475a79e899cf2915a3ba602c92aee2263 Mon Sep 17 00:00:00 2001 From: Quentin Young Date: Thu, 4 May 2017 22:46:46 +0000 Subject: [PATCH 1/5] lib: fix 'list permutations' Cyclic graphs ftw Also remove graph pretty printer from permutations.c 'cause it's not really needed anymore Signed-off-by: Quentin Young --- lib/command.c | 16 ++++++++++--- tools/permutations.c | 57 ++++++++++++++++---------------------------- 2 files changed, 34 insertions(+), 39 deletions(-) diff --git a/lib/command.c b/lib/command.c index 993d6f9055..43b2c478a0 100644 --- a/lib/command.c +++ b/lib/command.c @@ -1584,6 +1584,10 @@ permute (struct graph_node *start, struct vty *vty) static struct list *position = NULL; if (!position) position = list_new (); + struct cmd_token *stok = start->data; + struct graph_node *gnn; + struct listnode *ln; + // recursive dfs listnode_add (position, start); for (unsigned int i = 0; i < vector_active (start->to); i++) @@ -1595,8 +1599,6 @@ permute (struct graph_node *start, struct vty *vty) continue; else if (tok->type == END_TKN || gn == start) { - struct graph_node *gnn; - struct listnode *ln; vty_out (vty, " "); for (ALL_LIST_ELEMENTS_RO (position,ln,gnn)) { @@ -1609,7 +1611,15 @@ permute (struct graph_node *start, struct vty *vty) vty_out (vty, VTY_NEWLINE); } else - permute (gn, vty); + { + bool skip = false; + if (stok->type == FORK_TKN && tok->type != FORK_TKN) + for (ALL_LIST_ELEMENTS_RO (position, ln, gnn)) + if (gnn == gn && (skip = true)) + break; + if (!skip) + permute (gn, vty); + } } list_delete_node (position, listtail(position)); } diff --git a/tools/permutations.c b/tools/permutations.c index 0ca980b259..6e1a37981a 100644 --- a/tools/permutations.c +++ b/tools/permutations.c @@ -48,7 +48,6 @@ int main (int argc, char *argv[]) command_parse_format (graph, cmd); permute (vector_slot (graph->nodes, 0)); - pretty_print_graph (vector_slot (graph->nodes, 0), 0); } void 
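Review bot: The cycle guard in the new `else` branch of the @@ -1609,7 +1611,15 hunk of lib/command.c hides an assignment inside its condition, `if (gnn == gn && (skip = true)) break;`, which reads like a mistyped comparison; spell it out as `if (gnn == gn) { skip = true; break; }`. The guard also only runs for FORK_TKN → non-FORK edges, so a comment stating the assumption that the parser produces cycles only through fork nodes would help, since any other back-edge would presumably still recurse without a visited check (`position` being the only record of the current path). Both points apply equally to the copy of this code in the tools/permutations.c hunk @@ -57,56 +56,42. permute's signature and its opening lines lie before the hunk.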
@@ -57,56 +56,42 @@ permute (struct graph_node *start) static struct list *position = NULL; if (!position) position = list_new (); + struct cmd_token *stok = start->data; + struct graph_node *gnn; + struct listnode *ln; + // recursive dfs listnode_add (position, start); for (unsigned int i = 0; i < vector_active (start->to); i++) { struct graph_node *gn = vector_slot (start->to, i); struct cmd_token *tok = gn->data; - if (tok->type == END_TKN) + if (tok->attr == CMD_ATTR_HIDDEN || + tok->attr == CMD_ATTR_DEPRECATED) + continue; + else if (tok->type == END_TKN || gn == start) { - struct graph_node *gnn; - struct listnode *ln; + fprintf (stdout, " "); for (ALL_LIST_ELEMENTS_RO (position,ln,gnn)) { struct cmd_token *tt = gnn->data; if (tt->type < SPECIAL_TKN) - fprintf (stdout, "%s ", tt->text); + fprintf (stdout, " %s", tt->text); } + if (gn == start) + fprintf (stdout, "..."); fprintf (stdout, "\n"); } else - permute (gn); + { + bool skip = false; + if (stok->type == FORK_TKN && tok->type != FORK_TKN) + for (ALL_LIST_ELEMENTS_RO (position, ln, gnn)) + if (gnn == gn && (skip = true)) + break; + if (!skip) + permute (gn); + } } list_delete_node (position, listtail(position)); } - -void -pretty_print_graph (struct graph_node *start, int level) -{ - // print this node - struct cmd_token *tok = start->data; - fprintf (stdout, "%s[%d] ", tok->text, tok->type); - - int numto = vector_active (start->to); - if (numto) - { - if (numto > 1) - fprintf (stdout, "\n"); - for (unsigned int i = 0; i < vector_active (start->to); i++) - { - struct graph_node *adj = vector_slot (start->to, i); - // if we're listing multiple children, indent! - if (numto > 1) - for (int j = 0; j < level+1; j++) - fprintf (stdout, " "); - // if this node is a vararg, just print * - if (adj == start) - fprintf (stdout, "*"); - else - pretty_print_graph (adj, numto > 1 ? level+1 : level); - } - } - else - fprintf(stdout, "\n"); -} From 700f63d361ca9d88f6273a26a1b9e4179cd44dcd Mon Sep 17 00:00:00 2001 
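Review bot: This hunk applies the same traversal fix to a second, near-identical copy of `permute` (fprintf instead of vty_out), and the two had already drifted — the tools copy lacked the `CMD_ATTR_HIDDEN`/`CMD_ATTR_DEPRECATED` skip until this commit. A single implementation in lib taking an output callback would remove the duplication; failing that, a comment in each copy such as `// keep in sync with permute() in lib/command.c` makes the coupling visible so the next fix lands in both. permute's signature is only in the hunk header; the function body otherwise sits within the hunk.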
From: Lou Berger Date: Sun, 2 Apr 2017 13:55:58 -0400 Subject: [PATCH 2/5] bgp: fix a couple of instances of bm being used before init'ed Signed-off-by: Lou Berger --- bgpd/bgp_main.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 423c9453eb..55bf410628 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -363,6 +363,7 @@ main (int argc, char **argv) int bgp_port = BGP_PORT_DEFAULT; char *bgp_address = NULL; + int no_fib_flag = 0; frr_preinit(&bgpd_di, argc, argv); frr_opt_add("p:l:rne:", longopts, @@ -389,7 +390,7 @@ main (int argc, char **argv) if (tmp_port <= 0 || tmp_port > 0xffff) bgp_port = BGP_PORT_DEFAULT; else - bm->port = tmp_port; + bgp_port = tmp_port; break; case 'e': multipath_num = atoi (optarg); @@ -406,7 +407,7 @@ main (int argc, char **argv) bgp_address = optarg; /* listenon implies -n */ case 'n': - bgp_option_set (BGP_OPT_NO_FIB); + no_fib_flag = 1; break; default: frr_help_exit (1); @@ -418,6 +419,8 @@ main (int argc, char **argv) bgp_master_init (frr_init ()); bm->port = bgp_port; bm->address = bgp_address; + if (no_fib_flag) + bgp_option_set (BGP_OPT_NO_FIB); /* Initializations. */ bgp_vrf_init (); From c0734576140d104d0f9b0c67bfc5a7260a2ab15c Mon Sep 17 00:00:00 2001 From: Lou Berger Date: Sun, 2 Apr 2017 15:34:55 -0400 Subject: [PATCH 3/5] bgpd: restore -S, --skip_runas options Signed-off-by: Lou Berger --- bgpd/bgp_main.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 55bf410628..1773070fe3 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -66,6 +66,7 @@ static const struct option longopts[] = { "listenon", required_argument, NULL, 'l'}, { "retain", no_argument, NULL, 'r'}, { "no_kernel", no_argument, NULL, 'n'}, + { "skip_runas", no_argument, NULL, 'S'}, { "ecmp", required_argument, NULL, 'e'}, { 0 } }; 
@@ -151,7 +152,8 @@ sigint (void) if (! retain_mode) { bgp_terminate (); - zprivs_terminate (&bgpd_privs); + if (bgpd_privs.user) /* NULL if skip_runas flag set */ + zprivs_terminate (&bgpd_privs); } bgp_exit (0); @@ -364,6 +366,7 @@ main (int argc, char **argv) int bgp_port = BGP_PORT_DEFAULT; char *bgp_address = NULL; int no_fib_flag = 0; + int skip_runas = 0; frr_preinit(&bgpd_di, argc, argv); frr_opt_add("p:l:rne:", longopts, @@ -371,6 +374,7 @@ main (int argc, char **argv) " -l, --listenon Listen on specified address (implies -n)\n" " -r, --retain When program terminates, retain added route by bgpd.\n" " -n, --no_kernel Do not install route to kernel.\n" + " -S, --skip_runas Skip capabilities checks, and changing user and group IDs.\n" " -e, --ecmp Specify ECMP to use.\n"); /* Command line argument treatment. */ @@ -409,11 +413,16 @@ main (int argc, char **argv) case 'n': no_fib_flag = 1; break; + case 'S': + skip_runas = 1; + break; default: frr_help_exit (1); break; } } + if (skip_runas) + memset (&bgpd_privs, 0, sizeof (bgpd_privs)); /* BGP master init. */ bgp_master_init (frr_init ()); From 14f0a0f9c51950611600d7ba675d2c7275724756 Mon Sep 17 00:00:00 2001 From: Lou Berger Date: Tue, 9 May 2017 14:38:55 -0400 Subject: [PATCH 4/5] bgp rfapi: rfapi shouldn't be called (yet) for BGP VRF instances. --- bgpd/bgpd.c | 9 ++++++--- bgpd/rfapi/bgp_rfapi_cfg.c | 2 ++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c index 25bd757840..9af26f5510 100644 --- a/bgpd/bgpd.c +++ b/bgpd/bgpd.c @@ -2951,9 +2951,12 @@ bgp_create (as_t *as, const char *name, enum bgp_instance_type inst_type) bgp->as = *as; #if ENABLE_BGP_VNC - bgp->rfapi = bgp_rfapi_new(bgp); - assert(bgp->rfapi); - assert(bgp->rfapi_cfg); + if (inst_type != BGP_INSTANCE_TYPE_VRF) + { + bgp->rfapi = bgp_rfapi_new(bgp); + assert(bgp->rfapi); + assert(bgp->rfapi_cfg); + } #endif /* ENABLE_BGP_VNC */ if (name) 
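Review bot: The `if (bgpd_privs.user)` test added in sigint() is only correct because the @@ -409 hunk zeroes the entire struct with `memset (&bgpd_privs, 0, sizeof (bgpd_privs))` when -S is given, and that coupling is invisible at either site. Add a comment at the memset, e.g. `/* -S: keep the invoking uid/gid and capabilities for the daemon's lifetime; a zeroed struct also makes sigint() skip zprivs_terminate() */`, and confirm that no other shutdown path calls `zprivs_terminate (&bgpd_privs)` unguarded — sigint() is the only caller visible here. The memset runs after option parsing and before `frr_init ()`, which I take to be where privileges would otherwise be applied; the rest of sigint() lies outside the hunk.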
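Review bot: With rfapi initialisation now skipped for `BGP_INSTANCE_TYPE_VRF` in bgp_create, `bgp->rfapi` and `bgp->rfapi_cfg` stay NULL for those instances, and this commit adds exactly one NULL check for that (in bgp_rfapi_cfg_write); every other rfapi path reachable with a VRF instance would need the same guard, which cannot be verified from this hunk. A comment at the new condition would make the contract explicit: `/* VNC/rfapi is not supported on VRF instances yet: bgp->rfapi and bgp->rfapi_cfg stay NULL, so all rfapi entry points must tolerate that */`. bgp_create continues on both sides of the hunk.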
diff --git a/bgpd/rfapi/bgp_rfapi_cfg.c b/bgpd/rfapi/bgp_rfapi_cfg.c index 5ddccc906f..4f46565900 100644 --- a/bgpd/rfapi/bgp_rfapi_cfg.c +++ b/bgpd/rfapi/bgp_rfapi_cfg.c @@ -4281,6 +4281,8 @@ bgp_rfapi_cfg_write (struct vty *vty, struct bgp *bgp) int write = 0; afi_t afi; int type; + if (bgp->rfapi == NULL || hc == NULL) + return write; vty_out (vty, "!%s", VTY_NEWLINE); for (ALL_LIST_ELEMENTS (hc->nve_groups_sequential, node, nnode, rfg)) From e08dde01c513a6480b56b7cc70d8c9dcc793f076 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Tue, 9 May 2017 16:18:04 -0400 Subject: [PATCH 5/5] *: Remove ability to install frr_sudoers If the user were to uncomment last line and allow VTYSH_SHOW to be used as a non-root account, this would allow arbitrary command completion inside of vtysh via multiple -c ... -c .... lines Signed-off-by: Donald Sharp --- cumulus/etc/sudoers.d/frr_sudoers | 15 --------------- debian/frr.postinst | 1 - 2 files changed, 16 deletions(-) delete mode 100644 cumulus/etc/sudoers.d/frr_sudoers diff --git a/cumulus/etc/sudoers.d/frr_sudoers b/cumulus/etc/sudoers.d/frr_sudoers deleted file mode 100644 index 4a42fb24f4..0000000000 --- a/cumulus/etc/sudoers.d/frr_sudoers +++ /dev/null @@ -1,15 +0,0 @@ -Defaults env_keep += VTYSH_PAGER - -# Allow user in group frr to run vtysh show commands -# without a password by uncommenting the "%frr" line below. - -# Subshell commands need to be disallowed, including -# preventing the user passing command line args like 'start-shell' -# Since vtysh allows minimum non-conflicting prefix'es, that means -# anything beginning with the string "st" in any arg. That's a bit -# restrictive. -# Instead, use NOEXEC, to prevent any exec'ed commands. - -Cmnd_Alias VTY_SHOW = /usr/bin/vtysh -c show * -# %frr ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW - diff --git a/debian/frr.postinst b/debian/frr.postinst index 43d3ffa9e0..9020d7bf7a 100644 --- a/debian/frr.postinst +++ b/debian/frr.postinst 
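Review bot: The new early return tests `hc == NULL`, but `hc` is assigned outside the hunk; if that assignment reads through `bgp->rfapi` or `bgp->rfapi_cfg` (not visible here), the dereference happens before the guard and the check comes too late for VRF instances that now skip rfapi init — confirm the assignment tolerates a NULL rfapi, or move the `bgp->rfapi == NULL` test ahead of it. A short comment on the guard would also help: `/* nothing to write for instances without VNC state (e.g. VRF instances, which skip rfapi init) */`. bgp_rfapi_cfg_write's signature is only in the hunk header and its body continues after the hunk.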
@@ -15,7 +15,6 @@ frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'` chown -R ${frruid}:${frrgid} /etc/frr touch /etc/frr/vtysh.conf chgrp ${frrvtygid} /etc/frr/vtysh* -chmod 440 /etc/sudoers.d/frr_sudoers chmod 644 /etc/frr/* ENVIRONMENTFILE=/etc/environment