Bug #10781

closed

Incorrect env variables if admin user logged in via ssh

Added by Viktor Gurov about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Category: DNS Resolver
Target version:
Start date: 07/21/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5-p1
Affected Architecture:

Description

How to reproduce:
1. ssh in as admin@
2. menu entries 16/11

After that, running 'echo <any_command> | su -m <anyuser>' on the Diagnostics / Command Prompt page shows the /etc/rc.initial menu:

pfSense - Netgate Device ID: XXX

*** Welcome to 2.4.5-RELEASE-p1 (amd64) on pf4 ***

 WAN (wan)       -> vtnet1     -> v4/DHCP4: 192.168.1.100/24
 LAN (lan)       -> vtnet0     -> v4: 192.168.2.4/24
 OPT1 (opt1)     -> vtnet2     -> v4: 172.16.3.6/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

pfSense - Netgate Device ID: XXX

*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on pf4 ***

 WAN (wan)       -> vtnet1     -> v4/DHCP4: 192.168.1.100/24
 LAN (lan)       -> vtnet0     -> v4: 192.168.2.4/24
 OPT1 (opt1)     -> vtnet2     -> v4: 172.16.3.6/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

kill: 2121: Operation not permitted

It seems that $SSH_TTY from the admin@ ssh session is used in https://github.com/pfsense/pfsense/blob/master/src/etc/skel/dot.profile

This causes DNS Resolver restart service issue https://forum.netgate.com/topic/154721/dns-resolver-issue-since-2-4-5-p1-upgrade-from-2-4-4-p3:
The following input errors were detected:

The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/unbound_server.pem: No such file or directory
[1592837331] unbound-checkconf[8845:0] fatal error: server-cert-file: "/var/unbound/test/unbound_server.pem" does not exist

as it uses the 'su -m' command: https://github.com/pfsense/pfsense/blob/ba6398892350503d60ca324d4738dcf16f5d5c8e/src/etc/inc/unbound.inc#L629

How to resolve:
1. ssh in as root@
2. menu entries 16/11

Same issue on 2.5.0.a.20200721.0050
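
The inheritance described in the report above, as an added example that is not part of the original ticket or the pfSense code: a service restarted from an SSH session keeps that session's variables, and a child that leaves its environment unmodified (as `su -m` does) sees them too. `SERVICE`, the function names and the session values are constructed; restarting through `env -i` with an allowlist is shown as a general mitigation, not as the change that was merged for this bug.

```shell
#!/bin/sh
# Constructed demo: a service restarted from an SSH session keeps that
# session's variables, and environment-preserving children inherit them.

# Hypothetical stand-in for the restarted service: it spawns one child shell
# without touching the environment, and that child dumps what it received.
SERVICE='sh -c env'

# Variables sshd sets for a login session; a daemon should not carry them.
SESSION_VARS='SSH_TTY SSH_CONNECTION SSH_CLIENT'

# Read VAR=value lines on stdin and print the session-scoped names present.
leaked_session_vars() {
    envdump=$(cat)
    found=''
    for v in $SESSION_VARS; do
        if printf '%s\n' "$envdump" | grep -q "^$v="; then
            found="$found $v"
        fi
    done
    echo "${found# }"
}

# Simulated admin SSH session (constructed values) running a command.
in_ssh_session() {
    env -i PATH="$PATH" SSH_TTY=/dev/pts/0 \
        SSH_CONNECTION='192.0.2.10 50000 192.0.2.1 22' "$@"
}

# Case 1: the service is restarted straight from the session.
restart_from_session() {
    in_ssh_session sh -c "$SERVICE" | leaked_session_vars
}

# Case 2: the restart goes through env -i with an explicit allowlist, so the
# service and everything it spawns start from a known environment.
restart_scrubbed() {
    in_ssh_session sh -c 'env -i PATH="$PATH" sh -c "$0"' "$SERVICE" |
        leaked_session_vars
}

echo "restarted from session: [$(restart_from_session)]"
echo "restarted via env -i:   [$(restart_scrubbed)]"
```

On a live FreeBSD host the same function can audit a running daemon by piping `procstat -e PID | tr ' ' '\n'` into `leaked_session_vars`.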

Actions #1

Updated by Viktor Gurov about 4 years ago

  • Category changed from Web Interface to DNS Resolver

Actions #3

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

Actions #4

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Max Leighton about 4 years ago

  • Status changed from Feedback to Resolved

When replicating the behavior in 2.4.5_1 I was also seeing this error when making changes to the DNS Resolver:

The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1600096422] unbound-checkconf[92233:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

Tested in:

2.5.0-DEVELOPMENT (amd64)
built on Mon Sep 14 07:02:16 EDT 2020
FreeBSD 12.2-PRERELEASE

And confirmed this is no longer an issue. Resolving the ticket.
