extern const isc::log::MessageID COMMAND_SOCKET_WRITE = "COMMAND_SOCKET_WRITE";
extern const isc::log::MessageID COMMAND_SOCKET_WRITE_FAIL = "COMMAND_SOCKET_WRITE_FAIL";
extern const isc::log::MessageID COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING = "COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING";
+extern const isc::log::MessageID COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING = "COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING";
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR = "COMMAND_WATCH_SOCKET_CLEAR_ERROR";
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR = "COMMAND_WATCH_SOCKET_CLOSE_ERROR";
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR = "COMMAND_WATCH_SOCKET_MARK_READY_ERROR";
"COMMAND_SOCKET_WRITE", "Sent response of %1 bytes (%2 bytes left to send) over command socket %3",
"COMMAND_SOCKET_WRITE_FAIL", "Error while writing to command socket %1 : %2",
"COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING", "unix socket path is NOT SECURE: %1",
+ "COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING", "unix socket permissions are NOT SECURE: %1",
"COMMAND_WATCH_SOCKET_CLEAR_ERROR", "watch socket failed to clear: %1",
"COMMAND_WATCH_SOCKET_CLOSE_ERROR", "watch socket failed to close: %1",
"COMMAND_WATCH_SOCKET_MARK_READY_ERROR", "watch socket failed to mark ready: %1",
extern const isc::log::MessageID COMMAND_SOCKET_WRITE;
extern const isc::log::MessageID COMMAND_SOCKET_WRITE_FAIL;
extern const isc::log::MessageID COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING;
+extern const isc::log::MessageID COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING;
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR;
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR;
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR;
and the path specified for a control channel unix socket-name does
not comply with the supported path. The server will still use the
specified path but is warning that doing so may pose a security risk.
+
+% COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING unix socket permissions are NOT SECURE: %1
+This warning message is issued when security enforcement is disabled
+and the path specified for a control channel unix socket-name does
+not have the required socket permissions. The server will still use the
+specified path but is warning that doing so may pose a security risk.
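Review bot: The description says the socket-name path "does not have the required socket permissions", but the code that emits this message checks the mode of the parent directory (`socket_path_checker_->getPath()`), not the socket file. An operator reading the warning needs to know which object to fix. Wording such as `and the directory containing the control channel unix socket does not have the required permissions` would match what is checked. The logged argument also says "does not exist or does not have permssions", so the description could note that a missing directory produces the same warning.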
EXPECT_EQ(1, countFile(oss.str()));
}
+// This test verifies security warning of invalid
+// socket path permissions.
+TEST_F(UnixCommandConfigTest, securityEnforcmentFalsePermissions) {
+ setSocketTestPath("/tmp");
+ UnixCommandConfig::setSocketPathPerms(0);
+ file::PathChecker::enableEnforcement(false);
+ std::string config = R"( { "socket-name": "/tmp/mysocket" } )";
+
+ ElementPtr json;
+ ASSERT_NO_THROW(json = Element::fromJSON(config));
+ ASSERT_NO_THROW_LOG(unix_config_.reset(new UnixCommandConfig(json)));
+
+ std::ostringstream oss;
+ oss << "COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING"
+ << " unix socket permissions are NOT SECURE: socket path:/tmp"
+ << " does not exist or does not have permssions = 0";
+
+ EXPECT_EQ(1, countFile(oss.str()));
+}
+
+
} // end of anonymous namespace
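Review bot: The test changes two process-wide settings, `UnixCommandConfig::setSocketPathPerms(0)` and `file::PathChecker::enableEnforcement(false)`, and nothing in the hunk restores them. If the fixture's teardown (outside this hunk) does not reset both, later tests would run with enforcement off and a required mode of 0. A comment would make the dependency explicit: `// Perms and enforcement are static; the fixture must restore them after each test.` The expected string also pins the misspelling `permssions` from the production message, so correcting that spelling later means changing this test too.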
return(socket_path);
}
- if (!socket_path_checker_->pathHasPermissions(socket_path_perms_)) {
- isc_throw (DhcpConfigError,
- "socket path:" << socket_path_checker_->getPath()
- << " does not exist or does not have permssions = "
- << std::oct << socket_path_perms_);
+ auto parent_path = socket_path_checker_->getPath();
+ if (!hasPermissions(parent_path, socket_path_perms_)) {
+ std::ostringstream oss;
+ oss << "socket path:" << parent_path
+ << " does not exist or does not have permssions = "
+ << std::oct << socket_path_perms_;
+
+ if (PathChecker::shouldEnforceSecurity()) {
+ isc_throw (DhcpConfigError, oss.str());
+ }
+
+ LOG_WARN(command_logger, COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING)
+ .arg(oss.str());
}
return (valid_path);
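Review bot: With enforcement disabled, the new branch downgrades the "does not exist" case to a warning as well. The single `hasPermissions(parent_path, socket_path_perms_)` result stands for both a missing directory and a mode mismatch, as the message text itself says. Before this change both cases threw `DhcpConfigError`; now a missing parent directory would, if `hasPermissions` returns false for it, pass validation and only surface later when the socket is created. Consider checking the existence of `parent_path` separately and throwing regardless of `PathChecker::shouldEnforceSecurity()`, leaving only the mode mismatch as a warning, with a comment such as `// Enforcement off: a mode mismatch is logged, not rejected; a missing directory is still an error.` The enclosing function starts and ends outside the hunk.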