Permissions problem after networkd-dispatcher (1.7-0ubuntu3.4) update

Asked by Roger Cornelius

This could be a documentation problem, a program bug, or both.

On Ubuntu 20.04.4, after a recent install of the update “networkd-dispatcher (1.7-0ubuntu3.4) bionic-security; urgency=medium”, scripts in /etc/networkd-dispatcher/routable.d with 700 permissions that used to run as expected fail to do so. I haven’t tested, but I expect scripts in other directories under /etc/networkd-dispatcher would have the same problem.

E.g. I have the script 50-iptables in routable.d:
# ls -l /etc/networkd-dispatcher/routable.d
total 4
-rwx------ 1 root 152 Jan 10 2021 50-iptables

After boot, I can see my iptables commands didn’t run, and ‘service networkd-dispatcher status’ returns:

May 07 14:14:49 Krieger networkd-dispatcher[581]: ERROR:invalid permissions on /etc/networkd-dispatcher/routable.d/50-iptables. Expected mode=0o755, uid=0, gid=0; got mode=0o700, uid=0, >

If I change the perms to 0755 on the 50-iptables script, the script runs at boot time as expected.

On the documentation side, permission requirements for scripts under /etc/networkd-dispatcher are not documented in the networkd-dispatcher man page.

Is this new less-strict permissions requirement intended behavior or is this a bug? I’ve looked at the update’s Changelog:

https://changelogs.ubuntu.com/changelogs/pool/main/n/networkd-dispatcher/networkd-dispatcher_1.7-0ubuntu3.4/changelog

and its stated intent seems at odds with this behavior.

Thank you

Question information

Language: English
Status: Answered
For: Ubuntu networkd-dispatcher
Assignee: No assignee
Manfred Hampl (m-hampl) said :
#1

As far as I understand, there was a security vulnerability if the access rights to the scripts were not strict enough (e.g. world writable), and the change that was introduced now checks the file protection settings (755) before activating a script.
I agree with you that even stricter access rights (700) should still be acceptable, but apparently that is not the case in the current software.

As far as I know, the file 50-iptables is not provided by the Ubuntu package, but seems to be your own configuration. I guess for the time being you do not have any other chance but setting its protection to 755.

Do you have other files in these directories? See output of
ls -l /etc/networkd-dispatcher/*

Meanwhile a new version 1.7-0ubuntu3.5 of networkd-dispatcher has been published to fix a regression, see https://ubuntu.com/security/notices/USN-5395-2
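
An added example, not part of this thread and not networkd-dispatcher's own code: a Python audit that lists hook scripts failing the exact check reported in the error message (mode 0o755, uid 0, gid 0), next to a hypothetical "no looser than 755" policy of the kind the answer above argues for. The function names and the sample tree are assumptions of this example.

```python
import os
import stat
import tempfile

EXPECTED_MODE = 0o755  # value quoted in the error message in the question


def exact_check(mode, uid, gid):
    """Behaviour reported in the question: exactly 0o755 and root:root."""
    return stat.S_IMODE(mode) == EXPECTED_MODE and uid == 0 and gid == 0


def no_looser_check(mode, uid, gid):
    """Hypothetical policy: root:root, owner-executable, and no bit set
    outside 0o755 (no group/other write, no setuid/setgid/sticky)."""
    perms = stat.S_IMODE(mode)
    return (uid == 0 and gid == 0
            and (perms & stat.S_IXUSR) != 0
            and (perms & ~EXPECTED_MODE) == 0)


def audit(base, check=exact_check):
    """Return sorted (path, octal mode, uid, gid) for files failing `check`."""
    failures = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # symlinks are reported, not followed (example's choice)
            if not check(st.st_mode, st.st_uid, st.st_gid):
                failures.append((path, oct(stat.S_IMODE(st.st_mode)),
                                 st.st_uid, st.st_gid))
    return sorted(failures)


if __name__ == "__main__":
    # Constructed sample tree standing in for /etc/networkd-dispatcher.
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "routable.d"))
        script = os.path.join(base, "routable.d", "50-iptables")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(script, 0o700)  # the mode from the question
        for row in audit(base):
            print(row)
```

On a real system, run `audit("/etc/networkd-dispatcher")` as root before rebooting to see which scripts the exact check would refuse.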

Roger Cornelius (rac-3) said :
#2

Thanks for the reply. I am aware of the later update but it does not alter the behavior. I will post something under bugs in case this falls under that category.

Thank you.
