Bug #12208

ferm fails to start at boot time

Added by intrigeri almost 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: -
Target version:
Start date: 02/01/2017
Due date:
% Done: 100%
Feature Branch: bugfix/12208-ferm-fix
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

Seen this in 3.0~beta1.

Associated revisions

Revision 8ac7a044 (diff)
Added by anonym over 2 years ago

Ferm: use the variable when referring to the Live user.

The firewall will fail to start during early boot otherwise since the
"amnesia" user hasn't been created yet.

Refs: #7018
Will-fix: #12208

Revision be3ebdc1
Added by intrigeri over 2 years ago

Merge remote-tracking branch 'origin/bugfix/12208-ferm-fix' into stable (Fix-committed: #12208)

History

#1 Updated by intrigeri almost 3 years ago

Feb 01 22:33:15 localhost.localdomain ferm[366]: Starting Firewall: fermiptables-restore v1.6.0: owner: Bad value for "--uid-owner" option: "amnesia" 
Feb 01 22:33:15 localhost.localdomain ferm[366]: Error occurred at line: 35
Feb 01 22:33:15 localhost.localdomain ferm[366]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Feb 01 22:33:15 localhost.localdomain ferm[366]: Failed to run /sbin/iptables-restore
Feb 01 22:33:15 localhost.localdomain ferm[366]: Firewall rules rolled back.
Feb 01 22:33:15 localhost.localdomain ferm[366]:  failed!
Feb 01 22:33:15 localhost.localdomain systemd[1]: ferm.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 22:33:15 localhost.localdomain systemd[1]: Failed to start ferm firewall configuration.
Feb 01 22:33:15 localhost.localdomain systemd[1]: ferm.service: Unit entered failed state.
Feb 01 22:33:15 localhost.localdomain systemd[1]: ferm.service: Failed with result 'exit-code'.

That's because ferm.service starts before live-config.service is done.

#2 Updated by intrigeri almost 3 years ago

No, that's because of:

                daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
                    mod owner uid-owner amnesia ACCEPT;
                }

It should be "$amnesia_uid" like everywhere else.

This probably affects 2.10 too.
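
A check that would catch this class of mistake before boot, as an added example (not part of the ticket or of the Tails code): it scans ferm rules for uid-owner/gid-owner values written as account names, which iptables-restore has to resolve when the rules are loaded and which fail as in the log above when the account does not exist yet. The function name, the sample fragment and the UID 1000 are constructed for illustration.

```python
import re

# "uid-owner"/"gid-owner", an optional "!" before the value, then the value.
OWNER_RE = re.compile(r'\b(uid-owner|gid-owner)\s+(?:!\s*)?([^\s;{]+)')
NUMERIC_RE = re.compile(r'\d+(-\d+)?')   # a numeric id or id range

def find_symbolic_owners(ferm_text):
    """Return (line_number, keyword, name) for every owner match written as a
    literal account name rather than a $variable or a numeric id."""
    findings = []
    for lineno, line in enumerate(ferm_text.splitlines(), start=1):
        code = line.split('#', 1)[0]   # simplification: '#' starts a comment
        for keyword, value in OWNER_RE.findall(code):
            if value.startswith('$') or NUMERIC_RE.fullmatch(value):
                continue               # resolved without a passwd lookup
            findings.append((lineno, keyword, value))
    return findings

# Constructed fragment (not the real Tails ferm.conf). The second block is the
# rule quoted in comment #2; the first shows the "$amnesia_uid" form.
SAMPLE = """\
@def $amnesia_uid = 1000;
chain OUTPUT {
    daddr 127.0.0.1 proto tcp syn dport 9050 {
        mod owner uid-owner $amnesia_uid ACCEPT;
    }
    daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
        mod owner uid-owner amnesia ACCEPT;   # name looked up at load time
    }
}
"""

if __name__ == "__main__":
    for lineno, keyword, name in find_symbolic_owners(SAMPLE):
        print(f"line {lineno}: {keyword} uses account name {name!r}")
```

Run against the rules file in CI or at image build time, a non-empty result points at rules that depend on the account database being populated before the firewall loads.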

#3 Updated by intrigeri almost 3 years ago

  • Assignee changed from intrigeri to anonym
  • Target version changed from Tails_3.0 to Tails_2.11

#4 Updated by intrigeri almost 3 years ago

  • Subject changed from ferm fails to start at boot time on Stretch to ferm fails to start at boot time

#5 Updated by intrigeri almost 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#6 Updated by anonym over 2 years ago

  • Assignee changed from anonym to intrigeri
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/12208-ferm-fix

Can you take it? Otherwise I'll merge it after I've seen the branch pass our automated QA.

#7 Updated by intrigeri over 2 years ago

  • Status changed from In Progress to 11
  • % Done changed from 50 to 100

#8 Updated by intrigeri over 2 years ago

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

#9 Updated by anonym over 2 years ago

  • Status changed from 11 to Resolved
