* 001-fail2ban-server-socket-close-on-exec-no-leak.diff
Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.
This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).
Some random references related to this bug:
http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.htmlhttp://forums.fedoraforum.org/showthread.php?t=234230
* 002-fail2ban-filters-close-on-exec-typo-fix.diff
There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.
* 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff
Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
---
File descriptors in action process before patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lrwx------ 1 root root 64 3 -> socket:[116361] <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608] <== NOK (gamin sock leak)
File descriptors in action process after patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
* commit '0.8.8-160-g74e76e0': (65 commits)
TST+BF: Use separate coveragerc for Travis CI
RF+TST: bring inBanList back from private to protected and enabled its rudimentary unittests
TST: coverage ignore Travis CI python virtual environments
ENH: increase waiting to 4 sec for gamin/pyinotify
TST+BF: Fix incorrect commands for coveralls support
TST: Add support for coveralls for python 2.6 and python 2.7
ENH: deleted trailing spaces in fail2ban- cmdline tools
DOC: minor change -- refer to the fail2ban manpage
TST: be more aggressive in cleanup of temp files + use mktemp instead of mkstemp
ENH(BF?): overload open() (for buffering) within filtertestcase to guarantee atomic writing
BF: delay check for the existence of config directory until read()
DOC: minor fix ups of manpages. fixes#159
non-static (get|set)BaseDir for Configurator. fixes#160
ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file
ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes#126
TST: basic testing of reading the shipped jail.conf (forcing all jails to be enabled)
ENH: allow to force enable all jails (for testing), do not crash for jails without actions (just warn)
ENH: minor -- add default value into the warning if option had none provided
ENH: _copy_lines_between_files -- read all needed, and only then write/flush at once
ENH: move pyinotify callback debug message into callback + delay string interpolations
...
Conflicts:
fail2ban-testcases
testcases/clientreadertestcase.py -- fix for setBaseDir will follow
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
Now it should be evaluated only if logging mode is debug or "lower", and also
should happen not only on initial detections but for every added failure.
It also reports counts per each IP now
Also to guarantee unique file names across tests -- append incremental
numeric suffix.
This should prevent unittest from not reporting specific unittest method names,
thus complicating the analysis of failures
Yaroslav Halchenko