Exec module questions, v4


Exec module questions, v4

Users mailing list
Hi all,
  Does the exec module in v4 still support "non-xlat" use, i.e. where you stipulate a program, run it, maybe collect output pairs values?

If so, I have an example where the execution is a bit different from v3, and wanted to query it.

Using pretty much stock setup, only just added two bits - one to update the cleartext-password for chap testing, and the other to reject the user every time, for another reason.

I have an exec module "testexec"

exec testexec {
  program='/etc/freeradius/test.sh'
  wait = yes
  input_pairs = request
  output_pairs = reply
}

And my test.sh program

#!/bin/bash
echo "Reply-Message := \"hello\""
exit 0

Some observations

- The stdout output "pickup" didn't seem to be consistent, here I've used radtest to fire a test auth twice in a row without changing anything (let me know if you'd like to see the complete output)

..
(0)    pap - Setting &control:Auth-Type = pap
(0)    pap (updated)
(0)    testexec (yield)
(0)    EXPAND /etc/freeradius/test.sh
(0)      --> /etc/freeradius/test.sh
(0)    Running request
(0)    tmpl - Resuming execution
(0)    testexec - EXEC GOT -- Reply-Message := \"hello\"
(0)    testexec (ok)
..
pap - Setting &control:Auth-Type = pap
(1)    pap (updated)
(1)    testexec (yield)
(1)    EXPAND /etc/freeradius/test.sh
(1)      --> /etc/freeradius/test.sh
(1)    Running request
(1)    tmpl - Resuming execution
(1)    testexec (ok)
..



- Also, the module return code isn't the same as it used to be, i.e. where 0 was ok, 1 was reject, 2 fail, as per https://networkradius.com/doc/3.0.10/raddb/mods-available/exec.html

If I modify the program to:

#!/bin/bash
echo "Reply-Message := \"hello\""
exit 1

./test.sh ; echo $?
Reply-Message := "hello"
1

I still get (ok), not (reject), and some more output inconsistency, one has status code, one not, even with no modifications (except the exit code in the script) or restarting the service

(3)    pap - Setting &control:Auth-Type = pap
(3)    pap (updated)
(3)    testexec (yield)
(3)    EXPAND /etc/freeradius/test.sh
(3)      --> /etc/freeradius/test.sh
(3)    Running request
(3)    tmpl - Resuming execution
(3)    testexec (ok)

pap - Setting &control:Auth-Type = pap
(4)    pap (updated)
(4)    testexec (yield)
(4)    EXPAND /etc/freeradius/test.sh
(4)      --> /etc/freeradius/test.sh
(4)    Running request
(4)    tmpl - Resuming execution
(4)    Program failed with status code 1
(4)    testexec (ok)

I'm not modifying the module behaviour with { reject=1 } etc.

We used to rely on the text output, even if the exit code was non zero, and that exit code value to do some more stuff after a CoA request.

I should try modifying my unlang to do some xlats instead, but thought I'd ask first - is it just me - do I not understand deliberate changes that have taken place?

I've tried changing shell_escape value, using sh instead of bash, with similar results.

Thanks!

Andy






********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services.

For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Exec module questions, v4

Alan DeKok-2
On Jul 31, 2020, at 9:00 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
>  Does the exec module in v4 still support "non-xlat" use, i.e. where you stipulate a program, run it, maybe collect output pairs values?

  It should.

  The main issue is that we're using libkqueue for our event library.  And libkqueue doesn't have good support for handling child processes.  We have patches for it, but they need to be integrated back into the main libkqueue distribution.

> Some observations
>
> -          The stdout output "pickup" didn't seem to be consistent, here I've used radtest to fire a test auth twice in a row without changing anything (let me know if you'd like to see the complete output)

  Yes.  There are race conditions using libkqueue.  So the result from the child is sometimes picked up, and sometimes not.  :(

  We're working on fixing it.

> -          Also, the module return code isn't the same as it used to be, i.e. where 0 was ok, 1 was reject, 2 fail, as per https://networkradius.com/doc/3.0.10/raddb/mods-available/exec.html

  Ah yes... I'll push a fix.

> We used to rely on the text output, even if the exit code was non zero, and that exit code value to do some more stuff after a CoA request.

  It should still get the text output when the exit code is >= 0

> I should try modifying my unlang to do some xlats instead, but thought I'd ask first - is it just me - do I not understand deliberate changes that have taken place?

  It should behave largely the same as v3.

  Alan DeKok.



RE: Exec module questions, v4

Users mailing list
Ah, great Alan, thanks for the update. I'll maybe have a look into running it a different way, maybe through python or similar for the time being, possibly that's what people more typically do with CoA logoff requests.

Happy to also try any libkqueue patches, if that can be compiled separately.

I've submitted a separate crash report about a loop on github, but I might be able to work around it too, not the right place to discuss here.

Kind regards
Andy


Re: Exec module questions, v4

Alan DeKok-2
On Jul 31, 2020, at 9:34 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
>
> Ah, great Alan, thanks for the update. I'll maybe have a look into running it a different way, maybe through python or similar for the time being, possibly that's what people more typically do with CoA logoff requests.

  If you're sending CoA packets, you can just use the radius module.  There's no need to call exec!

  That requires, of course, one "radius" module per CoA destination.  But we're working on fixing that, too.

> Happy to also try any libkqueue patches, if that can be compiled separately.
>
> I've submitted a separate crash report about a loop on github, but I might be able to work around it too, not the right place to discuss here.

  I'll take a look, thanks.

  I've pushed patches which should get the correct status code, and set Module-Failure-Message when status is FAILED

  Alan DeKok.



FW: Exec module questions, v4

Users mailing list
Hi Alan,
  Thanks for the update to the program last week, just testing here.
It seems to be taking the return code (when available) as multiple of 256 of the actual exit code, unless 0 now:

(0)    testexec (yield)
(0)    EXPAND /etc/freeradius/test.sh
(0)      --> /etc/freeradius/test.sh
(0)    Running request
(0)    tmpl - Resuming execution
(0)    Program failed with status code 1
(0)    testexec - ERROR: Program returned invalid code (greater than max rcode) (256 > 9): (null)
(0)    testexec (fail)

(0)    EXPAND /etc/freeradius/test.sh
(0)      --> /etc/freeradius/test.sh
(0)    Running request
(0)    tmpl - Resuming execution
(0)    Program failed with status code 5
(0)    testexec - ERROR: Program returned invalid code (greater than max rcode) (1280 > 9): (null)
(0)    testexec (fail)

Another kqueue issue?

I did try libkqueue 2.4.0, compiled from the github repo, but I guess it's in test, as it never exits, then freeradius crashes.. just in case of interest, please ignore if not;

(0)    testexec (yield)
(0)    EXPAND /etc/freeradius/test.sh
(0)      --> /etc/freeradius/test.sh
proto_radius_udp - Received Access-Request ID 90 length 82 radius_udp server * port 1812
(1)  Received Access-Request ID 90 from 127.0.0.1:52250 to 127.0.0.1:1812 length 82 via socket radius_udp server * port 1812
(1)    User-Name = "123456789012"
(1)    User-Password = "123456789012"
(1)    NAS-IP-Address = 127.0.1.1
(1)    NAS-Port = 1
(1)    Message-Authenticator = 0x17c3bf3a8f0549007cf688555a0b2d7e
(1)  WARNING: Discarding duplicate of request (0)
(0)    ERROR: Timeout running program - killing it and failing the request
(0)    Running request
(0)    tmpl - Resuming execution
ASSERT FAILED src/lib/unlang/tmpl.c[316]: state->pid > 0
CAUGHT SIGNAL: Aborted
Backtrace of last 14 frames:
/usr/lib/freeradius/libfreeradius-util.so(fr_fault+0x104)[0x7efcc9d6a7cc]
/usr/lib/freeradius/libfreeradius-util.so(_fr_assert_fatal+0x0)[0x7efcc9d6b43c]
/usr/lib/freeradius/libfreeradius-unlang.so(+0x20c98)[0x7efcc9e43c98]
/usr/lib/freeradius/libfreeradius-unlang.so(+0x17de1)[0x7efcc9e3ade1]
/usr/lib/freeradius/libfreeradius-unlang.so(unlang_interpret+0x299)[0x7efcc9e3b734]
/usr/lib/freeradius/proto_radius_auth.so(+0x3079)[0x7efcc8f8a079]
/usr/lib/freeradius/libfreeradius-io.so(+0x1f737)[0x7efcc9e0f737]
/usr/lib/freeradius/libfreeradius-io.so(fr_worker_post_event+0x4d)[0x7efcc9e10480]
/usr/lib/freeradius/libfreeradius-util.so(fr_event_service+0x9b1)[0x7efcc9d80ae4]
/usr/lib/freeradius/libfreeradius-util.so(fr_event_loop+0x67)[0x7efcc9d80bea]
/usr/lib/freeradius/libfreeradius-server.so(main_loop_start+0x82)[0x7efcc9ed5be3]
freeradius(main+0x148e)[0x561e1c353bd2]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x7efcc976e0b3]
freeradius(_start+0x2e)[0x561e1c3523ee]
No panic action set
Aborted

Thanks
Andy


Re: Exec module questions, v4

Alan DeKok-2
On Aug 4, 2020, at 6:15 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
>  Thanks for the update to the program last week, just testing here.
> It seems to be taking the return code (when available) as multiple of 256 of the actual exit code, unless 0 now:

  OK.  I've pushed a fix.

> Another kqueue issue?
>
> I did try libkqueue 2.4.0, compiled from the github repo, but I guess it's in test, as it never exits, then freeradius crashes.. just in case of interest, please ignore if not;

  An assert is not a crash.  It's a positive signal that the server caught something wrong, and died rather than running in an unknown state.

> (0)    ERROR: Timeout running program - killing it and failing the request
> (0)    Running request
> (0)    tmpl - Resuming execution
> ASSERT FAILED src/lib/unlang/tmpl.c[316]: state->pid > 0

  I've pushed a fix for that, too.

  But to be honest, you really shouldn't be running a long-lived radclient program from `exec`.  See raddb/mods-available/radius.  The server supports sending RADIUS packets natively, as with v3.

  Alan DeKok.
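
The values 256 and 1280 reported in this exchange equal 1 × 256 and 5 × 256, which is what a raw waitpid() status looks like on Linux before the exit code is extracted with WEXITSTATUS(). The following is an added example, not FreeRADIUS code and not part of the original posts; run_child, exit_code_from_status, rcode_for and MAX_RCODE are hypothetical names, and only the 0/1/2 meanings and the limit of 9 are taken from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_RCODE 9 /* assumption: the limit printed in the log, "(256 > 9)" */

/* Run cmd through /bin/sh, copy its stdout into out, return the RAW wait
 * status exactly as waitpid() stored it (-1 if the child could not be run). */
static int run_child(const char *cmd, char *out, size_t outlen)
{
    int fds[2], raw = -1;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) < 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    /* Drain the pipe to EOF before reaping, so output is not lost. */
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    return waitpid(pid, &raw, 0) < 0 ? -1 : raw;
}

/* Exit code 0..255, or -1 if the child did not exit normally. */
static int exit_code_from_status(int raw)
{
    return WIFEXITED(raw) ? WEXITSTATUS(raw) : -1;
}

/* Hypothetical rcode lookup: only 0, 1 and 2 are named in the thread. */
static const char *rcode_for(int code)
{
    if (code < 0 || code > MAX_RCODE) return "fail"; /* out of range */
    if (code == 0) return "ok";
    if (code == 1) return "reject";
    if (code == 2) return "fail";
    return "other"; /* 3..9: not described on this page */
}

int main(void)
{
    char out[256];
    int raw = run_child("echo 'Reply-Message := \"hello\"'; exit 5", out, sizeof(out));
    int code = exit_code_from_status(raw);
    printf("stdout: %sraw status %d -> %s\nexit code %d -> %s\n",
           out, raw, rcode_for(raw), code, rcode_for(code));
    return 0;
}
```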




RE: Exec module questions, v4

Users mailing list
Thanks very much for the fixes, appreciated.

Noted re the long-lived running script. I was probably a bit ambiguous in the last email; the timeout was introduced by compiling libkqueue to try and get around the exec race condition talked about, rather than using the built-in libkqueue* packages.
The built-in ones execute quickly but don't always report output / exit codes, but with the source-built libkqueue it just doesn't finish execution, timing out. Not a fault of Freeradius.

Thank you again
Andy
