Don't consider an empty client.keys to be a failure condition #662
Conversation
|
Can someone test this? I think it's a great change, but want to make sure it works first. (adding it to my list of things to do when I can make time) |
|
I think this may break some stuff. This function is called by the agent and the server. I agree, on the server, this shouldn't be fatal, but I'm not so sure on the agent if this would fly. |
|
I thought about sticking |
|
It's not fantastic but since if (strcmp(__local_name, "ossec-remoted") != 0) {
…
} |
|
Rebased. |
chewi
force-pushed
the
empty_keys
branch
2 times, most recently
from
3b476f0
to
a40bed1
Compare
|
I finally gave this a try myself and found it segfaulted because |
|
I've now also got it to create client.keys on startup like authd does. This has to happen before dropping privileges because ossecr should not have write access. The file permissions could still be tightened up (currently root:root and 644) but authd doesn't make any effort to do this and the directory permissions at least prevent world read access. One for later perhaps. |
|
Any chance of getting this merged now? I haven't seen any ill effects since and yet another person asked about this problem on the mailing list. |
|
It looks good now, except for this function: __realloc Really confusing to use a standard C function name for this. Can you change to something more adequate to what it does? (allocate key mem) |
|
Fair enough, renamed it to __realloc_keys. |
|
Reviewed 4 of 4 files at r1. src/os_crypto/shared/keys.c, line 262 [r1] (raw file): Comments from the review on Reviewable.io |
|
Sorry i am taking so long need to review some more things within the code base. Review status: all files reviewed at latest revision, 1 unresolved discussion, some commit checks failed. Comments from the review on Reviewable.io |
|
Review status: all files reviewed at latest revision, 1 unresolved discussion, some commit checks failed. src/os_crypto/shared/keys.c, line 262 [r1] (raw file): Comments from the review on Reviewable.io |
|
I'm concerned that 2.9 may get released without this and that would be very frustrating. The code smell mentioned above isn't a showstopper and could always be improved later. |
client.keys is already reloaded each time a given key is not found in memory so there's no harm in this file being empty. In fact, it's downright annoying if you're using authd because you have to wait for the first agent to register and then manually restart the server before they can start communicating. Removing this check would make the Chef cookbook less clunky.
client.keys is already reloaded each time a given key is not found in memory so there's no harm in this file being empty. In fact, it's downright annoying if you're using authd because you have to wait for the first agent to register and then manually restart the server before they can start communicating. Removing this check would make the Chef cookbook less clunky.
Disclaimer: I haven't tested this at all because I've already sunk too much time into the cookbook. The change seems simple enough though.