From nakaji@boggy.acest.tutrp.tut.ac.jp  Thu Dec 13 17:37:02 2001
Return-Path: <nakaji@boggy.acest.tutrp.tut.ac.jp>
Received: from boggy.acest.tutrp.tut.ac.jp (boggy.acest.tutrp.tut.ac.jp [133.15.67.40])
	by hub.freebsd.org (Postfix) with ESMTP id D7B7537B405
	for <freebsd-gnats-submit@freebsd.org>; Thu, 13 Dec 2001 17:37:01 -0800 (PST)
Received: (from root@localhost)
	by boggy.acest.tutrp.tut.ac.jp (8.11.6+3.4W/8.11.6) id fBE1aua24041
	for freebsd-gnats-submit@freebsd.org; Fri, 14 Dec 2001 10:36:56 +0900 (JST)
Received: (from nakaji@localhost)
	by boggy.acest.tutrp.tut.ac.jp (8.11.6+3.4W/8.11.6av) id fBE1ass24033;
	Fri, 14 Dec 2001 10:36:54 +0900 (JST)
Message-Id: <200112140136.fBE1ass24033@boggy.acest.tutrp.tut.ac.jp>
Date: Fri, 14 Dec 2001 10:36:54 +0900 (JST)
From: NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
Reply-To: NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: /etc/periodic/security/[56]50.ip{,6}fwlimit error
X-Send-Pr-Version: 3.113
X-GNATS-Notify: cjc

>Number:         32822
>Category:       bin
>Synopsis:       /etc/periodic/security/[56]50.ip{,6}fwlimit error
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 13 17:40:01 PST 2001
>Closed-Date:    Fri Dec 14 01:01:04 PST 2001
>Last-Modified:  Fri Dec 14 01:01:39 PST 2001
>Originator:     NAKAJI Hiroyuki
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Mon Dec 10 17:06:01 JST 2001 root@boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386


>Description:

	In daily mails from root, I see

	Checking for passwordless accounts:
	[: : out of range
	[: : out of range

	And checked the scripts in /etc/periodic/security to find which
	one says 'out of range'. They are 550.ipfwlimit and
	650.ip6fwlimit.

	They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and
	compare it with 0. But on my current system, the variables are
	both null strings because the kernel does not have
	"options IPFIREWALL" nor "options IPV6FIREWALL",
	so that the 'test' fails.

>How-To-Repeat:

	/bin/sh -x /etc/periodic/550.ipfwlimit
	[snip]
	+ sysctl -n net.inet.ip.fw.verbose_limit
	+ IPFW_LOG_LIMIT=
	+ [ 1 -eq 0 -a  -ne 0 ]
	[: : out of range

	/bin/sh -x /etc/periodic/650.ip6fwlimit
	[snip]
	+ sysctl -n net.inet6.ip6.fw.verbose_limit
	+ IP6FW_LOG_LIMIT=
	+ [ 1 -eq 0 -a  -ne 0 ]
	[: : out of range


>Fix:

	If you don't have net.inet.ip.fw.verbose_limit or
	net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT}
	and ${IP6FW_LOG_LIMIT} should be 0.

	Here is a diff.

Index: 550.ipfwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v
retrieving revision 1.1
diff -u -r1.1 550.ipfwlimit
--- 550.ipfwlimit	7 Dec 2001 23:57:38 -0000	1.1
+++ 550.ipfwlimit	14 Dec 2001 01:27:40 -0000
@@ -44,6 +44,7 @@
 case "$daily_status_security_ipfwlimit_enable" in
     [Yy][Ee][Ss])
 	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+	test -z "${IPFW_LOG_LIMIT}" && IPFW_LOG_LIMIT=0
 	if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
 	    ipfw -a l | grep " log " | perl -n -e \
 		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
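Review bot: The added `test -z "${IPFW_LOG_LIMIT}" && IPFW_LOG_LIMIT=0` line sits between the sysctl assignment and `if [ $? -eq 0 ...`, so `$?` now holds the status of the new line instead of sysctl's. When sysctl succeeds and prints a value, `test -z` returns 1, `$?` is 1, and the report below is skipped on exactly the systems that have ipfw; when sysctl fails, `$?` becomes 0 and the condition is false only because the limit was just forced to 0. Save the sysctl status in a variable before defaulting the limit, or drop the extra line and default inside the comparison with `"${IPFW_LOG_LIMIT:-0}"`.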
Index: 650.ip6fwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v
retrieving revision 1.1
diff -u -r1.1 650.ip6fwlimit
--- 650.ip6fwlimit	7 Dec 2001 23:57:38 -0000	1.1
+++ 650.ip6fwlimit	14 Dec 2001 01:27:59 -0000
@@ -44,6 +44,7 @@
 case "$daily_status_security_ip6fwlimit_enable" in
     [Yy][Ee][Ss])
 	IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+	test -z "${IP6FW_LOG_LIMIT}" && IP6FW_LOG_LIMIT=0
 	if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
 	    ip6fw -a l | grep " log " | perl -n -e \
 		'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
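Review bot: Same `$?` problem as in 550.ipfwlimit: after the added `test -z "${IP6FW_LOG_LIMIT}" && IP6FW_LOG_LIMIT=0`, the `$? -eq 0` operand on the next line tests that line's status, not the exit status of `sysctl -n net.inet6.ip6.fw.verbose_limit`. With a non-empty limit the `if` can never be true, so the ip6fw report is never produced. Keep the status check directly after the assignment, or capture the status first and compare the saved value.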
>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@FreeBSD.org>
To: NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Date: Fri, 14 Dec 2001 10:50:57 +0200

 On Fri, Dec 14, 2001 at 10:36:54AM +0900, NAKAJI Hiroyuki wrote:
 > 
 > 	In daily mails from root, I see
 > 
 > 	Checking for passwordless accounts:
 > 	[: : out of range
 > 	[: : out of range
 > 
 > 	And checked the scripts in /etc/periodic/security to find which
 > 	one says 'out of range'. They are 550.ipfwlimit and
 > 	650.ip6fwlimit.
 > 
 > 	They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and
 > 	compare it with 0. But on my current system, the variables are
 > 	both null strings because the kernel does not have
 > 	"options IPFIREWALL" nor "options IPV6FIREWALL",
 > 	so that the 'test' fails.
 > 
 > >How-To-Repeat:
 > 
 > 	/bin/sh -x /etc/periodic/550.ipfwlimit
 > 	[snip]
 > 	+ sysctl -n net.inet.ip.fw.verbose_limit
 > 	+ IPFW_LOG_LIMIT=
 > 	+ [ 1 -eq 0 -a  -ne 0 ]
 > 	[: : out of range
 > 
 > 	/bin/sh -x /etc/periodic/650.ip6fwlimit
 > 	[snip]
 > 	+ sysctl -n net.inet6.ip6.fw.verbose_limit
 > 	+ IP6FW_LOG_LIMIT=
 > 	+ [ 1 -eq 0 -a  -ne 0 ]
 > 	[: : out of range
 > 
 > 
 > >Fix:
 > 
 > 	If you don't have net.inet.ip.fw.verbose_limit or
 > 	net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT}
 > 	and ${IP6FW_LOG_LIMIT} should be 0.
 > 
 > 	Here is a diff.
 > 
 Yeah, this is a nasty "feature" of test(1)'s "-a" operator.
 In the following expression, "expression1 -a expression2",
 expression2 is executed even if expression1 is false.
 
 The correct fix would be:
 
 Index: 550.ipfwlimit
 ===================================================================
 RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v
 retrieving revision 1.1
 diff -u -r1.1 550.ipfwlimit
 --- 550.ipfwlimit	2001/12/07 23:57:38	1.1
 +++ 550.ipfwlimit	2001/12/14 08:52:43
 @@ -44,7 +44,7 @@
  case "$daily_status_security_ipfwlimit_enable" in
      [Yy][Ee][Ss])
  	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
 -	if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
 +	if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
  	    ipfw -a l | grep " log " | perl -n -e \
  		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
  	    if [ -s "${TMP}" ]; then
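Review bot: The new `[ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]` condition still depends on `$?` being read on the line directly after the backquoted sysctl assignment, and it silently changes meaning as soon as any command is placed between the two lines. Testing the assignment itself removes that coupling, since an assignment from a command substitution returns the substituted command's status: start the condition with `if IPFW_LOG_LIMIT=$(sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null) &&` and keep the second `[ ... ]` as it is. Failing that, a comment on the assignment saying that `$?` is consumed by the next line would help.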
 Index: 650.ip6fwlimit
 ===================================================================
 RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v
 retrieving revision 1.1
 diff -u -r1.1 650.ip6fwlimit
 --- 650.ip6fwlimit	2001/12/07 23:57:38	1.1
 +++ 650.ip6fwlimit	2001/12/14 08:52:43
 @@ -44,7 +44,7 @@
  case "$daily_status_security_ip6fwlimit_enable" in
      [Yy][Ee][Ss])
  	IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
 -	if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
 +	if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
  	    ip6fw -a l | grep " log " | perl -n -e \
  		'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
  	    if [ -s "${TMP}" ]; then
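Review bot: On the unchanged perl line in this hunk, `$IP6FW_LOG_LIMIT` is spliced into the program text by closing and reopening the single quotes, so its content is parsed as perl code. With this change the line is reached only after `[ "${IP6FW_LOG_LIMIT}" -ne 0 ]` has accepted the value as an integer, which is what keeps the splice safe; a short comment saying so, or handing the limit to perl through the environment, would keep a later edit of the condition from removing that guarantee. The redirect `> ${TMP}` is also unquoted while `-s "${TMP}"` on the last line of the hunk is quoted.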
 
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
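
The evaluation difference described in the reply above, as an added example that is not part of the original PR or of the FreeBSD scripts. The function names and input values are constructed; `n/a` stands in for unusable sysctl output, and the sysctl exit status is passed in as an argument.

```shell
#!/bin/sh
# Added example: models the status check from 550.ipfwlimit.
# $1 = exit status of the sysctl call, $2 = what sysctl printed.

# Original form: one test(1) call joined with -a. Both operands are
# evaluated, so an unusable limit is an error even when $1 is non-zero.
check_legacy() {
    [ "$1" -eq 0 -a "$2" -ne 0 ]
}

# Form from the follow-up: two test(1) calls joined by the shell's &&.
# The second call only runs when the first one succeeded.
check_fixed() {
    [ "$1" -eq 0 ] && [ "$2" -ne 0 ]
}

# classify FORM RC LIMIT -> prints "run", "skip" or "error"
classify() {
    st=0
    "$1" "$2" "$3" 2>/dev/null || st=$?
    case $st in
        0) echo run ;;      # report would be generated
        1) echo skip ;;     # condition false, nothing to do
        *) echo error ;;    # test(1) itself failed (status > 1)
    esac
}

show() {
    printf 'rc=%s limit=%-5s legacy=%-5s fixed=%s\n' "$1" "'$2'" \
        "$(classify check_legacy "$1" "$2")" \
        "$(classify check_fixed "$1" "$2")"
}

# Constructed cases
show 0 100    # sysctl present, limit set
show 0 0      # sysctl present, logging unlimited
show 1 n/a    # sysctl failed, output unusable
show 1 ""     # the PR's case; the legacy diagnostic depends on the test(1) in use
```
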
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Fri Dec 14 01:01:04 PST 2001 
State-Changed-Why:  
Fixed in a slightly different way, thanks for the spot! 


Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Fri Dec 14 01:01:04 PST 2001 
Responsible-Changed-Why:  

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32822 
>Unformatted:
