Tux

...making Linux just a little more fun!

Can you give your suggestion on this?

kathik kumar [karthikgiri1984 at gmail.com]


Thu, 26 Feb 2009 18:26:18 +0530

Hi,

I have installed my ipsec tools in my linux-server. I am observing some issues while testing.

These are the steps, i done:

============================
 
   http://ipsec-tools.sourceforge.net http://ipsec-tools.sourceforge.net for
installation (tar file location)
 
   a. Copy the file *.tar.gz to your linux machine
   b. Untar the file tar xvzf *.tar.gz
   c. Then issue ./bootstrap
   d. Issue ./Configure
   e. Go to src directory. Setkey is installed
   f. Setkey is available in the /sbin directory. so i changed the name and
Copy the setkey directory to /sbin.
   g. Then created set-key file.
 
[root@linux scripts]$ cat set-key
#!/sbin/setkey -f
flush;
 
spdflush;
 
add 10.0.0.1 11.0.0.2 ah 500 -A hmac-md5 0xabcd1234abcd1234abcd1234abcd1234;
add 11.0.0.2 10.0.0.1 ah 600 -A hmac-md5 0xabcd1234abcd1234abcd1234abcd1234;
 
#add 10.0.0.1 11.0.0.2 ah 500 -A hmac-sha1
0xabcd1234abcd1234abcd1234abcd1234abcd1234;
#add 11.0.0.2 10.0.0.1 ah 600 -A hmac-sha1
0xabcd1234abcd1234abcd1234abcd1234abcd1234;
 
add 10.0.0.1 11.0.0.2 esp 500 -E 3des-cbc
0x1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd -A hmac-md5
0x1234abcd1234abcd1234abcd1234abcd;
add 11.0.0.2 10.0.0.1 esp 600 -E 3des-cbc
0x1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd -A hmac-md5
0x1234abcd1234abcd1234abcd1234abcd;
 
spdadd 10.0.0.1/32[any] 11.0.0.2/32[any] any -P out ipsec
ah/transport//require esp/transport//require;
spdadd 11.0.0.2/32[any] 10.0.0.1/32[any] any -P in ipsec
ah/transport//require esp/transport//require;
 
spdadd 10.0.0.1/32[any] 11.0.0.2/32[any] any -P out ipsec
ah/tunnel/10.0.0.1-11.0.0.2/require;
spdadd 11.0.0.2/32[any] 10.0.0.1/32[any] any -P in ipsec
ah/tunnel/11.0.0.2-10.0.0.1/require;
 
  h. The issue is, The file has full permission, but it says permission
denied.
 
-rwxrwxrwx  1 root     root 1054 Feb 26 04:44 set-key
[root@linux scripts]$ ./set-key
./set-key: Permission denied.  -------------->>>>>>>>>>ISSUE
[root@linux scripts]$

Could you please let me know about this issue?

Thanks -Karthik


Top    Back


Thomas Adam [thomas.adam22 at gmail.com]


Thu, 26 Feb 2009 13:01:33 +0000

2009/2/26 kathik kumar <karthikgiri1984@gmail.com>:

>       g. Then created set-key file.

... and them promptly didn't make it executable. Marvellous.

chmod +x set-key

-- Thomas Adam


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 13:08:50 +0000

On Thursday 26 February 2009 12:56:18 kathik kumar wrote: <SNIP >

> [root@linux scripts]$ cat set-key
> #!/sbin/setkey -f
> flush;

<SNIP >

>   h. The issue is, The file has full permission, but it says permission
> denied.
>
> -rwxrwxrwx  1 root     root 1054 Feb 26 04:44 set-key
> [root@linux scripts]$ ./set-key
> ./set-key: Permission denied.  -------------->>>>>>>>>>ISSUE
> [root@linux scripts]$

That "#!/sbin/setkey -f" could be the source of the problem. What does ls -l /sbin/setkey tell you?

HTH

Neil Youngman


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 13:10:32 +0000

On Thursday 26 February 2009 13:01:33 Thomas Adam wrote:

> 2009/2/26 kathik kumar <karthikgiri1984@gmail.com>:
> >    g. Then created set-key file.
>
> ... and them promptly didn't make it executable.  Marvellous.
>
> ``
> chmod +x set-key
> ''

If you read a bit further, Kathik says

  h. The issue is, The file has full permission, but it says permission
denied.
 
-rwxrwxrwx  1 root     root 1054 Feb 26 04:44 set-key

That looks executable to me, unless I'm more confused than usual.

Neil


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 14:39:10 +0000

On Thursday 26 February 2009 14:13:55 you wrote:

> Hi,
>
>     #!/sbin/setkey is a dirctory, which has some tools related to ipsec.

I'm pretty sure that's the problem. A first line starting with #! is known as a sha-bang. It tells Linux that the script should be interpreted by the command given, e.g. "#!/bin/bash" requires the bash shell.

In this case you are telling Linux that it should run "/sbin/setkey -f" to interpret the set-key script. As /sbin/setkey is not an executable file it will fail, as you have observed.

Neil

P.S. Please direct your replies to the list, so that others can assist and the answer is available to publish in the Gazette.


Top    Back


kathik kumar [karthikgiri1984 at gmail.com]


Thu, 26 Feb 2009 20:34:42 +0530

Hi,

Thanks for your quick reply, Then can i use "#!/bin/setkey" in first line of the set-key file.

Regards -Karthik


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 15:09:09 +0000

On Thursday 26 February 2009 15:04:42 kathik kumar wrote:

> Hi,
>
>   Thanks for your quick reply, Then can i use "#!/bin/setkey" in first line
> of the set-key file.

Possibly.

If /bin/setkey is a binary capable of interpreting the set-key file correctly, than that should work.

Neil


Top    Back


kathik kumar [karthikgiri1984 at gmail.com]


Thu, 26 Feb 2009 20:45:14 +0530

Hi,

Still am facing the issue.

[root@linux /bin]$ ls -ltr setkey
total 372
-rwxrwxrwx  1 root root  1812 Feb 26 07:00 vchar.h
-rwxrwxrwx  1 root root 10242 Feb 26 07:00 token.l
-rwxrwxrwx  1 root root 88539 Feb 26 07:00 token.c
-rwxrwxrwx  1 root root 15946 Feb 26 07:00 test-pfkey.c
-rwxrwxrwx  1 root root 18557 Feb 26 07:00 setkey.c
-rwxrwxrwx  1 root root 20213 Feb 26 07:00 setkey.8
-rwxrwxrwx  1 root root  1206 Feb 26 07:00 scriptdump.pl
-rwxrwxrwx  1 root root   862 Feb 26 07:00 sample-policy02.cf
-rwxrwxrwx  1 root root   342 Feb 26 07:00 sample-policy01.cf
-rwxrwxrwx  1 root root  9000 Feb 26 07:00 sample.cf
-rwxrwxrwx  1 root root 34679 Feb 26 07:00 parse.y
-rwxrwxrwx  1 root root  4491 Feb 26 07:00 parse.h
-rwxrwxrwx  1 root root 89135 Feb 26 07:00 parse.c
-rwxrwxrwx  1 root root 17950 Feb 26 07:00 Makefile.in
-rwxrwxrwx  1 root root   448 Feb 26 07:00 Makefile.am
-rwxrwxrwx  1 root root 17961 Feb 26 07:00 Makefile
-rwxrwxrwx  1 root root   637 Feb 26 07:00 extern.h
[root@linux /bin]$
 
[root@linux scripts]$ cat set-key
#!/bin/setkey -f
flush;
spdflush;
add 10.0.0.1 11.0.0.2 ah 500 -A hmac-md5 0xabcd1234abcd1234abcd1234abcd1234;
add 11.0.0.2 10.0.0.1 ah 600 -A hmac-md5 0xabcd1234abcd1234abcd1234abcd1234;
#add 10.0.0.1 11.0.0.2 ah 500 -A hmac-sha1
0xabcd1234abcd1234abcd1234abcd1234abcd1234;
#add 11.0.0.2 10.0.0.1 ah 600 -A hmac-sha1
0xabcd1234abcd1234abcd1234abcd1234abcd1234;
add 10.0.0.1 11.0.0.2 esp 500 -E 3des-cbc
0x1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd -A hmac-md5
0x1234abcd1234abcd1234abcd1234abcd;
add 11.0.0.2 10.0.0.1 esp 600 -E 3des-cbc
0x1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd -A hmac-md5
0x1234abcd1234abcd1234abcd1234abcd;
 
spdadd 10.0.0.1/32[any] 11.0.0.2/32[any] any -P out ipsec
ah/transport//require esp/transport//require;
spdadd 11.0.0.2/32[any] 10.0.0.1/32[any] any -P in ipsec
ah/transport//require esp/transport//require;
spdadd 10.0.0.1/32[any] 11.0.0.2/32[any] any -P out ipsec
ah/tunnel/10.0.0.1-11.0.0.2/require;
spdadd 11.0.0.2/32[any] 10.0.0.1/32[any] any -P in ipsec
ah/tunnel/11.0.0.2-10.0.0.1/require;
[root@linux scripts]$ ./set-key
./set-key: Permission denied.
[root@linux scripts]$

Thanks -Karthik


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 15:39:14 +0000

On Thursday 26 February 2009 15:15:14 kathik kumar wrote:

> Hi,
>
>  Still am facing the issue.

<SNIP>

> [root@linux scripts]$ cat set-key
> #!/bin/setkey -f

<SNIP>

What do you get from "ls -l /bin/setkey"?

Neil


Top    Back


kathik kumar [karthikgiri1984 at gmail.com]


Thu, 26 Feb 2009 21:10:52 +0530

Hi,

[root@mcpisic-linux /bin]$ ls -l /bin/setkey
total 372
-rwxrwxrwx  1 root root   637 Feb 26 07:00 extern.h
-rwxrwxrwx  1 root root 17961 Feb 26 07:00 Makefile
-rwxrwxrwx  1 root root   448 Feb 26 07:00 Makefile.am
-rwxrwxrwx  1 root root 17950 Feb 26 07:00 Makefile.in
-rwxrwxrwx  1 root root 89135 Feb 26 07:00 parse.c
-rwxrwxrwx  1 root root  4491 Feb 26 07:00 parse.h
-rwxrwxrwx  1 root root 34679 Feb 26 07:00 parse.y
-rwxrwxrwx  1 root root  9000 Feb 26 07:00 sample.cf
-rwxrwxrwx  1 root root   342 Feb 26 07:00 sample-policy01.cf
-rwxrwxrwx  1 root root   862 Feb 26 07:00 sample-policy02.cf
-rwxrwxrwx  1 root root  1206 Feb 26 07:00 scriptdump.pl
-rwxrwxrwx  1 root root 20213 Feb 26 07:00 setkey.8
-rwxrwxrwx  1 root root 18557 Feb 26 07:00 setkey.c
-rwxrwxrwx  1 root root 15946 Feb 26 07:00 test-pfkey.c
-rwxrwxrwx  1 root root 88539 Feb 26 07:00 token.c
-rwxrwxrwx  1 root root 10242 Feb 26 07:00 token.l
-rwxrwxrwx  1 root root  1812 Feb 26 07:00 vchar.h
[root@mcpisic-linux /bin]$

Thanks -karthik


Top    Back


Kapil Hari Paranjape [kapil at imsc.res.in]


Thu, 26 Feb 2009 21:20:04 +0530

Hello,

On Thu, 26 Feb 2009, kathik kumar wrote:

>  Still am facing the issue.

I think you missed the content of the previous messages.

> [root@linux /bin]$ ls -ltr setkey

The output of this shows that "setkey" is a directory. What you need to show is a listing of the output of

  ls -l /bin/setkey

It is /sbin/setkey which is invoked by the script

> [root@linux scripts]$ cat set-key
> #!/bin/setkey -f 
> etc.

Finally, from your command-line:

> [root@linux scripts]$ ./set-key

... I deduce that you are trying to execute this script as an ordinary user (not super-user). Since /bin/setkey changes some network parameters it is extremely unlikely that anyone other than the super user is allowed to use this command in the way that you are using it.

Regards,

Kapil. --


Top    Back


Lew Pitcher [lew.pitcher at digitalfreehold.ca]


Thu, 26 Feb 2009 10:53:24 -0500

[text rearranged to show continuity of thread]

On February 26, 2009 10:40:52 kathik kumar wrote:

> Hi,
>
> On Thu, Feb 26, 2009 at 9:09 PM, Neil Youngman <ny@youngman.org.uk> wrote:
> > On Thursday 26 February 2009 15:15:14 kathik kumar wrote:
> > > Hi,
> > >
> > >  Still am facing the issue.
> >
> > <SNIP>
> >
> > > [root@linux scripts]$ cat set-key
> > > #!/bin/setkey -f
> >
> > <SNIP>
> >
> > What do you get from "ls -l /bin/setkey"?
>
> [root@mcpisic-linux /bin]$ ls -l /bin/setkey
> total 372
> -rwxrwxrwx  1 root root   637 Feb 26 07:00 extern.h

[snip]

OK, that proves it.

Your problem is that you've replaced the /bin/setkey program with a directory. Directories are not "executable", and cannot be the target of a hash-bang, so your script, which starts with

 #!/bin/setkey -f
cannot execute the /bin/setkey program (because it doesn't exist), and fails on a "permission error".

I have no easy way to fix this. The only way is to back out your changes: remove the /bin/setkey directory and put back the /bin/setkey program. Then, see what else has been trashed as part of this install, and fix it as well.

HTH

-- 
Lew Pitcher
 
Master Codewright & JOAT-in-training | Registered Linux User #112576
http://pitcher.digitalfreehold.ca/   | GPG public key available by request
----------      Slackware - Because I know what I'm doing.          ------


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 15:55:05 +0000

On Thursday 26 February 2009 15:40:52 kathik kumar wrote:

> Hi,
>
> [root@mcpisic-linux /bin]$ ls -l /bin/setkey
> total 372
> -rwxrwxrwx  1 root root   637 Feb 26 07:00 extern.h
> -rwxrwxrwx  1 root root 17961 Feb 26 07:00 Makefile

<SNIP>

It seems /bin/setkey is a directory, not an executable, so there's little point in trying to use /bin/setkey in the sha-bang. You need to work out where the setkey executable is and use that path. "locate setkey" might find some likely candidates if you have locate set up?

I would also consider moving the setkey directory to someplace other than /bin. It's intended to hold binaries, not directories. I would be inclined to put it under /usr/local/src or in a suitable user's home directory.

Neil


Top    Back


Kapil Hari Paranjape [kapil at imsc.res.in]


Thu, 26 Feb 2009 21:45:08 +0530

Hello

Oops many mistakes in this one!

On Thu, 26 Feb 2009, Kapil Hari Paranjape wrote:

> On Thu, 26 Feb 2009, kathik kumar wrote:
> > [root@linux /bin]$ ls -ltr setkey
> 
> The output of this shows that "setkey" is a directory. What you need
> to show is a listing of the output of
>   ls -l /bin/setkey

In fact you have given us the output of "ls -l setkey" from the /bin directory so this is the same as "ls -l /bin/setkey". This proves that /bin/setkey is a directory.

Directories are not commands to be run.

> It is /sbin/setkey which is invoked by the script
        ^^^^^^^^^^^^
> > [root@linux scripts]$ cat set-key
> > #!/bin/setkey -f 
> > etc.

That was also a mistake on my part. I should have said that it is /bin/setkey which is invoked by the script. Since that is a directory it cannot be invoked as a command and hence the "permission denied" message.

Regards, Kapil. --


Top    Back


Neil Youngman [ny at youngman.org.uk]


Thu, 26 Feb 2009 16:20:53 +0000

On Thursday 26 February 2009 16:06:33 kathik kumar wrote:

> Hi ,
>
>   I have tried with /usr/local/logs

<SNIP>

> [root@linux scripts]$ ls -ltr /usr/local/logs/setkey
> total 372
> -rwxr-xr-x  1 root root  1812 Feb 26 07:57 vchar.h

<SNIP>

> Still am facing the issues... Can you please?

That's obviously a directory as well. In fact it looks like the same directory? Just moving the directory around won't help.

Is there a /usr/local/bin/setkey? If not and locate isn't working, you could use "find / -name setkey -executable -print" to find the executable.

I think you also need to take some time to learn to recognise the differences between files and directories.

HTH

Neil


Top    Back