Keepalived_vrrp: Unsafe permissions found for script 'xxx.sh' - disabling

arvin · February 24, 2021, 2:42am

Hi,

I got a problem when using vrrp with health-check script, the log is as follows:

Keepalived_vrrp[10096]:Starting SNMP subagent
Keepalived_vrrp[10096]:NET-SNMP version 5.7.3 AgentX subagent connected
**Keepalived_vrrp[10096]:Unsafe permissions found for script '/config/scripts/vrrp-check.sh' - disabling.**
**Keepalived_vrrp[10096]:Disabling track script** healthcheck_OUTERSIDE due to insecure
Keepalived_vrrp[10096]:Registering gratuitous ARP shared channel
...

github.com/acassen/keepalived

Unsafe permissions found for script

opened 06:13PM - 19 Apr 18 UTC

closed 06:43PM - 19 Apr 18 UTC

1stone

Package: keepalived Version: 1:1.3.2-1 Keepalived complains about `Unsafe pe…rmissions found for script` but does not say **what** is unsafe with that. Nor can I find any documentation describing the requirements for _notify_ or _misc_ scripts to pass this test. In my particular case keepalived says: ``` Unsafe permissions found for script '/usr/local/bin/vrrp.sh MASTER VI_1'. Disabling notify script /usr/local/bin/vrrp.sh MASTER VI_1 due to insecure ``` ``` # ls -al /usr/local/bin drwxr-sr-t 2 root staff 4096 Jul 24 2016 . drwxrwsr-x 10 root staff 4096 Nov 28 2013 .. -rwxr-xr-x 1 root root 132 May 3 2005 /usr/local/bin/vrrp.sh ```

This issue said it should set ‘enable_script_security’ in global_defs section in keepalived.conf, but it does not work. My configuration of global_defs is as follows:

global_defs {
    dynamic_interfaces
    script_user root
    enable_script_security
    notify_fifo /run/keepalived_notify_fifo
    notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}

VRRP configuration is as follows:
Master node:
group INSIDE {
    interface eth2
    no-preempt
    priority 200
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTERSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 200
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTERSIDE
}

backup node:
group INSIDE {
    interface eth2
    no-preempt
    priority 50
    virtual-address 10.1.4.3/24
    vrid 20
}
group OUTSIDE {
    health-check {
        failure-count 1
        interval 30
        script /config/scripts/vrrp-check.sh
    }
    interface eth1
    no-preempt
    priority 50
    transition-script {
        backup /config/scripts/dmvpn-backup.sh
        fault /config/scripts/dmvpn-backup.sh
        master /config/scripts/dmvpn-master.sh
    }
    virtual-address 33.1.4.6/24
    vrid 10
}
sync-group MAIN {
    member INSIDE
    member OUTSIDE
}

ls -al /config/scripts
-rwxr-xr-x 1 root vyattacfg 24 Feb 23 02:10 dmvpn-backup.sh
-rwxr-xr-x 1 root vyattacfg 131 Feb 23 06:46 dmvpn-master.sh
-rwxr-xr-x 1 root vyattacfg 254 Feb 23 08:24 vrrp-check.sh
-rwxr-xr-x 1 root vyattacfg 230 Jan 26 04:29 vyos-postconfig-bootup.script

vyos version:vyos-1.3-beta-202101260443-amd64

The scripts work fine with command mode. Really appreciate if you have any ideas.

Best regards,
Arvin

arvin · February 24, 2021, 8:24am

I test the latest 1.3 which is built from souce code, it has the same problem.

arvin · February 25, 2021, 7:05am

It looks like the transition-script works fine but health-check script is not.

arvin · February 25, 2021, 10:09am

Please ignore this issue, the program works fine.

system · February 27, 2021, 10:09am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.