389-ds.x86_64: W: missing-call-to-setgroups-before-setuid /usr/sbin/ns-slapd This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this means it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
lib389.x86_64: W: non-executable-script /usr/lib/python3.6/site-packages/lib389/clitools/init.py 644 /usr/bin/env python This text file contains a shebang or is located in a path dedicated for executables, but lacks the executable bits and cannot thus be executed. If the file is meant to be an executable script, add the executable bits, otherwise remove the shebang or move the file elsewhere.
389-ds.x86_64: I: binary-or-shlib-calls-gethostbyname /usr/lib64/dirsrv/libslapd.so.0.1.0 The binary calls gethostbyname(). Please port the code to use getaddrinfo().
1.4.0.18 openSUSE Tumbleweed
Metadata Update from @firstyear: - Issue assigned to firstyear
ldap/include/portable.h:244:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n)
ldap/include/portable.h:253:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n)
ldap/include/portable.h:255:#define GETHOSTBYNAME_BUF_T struct hostent_data
ldap/include/portable.h:256:#define GETHOSTBYNAME(n, r, b, l, e) \
ldap/include/portable.h:257: (memset(&b, 0, l), gethostbyname_r(n, r, &b) ? NULL : r)
ldap/include/portable.h:259:#define GETHOSTBYNAME_BUF_T struct hostent_data
ldap/include/portable.h:260:#define GETHOSTBYNAME(n, r, b, l, e) nsldapi_compat_gethostbyname_r(n, r, (char *)&b, l, e)
ldap/include/portable.h:263:typedef char GETHOSTBYNAME_buf_t[BUFSIZ /* XXX might be too small */];
ldap/include/portable.h:264:#define GETHOSTBYNAME_BUF_T GETHOSTBYNAME_buf_t
ldap/include/portable.h:265:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname_r(n, r, b, l, e)
ldap/servers/slapd/tools/ldclt/repcheck.c:108: serveraddr = gethostbyname(argv[optind]);
ldap/servers/slapd/tools/ldclt/repslave.c:254: if ((serveraddr = gethostbyname(hn)) == NULL) {
ldap/servers/slapd/tools/ldclt/repslave.c:277: if ((serveraddr = gethostbyname(argv[optind])) == NULL) {
ldap/servers/slapd/localhost.c:53:#ifdef GETHOSTBYNAME_BUF_T
ldap/servers/slapd/localhost.c:55: GETHOSTBYNAME_BUF_T hbuf;
ldap/servers/slapd/localhost.c:72: hp = GETHOSTBYNAME(hostname, &hent, hbuf, sizeof(hbuf), &err);
ldap/servers/slapd/localhost.c:77: "find_localhost_DNS - gethostbyname(\"%s\") failed, error %d (%s)\n",
ldap/servers/slapd/localhost.c:83: "gethostbyname(\"%s\")->h_name == NULL\n", hostname);
lib/base/dns.cpp:103: err = PR_GetHostByName(myhostname,
lib/base/dns.cpp:123: err = PR_GetHostByName(hn,
lib/base/dnsdmain.cpp:85: /* No, try gethostbyname() */
lib/base/dnsdmain.cpp:86: err = PR_GetHostByName(line,
lib/base/net.cpp:56: err = PR_GetHostByName(
These look like the gethostbyname call sites
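The port that rpmlint asks for at call sites like the ones listed above, as an added example that is not code from 389-ds-base. The helper name `resolve_first` and the sample host are assumptions made for illustration.

```c
#include <netdb.h>
#include <netinet/in.h> /* INET6_ADDRSTRLEN */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * resolve_first() is a hypothetical helper, not 389-ds code.
 * Resolves host and writes the first address, in numeric form, to out.
 * Returns 0 on success or a non-zero EAI_* code for gai_strerror().
 */
int resolve_first(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;     /* IPv4 or IPv6; gethostbyname() is IPv4-only */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address, not one per socket type */

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        return rc;
    }
    /* res is a list owned by this caller, not a shared static struct hostent,
     * so concurrent lookups in other threads cannot overwrite it. */
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    char addr[INET6_ADDRSTRLEN];
    const char *host = argc > 1 ? argv[1] : "127.0.0.1"; /* constructed sample input */
    int rc = resolve_first(host, addr, sizeof(addr));

    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(\"%s\") failed: %s\n", host, gai_strerror(rc));
        return 1;
    }
    printf("%s -> %s\n", host, addr);
    return 0;
}
```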
Metadata Update from @firstyear: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
https://pagure.io/389-ds-base/pull-request/49977
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to review (was: None)
This is now the only remaining issue. The other issues have had fixes merged.
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to None (was: review)
There is an issue with the patch on Fedora:
../389-ds-base/ldap/servers/slapd/main.c: In function ‘main_setuid’:
../389-ds-base/ldap/servers/slapd/main.c:396:17: warning: implicit declaration of function ‘setgroups’; did you mean ‘getgroups’? [-Wimplicit-function-declaration]
             if (setgroups(0, NULL) != 0) {
                 ^~~~~~~~~
                 getgroups
Fixed compiler warning:
3cb911d..487ea32 master -> master
@mreynolds I think that's a missing header declaration. edit: you fixed it! Thanks, so sorry :(
@tbordaz I can reproduce the issue you have now, I'm working on it :)
I already fixed it @tbordaz did you refresh your code base?
@mreynolds, I did the update 3 days ago and I may have missed your fix. Which commit was it?
@mreynolds, even with the above fix there is a permission denied when setgroups is called while not being root (prefix install). I successfully tested the following fix:
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index d175dcdc2..ed75a947c 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -394,7 +394,7 @@ main_setuid(char *username) * * In the future this may change however. */ - if (setgroups(0, NULL) != 0) { + if ((getuid()==0) && setgroups(0, NULL) != 0) { int oserr = errno; slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "setgroups(0, NULL) != 0, error %d (%s)\n",
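Review bot: On the `+` line the guard tests the real UID with getuid(), but whether setgroups() is permitted depends on the effective UID (CAP_SETGID on Linux), so `geteuid() == 0` is the check that matches the EPERM being worked around. When the guard is false the supplementary groups are kept and nothing is logged; a debug-level message on that path, and a sentence in the comment block above the call saying that non-root starts skip it, would make the skip visible. Style: `getuid()==0` wants spaces around `==` and does not need its own parentheses.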
@tbordaz LGTM!
I have a better fix coming soon I think. Just lack time :(
Soon is too late; we always need to be able to run prefix builds and tests. I just returned from PTO and after checking out master could no longer run my tests and had to find this issue and fix (Thierry's fix worked).
So, either we commit Thierry's fix or back out the original patch, which breaks the prefix builds and tests.
@lkrispen The point is more "commit Thierry's fix, and I'll update it later" because I understand it's blocking work. It also means please don't close the ticket, as I still have things to address on it.
Push the fix suggested https://pagure.io/389-ds-base/issue/49975#comment-538051
8566e32..a784a4e master -> master
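The drop order the rpmlint warning in this ticket asks for (setgroups, then setgid, then setuid), with the non-root prefix-install case from the thread handled, as an added example that is not the code merged into 389-ds-base. The helper names `drop_privileges` and `supplementary_group_count` are assumptions made for illustration.

```c
#include <errno.h>
#include <grp.h> /* declares setgroups(); without it: the implicit-declaration warning */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Supplementary groups currently held by the process, or -1 on error. */
int supplementary_group_count(void)
{
    return getgroups(0, NULL);
}

/*
 * drop_privileges() is a hypothetical helper, not 389-ds code.
 * Returns 0 on success, -1 with errno set on failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs privilege; a non-root start (prefix install) would
     * get EPERM, so it is only called when the effective UID is root. */
    if (geteuid() == 0) {
        /* 1. Clear inherited supplementary groups while still privileged. */
        if (setgroups(0, NULL) != 0)
            return -1;
    } else if (uid != getuid() || gid != getgid()) {
        /* Unprivileged and asked to become another identity: refuse. */
        errno = EPERM;
        return -1;
    }
    /* 2. Group before user: after setuid() the gid can no longer change. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User last. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify the result rather than trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int rc = drop_privileges(getuid(), getgid());
    int groups = supplementary_group_count();
    printf("drop rc=%d, supplementary groups left=%d\n", rc, groups);
    return rc == 0 ? 0 : 1;
}
```

Started as root, the process ends with no supplementary groups; started as an ordinary user, it keeps the groups it already had, since nothing was elevated.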
Metadata Update from @tbordaz: - Issue set to the milestone: 1.3.9
This ticket is fixed since 1.3.9.
Metadata Update from @tbordaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3034
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)