#49975 Various issues from rpmlint found in the openSUSE builds
Closed: wontfix 5 years ago by tbordaz. Opened 5 years ago by darix.

Issue Description

389-ds.x86_64: W: missing-call-to-setgroups-before-setuid /usr/sbin/ns-slapd
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

lib389.x86_64: W: non-executable-script /usr/lib/python3.6/site-packages/lib389/clitools/init.py 644 /usr/bin/env python
This text file contains a shebang or is located in a path dedicated for
executables, but lacks the executable bits and cannot thus be executed. If
the file is meant to be an executable script, add the executable bits,
otherwise remove the shebang or move the file elsewhere.

389-ds.x86_64: I: binary-or-shlib-calls-gethostbyname /usr/lib64/dirsrv/libslapd.so.0.1.0
The binary calls gethostbyname(). Please port the code to use getaddrinfo().

Package Version and Platform

1.4.0.18
openSUSE Tumbleweed


Metadata Update from @firstyear:
- Issue assigned to firstyear

5 years ago
ldap/include/portable.h:244:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n)
ldap/include/portable.h:253:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n)
ldap/include/portable.h:255:#define GETHOSTBYNAME_BUF_T struct hostent_data
ldap/include/portable.h:256:#define GETHOSTBYNAME(n, r, b, l, e) \
ldap/include/portable.h:257:    (memset(&b, 0, l), gethostbyname_r(n, r, &b) ? NULL : r)
ldap/include/portable.h:259:#define GETHOSTBYNAME_BUF_T struct hostent_data
ldap/include/portable.h:260:#define GETHOSTBYNAME(n, r, b, l, e) nsldapi_compat_gethostbyname_r(n, r, (char *)&b, l, e)
ldap/include/portable.h:263:typedef char GETHOSTBYNAME_buf_t[BUFSIZ /* XXX might be too small */];
ldap/include/portable.h:264:#define GETHOSTBYNAME_BUF_T GETHOSTBYNAME_buf_t
ldap/include/portable.h:265:#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname_r(n, r, b, l, e)
ldap/servers/slapd/tools/ldclt/repcheck.c:108:    serveraddr = gethostbyname(argv[optind]);
ldap/servers/slapd/tools/ldclt/repslave.c:254:            if ((serveraddr = gethostbyname(hn)) == NULL) {
ldap/servers/slapd/tools/ldclt/repslave.c:277:        if ((serveraddr = gethostbyname(argv[optind])) == NULL) {
ldap/servers/slapd/localhost.c:53:#ifdef GETHOSTBYNAME_BUF_T
ldap/servers/slapd/localhost.c:55:    GETHOSTBYNAME_BUF_T hbuf;
ldap/servers/slapd/localhost.c:72:    hp = GETHOSTBYNAME(hostname, &hent, hbuf, sizeof(hbuf), &err);
ldap/servers/slapd/localhost.c:77:                      "find_localhost_DNS - gethostbyname(\"%s\") failed, error %d (%s)\n",
ldap/servers/slapd/localhost.c:83:                      "gethostbyname(\"%s\")->h_name == NULL\n", hostname);
lib/base/dns.cpp:103:        err =  PR_GetHostByName(myhostname,
lib/base/dns.cpp:123:           err = PR_GetHostByName(hn,
lib/base/dnsdmain.cpp:85:       /* No, try gethostbyname() */
lib/base/dnsdmain.cpp:86:       err = PR_GetHostByName(line,
lib/base/net.cpp:56:    err = PR_GetHostByName(

These look like the gethostbyname call sites

Metadata Update from @firstyear:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: None)

5 years ago

389-ds.x86_64: I: binary-or-shlib-calls-gethostbyname /usr/lib64/dirsrv/libslapd.so.0.1.0
The binary calls gethostbyname(). Please port the code to use getaddrinfo().

This is now the only remaining issue. The other issues have had fixes merged.

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to None (was: review)

5 years ago

There is an issue with the patch on Fedora:

../389-ds-base/ldap/servers/slapd/main.c: In function ‘main_setuid’:
../389-ds-base/ldap/servers/slapd/main.c:396:17: warning: implicit declaration of function ‘setgroups’; did you mean ‘getgroups’? [-Wimplicit-function-declaration]
             if (setgroups(0, NULL) != 0) {
                 ^~~~~~~~~
                 getgroups

Fixed compiler warning:

3cb911d..487ea32 master -> master

@mreynolds I think that's a missing header declaration. edit: you fixed it! Thanks, so sorry :(

@tbordaz I can reproduce the issue you have now, I'm working on it :)

I already fixed it @tbordaz did you refresh your code base?

@mreynolds, I did the update 3 days ago and I may have missed your fix. Which commit was it ?

@mreynolds, I did the update 3 days ago and I may have missed your fix. Which commit was it ?

3cb911d..487ea32 master -> master

@mreynolds, even with the above fix there is a permission denied when setgroups is called while not being root (prefix install). I successfully tested the following fix

diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d175dcdc2..ed75a947c 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -394,7 +394,7 @@ main_setuid(char *username)
          *
          * In the future this may change however.
          */
-            if (setgroups(0, NULL) != 0) {
+            if ((getuid()==0) && setgroups(0, NULL) != 0) {
             int oserr = errno;

             slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "setgroups(0, NULL) != 0, error %d (%s)\n",

I have a better fix coming soon I think. Just lack time :(

I have a better fix coming soon I think. Just lack time :(

soon is too late, we always need to be able to run prefix builds and tests. I just returned from PTO and after checking out master could no longer run my tests and had to find this issue and fix (thierry's fix worked)

So, either we commit Thierry's fix or backout the original patch which breaks the prefix builds and tests

@lkrispen The point is more "commit thierry's fix, and I'll update it later" because I understand it's blocking work. It also means please don't close the ticket as still have things to address on it.

Metadata Update from @tbordaz:
- Issue set to the milestone: 1.3.9

5 years ago

This ticket is fixed since 1.3.9.

Metadata Update from @tbordaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3034

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago

Login to comment on this ticket.

Metadata