389-ds-base

Clone
Source Code
GIT

#49977 Resolve rpmlint issues found by SUSE
Closed 3 years ago by spichugi. Opened 5 years ago by firstyear.
firstyear/389-ds-base 49975-setgid-setuid  into  master

file modified
+16 
@@ -384,6 +384,22 @@ 
 

              slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "getpwnam(%s) == NULL, error %d (%s)\n",
 

                            username, oserr, slapd_system_strerror(oserr));
 

          } else {
 

+             /*
 

+              * According to https://pagure.io/389-ds-base/issue/49975 and
 

+              * POS36-C. Observe correct revocation order while relinquishing privileges
 

+              * setgroups must be called to ensure our supplemental group list is
 

+              * correctly limited. Because we only care about our single group
 

+              * dirsrv for the target user, we set that.
 

+              *
 

+              * In the future this may change however.
 

+              */
 

+             if (setgroups(0, NULL) != 0) {
 

+                 int oserr = errno;
 

+ 

+                 slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "setgroups(0, NULL) != 0, error %d (%s)\n",
 

+                               oserr, slapd_system_strerror(oserr));
 

+                 return -1;
 

+             }
 

              if (setgid(pw->pw_gid) != 0) {
 

                  int oserr = errno;

file modified
-2 
@@ -1,5 +1,3 @@ 
 

- #!/usr/bin/env python
 

- 

  # --- BEGIN COPYRIGHT BLOCK ---
 

  # Copyright (C) 2015 Red Hat, Inc.
 

  # All rights reserved.

file modified
+2 -1 
@@ -226,6 +226,7 @@ 
 

                   'sysconf_dir': ds_paths.sysconf_dir,
 

                   'data_dir': ds_paths.data_dir,
 

                   'local_state_dir': ds_paths.local_state_dir,
 

+                  'ldapi' : ds_paths.ldapi,
 

                   'lib_dir': ds_paths.lib_dir,
 

                   'run_dir': ds_paths.run_dir,
 

                   'tmp_dir': ds_paths.tmp_dir,
 
@@ -781,7 +782,7 @@ 
 

              ds_instance.backends.create(properties=backend)
 

  

          # Initialise ldapi socket information. IPA expects this ....
 

-         ldapi_path = slapd['run_dir'].replace('dirsrv', 'slapd-' + slapd['instance_name'] + '.socket')
 

+         ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
 

          ds_instance.config.set('nsslapd-ldapifilepath', ldapi_path)
 

          ds_instance.config.set('nsslapd-ldapilisten', 'on')
 

          ds_instance.config.set('nsslapd-ldapiautobind', 'on')

The package maintainer at SUSE kindly pointed out a number of issues
detected by rpmlint. Of the three issues, this resolves two of them.

The first is calling setgroups with an empty group list before setgid
so that we guarantee we only have the target user group remaining
in our permission set when we drop privileges. The second is to remove
a superfluous shebang line from python

https://pagure.io/389-ds-base/issue/49975

ack

Thanks mate, I'll rebase and merge when I get back to my laptop :)

rebased onto e1c693d
5 years ago

Pull-Request has been merged by firstyear
5 years ago

The problem with this change is that it breaks the ability to run tests on prefix install
There is this error during setup-ds

[22/Oct/2018:12:48:42.484536797 +0200] - ERR - main_setuid - setgroups(0, NULL) != 0, error 1 (Operation not permitted)

@tbordaz Are you running the tests are root or as a user? We should probably handle this case correctly if startup user != root then, and this matters in cntainers too.

Edited 5 years ago by firstyear

Right in prefix install (and in container as well if I understand correctly) the server is started by a regular user. Testing being root, before calling setgroups, looks good to me

@tbordaz Okay, I'm sorry I broke this. I will endeavour to correct it asap. I actually honestly didn't think this feature worked!

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3036

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi
3 years ago
Metadata
None
No Tags
Changes Summary 3
+16 -0
file changed
ldap/servers/slapd/main.c
+0 -2
file changed
src/lib389/lib389/clitools/__init__.py
+2 -1
file changed
src/lib389/lib389/instance/setup.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.