Debian Bug report logs - #130006
libnss-ldap: does not protect host program from signals, therefore causing it to abort or worse


Package: libnss-ldap; Maintainer for libnss-ldap is Debian QA Group <packages@qa.debian.org>; Source for libnss-ldap is src:libnss-ldap (PTS, buildd, popcon).

Reported by: Henrique de Moraes Holschuh <hmh@debian.org>

Date: Sat, 19 Jan 2002 20:33:03 UTC

Severity: critical

Found in version 174-1

Fixed in version libnss-ldap/184-1

Done: Sami Haahtinen <ressu@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
New Bug report received and forwarded. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnss-ldap: does not protect host program from signals, therefore causing it to abort or worse
Date: Sat, 19 Jan 2002 18:30:49 -0200
[Message part 1 (text/plain, inline)]
Package: libnss-ldap
Version: 174-1
Severity: critical
Justification: breaks unrelated software (anything using an ldap nss map)

Well, this is a damn serious bug but unfortunately I ran out of time to
further debug it today. I am reporting it right now more as a heads-up
measure than anything else.

How to reproduce:
(maybe useful notes: nscd package installed, but not running)

1. Set something in nsswitch.conf to use the ldap map.
2. Make sure the ldap server you configured libnss-ldap.conf for is NOT
   running (or that it will drop the connection in the middle of the
   transaction).
3. Try to get something from that map, e.g. using getent.
4. Watch the program get a sigpipe that was meant for
   libnss_ldap.so. An strace is very enlightening.

I have reproduced it here with su(!), when using the pam_wheel pam module. I
had "group: files ldap" in /etc/nsswitch.conf, and suddenly I could not su
to root anymore. The sigpipe would kill su, since it does not trap it. A
program that trapped the sigpipe would receive it from an unexpected
source. A sigpipe handler issuing a libnss_ldap request might cause a
lot of trouble too.

Attached you will find an strace of the attempt to run su with a "ldap"
entry for the nss map "group", with pam_wheel in su's pam config.

An idea for a fix would be to make sure libnss saves the signal handling
state on entry, sets them all to sig_ignore or handles them all by causing a
normal nss error later, and then restores the signal handling state.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux khazad-dum 2.4.18-pre3-k7 #1 Dom Jan 13 01:00:51 BRST 2002 i686
Locale: LANG=pt_BR, LC_CTYPE=pt_BR

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
[foo.strace (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #10 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: 130006@bugs.debian.org
Subject: Re: Bug#130006: Acknowledgement (libnss-ldap: does not protect host program from signals, therefore causing it to abort or worse)
Date: Sat, 19 Jan 2002 18:54:42 -0200
This bug appears to be related to (or the same as) #92199. The severity of
the problem is downplayed in 92199's severity, though (IMHO).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to lukeh@PADL.COM:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #15 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Luke Howard <lukeh@padl.com>
To: ressu@ressukka.net
Cc: nssldap@padl.com, ldap-nis@padl.com, hmh@debian.org, 130006@bugs.debian.org
Subject: Re: [nssldap] Interesting bug report.. can someone verify
Date: Sun, 20 Jan 2002 09:14:39 +1100
[please move to nssldap list]

Sami,

Search for SIGPIPE in ldap-nss.c. nss_ldap is supposed to save the signal
mask, block SIGPIPE, call getpeername() on the LDAP socket, and then
restore the signal mask. If getpeername() fails, then it closes the
LDAP socket. In this case, it appears that getpeername() succeeds,
which suggests that perhaps it's not the right test. Patches welcome.

Can you try testing with nss_ldap configured with --enable-no-so-keepalive?

lukeh@padl/au[29]% ./configure --help|grep keepalive
  --enable-no-so-keepalive  disable SO_KEEPALIVE

regards,

-- Luke

>From: ressu@ressukka.net (Sami Haahtinen)
>Subject: [ldap-nis] Interesting bug report.. can someone verify
>To: ldap-nis@padl.com
>Date: Sat, 19 Jan 2002 23:21:34 +0200
>
>Well, this just popped in to my mail from debianBTS, looks pretty
>serious, and I think I've seen this one somewhere before..
>
>-- 
>			  -< Sami Haahtinen >-
>      -[ Is it still a bug, if we have learned to live with it? ]-
>	-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-
>
>

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com



Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@netexpress.net>:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #20 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@netexpress.net>
To: Luke Howard <lukeh@PADL.COM>
Cc: nssldap@PADL.COM, 130006@bugs.debian.org
Subject: Re: [nssldap] Interesting bug report.. can someone verify
Date: Sat, 19 Jan 2002 23:36:27 -0600
[Message part 1 (text/plain, inline)]
On Sun, Jan 20, 2002 at 09:14:39AM +1100, Luke Howard wrote:

> Search for SIGPIPE in ldap-nss.c. nss_ldap is supposed to save the signal
> mask, block SIGPIPE, call getpeername() on the LDAP socket, and then
> restore the signal mask. If getpeername() fails, then it closes the
> LDAP socket. In this case, it appears that getpeername() succeeds,
> which suggests that perhaps it's not the right test. Patches welcome.

> Can you try testing with nss_ldap configured with --enable-no-so-keepalive?

> lukeh@padl/au[29]% ./configure --help|grep keepalive
>   --enable-no-so-keepalive  disable SO_KEEPALIVE

I talked with Henrique about this briefly today on IRC.  At the time, he 
mentioned only being able to kill apps with a SIGPIPE by shutting down 
the LDAP server.  According to write(2) on Linux, a SIGPIPE will be
generated whenever a program attempts to write to a socket whose remote 
end has shut down; therefore, I believe the signal needs to be ignored 
whenever nss_ldap is initiating a network operation.

HTH,
Steve Langasek
postmodern programmer


Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to lukeh@PADL.COM:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #25 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Luke Howard <lukeh@padl.com>
To: vorlon@netexpress.net
Cc: nssldap@padl.com, 130006@bugs.debian.org
Subject: Re: [nssldap] Interesting bug report.. can someone verify
Date: Sun, 20 Jan 2002 21:52:17 +1100
>I talked with Henrique about this briefly today on IRC.  At the time, he 
>mentioned only being able to kill apps with a SIGPIPE by shutting down 
>the LDAP server.  According to write(2) on Linux, a SIGPIPE will be
>generated whenever a program attempts to write to a socket whose remote 
>end has shut down; therefore, I believe the signal needs to be ignored 
>whenever nss_ldap is initiating a network operation.

OK, please try nss_ldap-181 and see whether this fixes the problem.


regards,

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com



Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #30 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: Luke Howard <lukeh@padl.com>
Cc: ressu@ressukka.net, nssldap@padl.com, ldap-nis@padl.com, 130006@bugs.debian.org
Subject: Re: [nssldap] Interesting bug report.. can someone verify
Date: Sun, 20 Jan 2002 12:30:26 -0200
[Message part 1 (text/plain, inline)]
Hello,

Thanks for the prompt response about this bug! (I am the submitter).

I have applied the changes between 174 and 181 to a local copy of the Debian
nss-ldap package, and tried to reproduce the bug.

It is still there, but behaviour changed. I have included with this message
two straces, one where I call a simple /bin/su - (as root) where the fix
works, and another where I call /bin/su - user -c /bin/su - and the fix does
not work.

I can reproduce the bug doing a simple /bin/su - as a normal user (but since
I don't have strace suid root, I did the double su trick above to get the
strace).  Interestingly enough, I cannot reproduce the bug anymore using
getent group.

PAM config for su included too, for reference. The test was done by
requesting a "ldap files" lookup in nsswitch.conf, again with the LDAP
server down (server in 127.0.0.1).

As an additional just-in-case comment to the reports, sigpipe must be
caught/ignored whenever nss-ldap will do any kind of write IO in Linux.
Protecting the opening of the connection is not enough. The write syscalls
will return -EPIPE if a sigpipe is thrown (and ignored or handled).  I did
not read the 180 -> 181 patch to verify if that is what is done in the fix,
btw.

PS: all passwords in the strace are not current anymore ;-)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
[su (text/plain, attachment)]
[su.strace.181 (text/plain, attachment)]
[su.strace.181.ok (text/plain, attachment)]
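
The guard discussed in the messages above (ignore SIGPIPE around each write, let the write fail with EPIPE, then restore the host program's own disposition), as an added example that is not nss_ldap's code and not part of the original messages. The names `guarded_write` and `demo_dead_peer`, and the socketpair standing in for the LDAP connection, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: write with SIGPIPE ignored, then restore the host
 * program's own disposition. A dead peer shows up as -1 with errno == EPIPE. */
ssize_t guarded_write(int fd, const void *buf, size_t len)
{
    struct sigaction ign, saved;
    ssize_t n;
    int err;

    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    if (sigaction(SIGPIPE, &ign, &saved) != 0)   /* save state on entry */
        return -1;

    do {
        n = write(fd, buf, len);
    } while (n < 0 && errno == EINTR);
    err = errno;

    sigaction(SIGPIPE, &saved, NULL);            /* restore state on exit */
    errno = err;
    return n;
}

static volatile sig_atomic_t host_sigpipe_hits = 0;
static void host_handler(int sig) { (void)sig; host_sigpipe_hits++; }

/* Constructed scenario: a socketpair stands in for the LDAP connection and
 * the "server" end is closed before the write. Returns the errno seen by the
 * caller, or -1 if the host's handler was disturbed or setup failed. */
int demo_dead_peer(void)
{
    int sv[2], err;
    struct sigaction host, now;
    ssize_t n;

    memset(&host, 0, sizeof host);
    host.sa_handler = host_handler;              /* the host traps SIGPIPE */
    sigemptyset(&host.sa_mask);
    if (sigaction(SIGPIPE, &host, NULL) != 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]);                                /* server goes away */

    n = guarded_write(sv[0], "search request", 14);
    err = errno;
    close(sv[0]);

    if (sigaction(SIGPIPE, NULL, &now) != 0 || now.sa_handler != host_handler ||
        n != -1 || host_sigpipe_hits != 0)
        return -1;                               /* handler lost or signal leaked */
    return err;
}

int main(void)
{
    return demo_dead_peer() == EPIPE ? 0 : 1;
}
```

Changing the process-wide disposition is not safe if another thread writes to a pipe or socket at the same moment; on Linux, `send()` with `MSG_NOSIGNAL` suppresses the signal per call without touching shared state.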

Information forwarded to debian-bugs-dist@lists.debian.org, Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org:
Bug#130006; Package libnss-ldap. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@netexpress.net>:
Extra info received and forwarded to list. Copy sent to Sami Haahtinen <ressu@debian.org>, libnss-ldap@packages.qa.debian.org. (full text, mbox, link).


Message #35 received at 130006@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@netexpress.net>
To: Luke Howard <lukeh@padl.com>
Cc: nssldap@padl.com, 130006@bugs.debian.org
Subject: Re: [nssldap] Interesting bug report.. can someone verify
Date: Sun, 20 Jan 2002 15:29:26 -0600
[Message part 1 (text/plain, inline)]
On Sun, Jan 20, 2002 at 09:52:17PM +1100, Luke Howard wrote:

> >I talked with Henrique about this briefly today on IRC.  At the time, he 
> >mentioned only being able to kill apps with a SIGPIPE by shutting down 
> >the LDAP server.  According to write(2) on Linux, a SIGPIPE will be
> >generated whenever a program attempts to write to a socket whose remote 
> >end has shut down; therefore, I believe the signal needs to be ignored 
> >whenever nss_ldap is initiating a network operation.

> OK, please try nss_ldap-181 and see whether this fixes the problem.

I'll defer to Henrique on this, since I haven't been able to reproduce
the original problem here.

Steve Langasek
postmodern programmer

Reply sent to Sami Haahtinen <ressu@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #40 received at 130006-close@bugs.debian.org (full text, mbox, reply):

From: Sami Haahtinen <ressu@debian.org>
To: 130006-close@bugs.debian.org
Subject: Bug#130006: fixed in libnss-ldap 184-1
Date: Sat, 16 Feb 2002 15:18:36 -0500
We believe that the bug you reported is fixed in the latest version of
libnss-ldap, which has been installed in the Debian FTP archive:

libnss-ldap_184-1.diff.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_184-1.diff.gz
libnss-ldap_184-1.dsc
  to pool/main/libn/libnss-ldap/libnss-ldap_184-1.dsc
libnss-ldap_184-1_i386.deb
  to pool/main/libn/libnss-ldap/libnss-ldap_184-1_i386.deb
libnss-ldap_184.orig.tar.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_184.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 130006@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sami Haahtinen <ressu@debian.org> (supplier of updated libnss-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 16 Feb 2002 12:35:19 +0200
Source: libnss-ldap
Binary: libnss-ldap
Architecture: source i386
Version: 184-1
Distribution: unstable
Urgency: low
Maintainer: Sami Haahtinen <ressu@debian.org>
Changed-By: Sami Haahtinen <ressu@debian.org>
Description: 
 libnss-ldap - NSS module for using LDAP as a naming service
Closes: 92199 130006 133398
Changes: 
 libnss-ldap (184-1) unstable; urgency=low
 .
   * New upstream release
   * Improved SIGPIPE handling (Closes: #130006,#92199)
   * Rebuild fixes bug 133398 (Closes: #133398)
Files: 
 0cf4e25d585a3a46ec1f0436bea505e2 651 net extra libnss-ldap_184-1.dsc
 ae5c73e8a8b7b0cfdb6ecc851f292d3d 178950 net extra libnss-ldap_184.orig.tar.gz
 7833c74e679dad522bfab1e68a772e11 29868 net extra libnss-ldap_184-1.diff.gz
 74d0247ee265445617daa199309231cf 64272 net extra libnss-ldap_184-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8bjdAqbb3MLg9dhwRAnMhAJ4sd+mlAH1B/stz3yCl5sL1KbyI8gCgzKv7
ld5al7XAEqRAStReDPHRO38=
=LpY9
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jul 3 04:54:38 2024; Machine Name: buxtehude
