Bug 188298

Summary: /etc/init.d/ldap creates an unnecessary script in /tmp which can't execute if /tmp is mounted with noexec/nosuid options
Product: Fedora
Component: openldap
Version: 5
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: Security
Reporter: Sam Azer <sam>
Assignee: Jan Safranek <jsafrane>
Doc Type: Bug Fix
Last Closed: 2007-06-08 11:53:35 UTC

Description Sam Azer 2006-04-07 18:19:04 UTC
Description of problem:

/etc/init.d/ldap creates a script in /tmp. It's not a particularly necessary
script, i.e. running service ldap restart produces the following script:

   File: /tmp/start-slapd.f31856
Content: exec /usr/sbin/slapd -h "ldap:///" -u ldap

This works fine for a standard linux install, but when /etc/fstab is modified to
block execution of scripts in /tmp as a security precaution, the
/etc/init.d/fstab script fails. It's not a big deal to build the command line
using an in-memory variable instead of using an executable script.

Version-Release number of selected component (if applicable):

openldap-2.3.19-4


How reproducible:

To see this bug, you need a system with /tmp mounted as a separate partition.
The idea is, for added system security, to remount the partition using the
noexec and nosuid options. This prevents malicious users who find a way into the
system (often by uploading scripts through Apache into the /tmp tree) from
executing any scripts that they manage to load there.


Steps to Reproduce:

On a system with /tmp mounted as a separate partition:

1. In /etc/fstab, change the /tmp line to include the noexec/nosuid options,
like this:

/dev/vg1/lv0 /tmp ext3 rw,noexec,nosuid  1 2

2. Next, remount the partition:

mount -o remount /tmp

3. Next, try to restart the OpenLDAP service:

service ldap restart

Actual results:

"Permission Denied"; OpenLDAP fails to start

Expected results:

OpenLDAP should restart normally

Additional info:

There may be other scripts in the system that try to execute code in /tmp, so
I've added the code below to /etc/init.d/functions. The original code, at line
177, is this:

        # And start it up.
        if [ -z "$user" ]; then
           $nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*"
        else
           $nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*"
        fi

The update, replacing the above code, is this:

        ##################################################################
        ## 2006.Apr.07 SA: updated patch to handle service ldap start bug
        ##                 The /etc/init.d/ldap script builds a script in
        ##                 /tmp which should be mounted using noexec &
        ##                 nosuid for added security. Solution: don't build
        ##                 scripts in /tmp. However, for now, we can
        ##                 detect such scripts, run them with BASH and
        ##                 emit an appropriate warning to the sysadmin.
        ##################################################################

        # If the command to run is a file under /tmp, hand it to bash
        # explicitly so it runs even when /tmp is mounted noexec.
        CMD2EXEC=$*
        if echo "$CMD2EXEC" | grep -q "^/tmp"
        then
           CMD2EXEC="/bin/bash $CMD2EXEC"
           echo
           echo
           echo
           echo
           echo "############################################################################"
           echo "WARNING: Attempting to run a script in /tmp:"
           echo "   File: $*"
           echo "Content:" `cat $*`
           echo "Please update your system script to avoid using /tmp for anything executable"
           echo "############################################################################"
           echo
           echo
           echo
           echo
        fi

        # And start it up.
        if [ -z "$user" ]; then
           $nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $CMD2EXEC"
        else
           $nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $CMD2EXEC"
        fi


I hope this helps,
Thank you,
Sam.

Comment 1 Sam Azer 2006-04-07 18:57:26 UTC
One possible solution to the specific issue in the ldap script is to move the
script from /tmp to /var/tmp. Specifically, in the /etc/init.d/ldap file on line
147, which currently reads:

        wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`

We can change the name of the directory to /var/tmp as follows:

        wrapper=`mktemp ${TMP:-/var/tmp}/start-slapd.XXXXXX`

This solves the problem for /etc/init.d/ldap; it is now able to function
correctly in an environment where no scripts are allowed to execute in /tmp.
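The description's workaround and this comment's move to /var/tmp both hinge on knowing whether the wrapper's directory is mounted noexec. As an added example (not the reporter's code or the openldap package's), here is a POSIX sh check an init script could use to detect that condition from the mount table and choose a fallback directory; the mount table is a constructed /proc/mounts-style sample, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the report or the openldap package): detect
# whether a directory sits on a noexec filesystem before writing an
# executable wrapper there, and pick a fallback directory if it does.
# The mount table is passed in explicitly so this runs offline against
# the constructed sample below; live, pass "$(cat /proc/mounts)" instead.

# Print the mount options of the filesystem holding DIR. The longest
# matching mount point wins, so /tmp beats / for /tmp/start-slapd.XXXXXX.
# usage: mount_opts_for DIR MOUNT_TABLE
mount_opts_for() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        {
            mnt = $2
            if (mnt == "/" || dir == mnt || index(dir, mnt "/") == 1) {
                if (length(mnt) > length(best)) { best = mnt; opts = $4 }
            }
        }
        END { print opts }'
}

# Succeed when DIR's filesystem carries mount option OPT (noexec, nosuid, ...).
# usage: has_mount_opt DIR OPT MOUNT_TABLE
has_mount_opt() {
    case ",$(mount_opts_for "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the first candidate directory that is not mounted noexec; fail if none.
# usage: pick_exec_tmpdir MOUNT_TABLE DIR...
pick_exec_tmpdir() {
    table=$1
    shift
    for d in "$@"; do
        if ! has_mount_opt "$d" noexec "$table"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Constructed sample in /proc/mounts format: /tmp is a separate partition
# remounted noexec,nosuid as in the report; / and /var are not.
SAMPLE_MOUNTS='/dev/mapper/vg1-lv0 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw 0 0'
```

An init script would then do wrapper=`mktemp "$(pick_exec_tmpdir "$(cat /proc/mounts)" "${TMP:-/tmp}" /var/tmp)/start-slapd.XXXXXX"`, although, as the report says, the cleaner fix is to hold the command in a variable and write no executable file at all.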


Comment 2 Jan Safranek 2007-06-08 11:53:35 UTC
Fixed in openldap-2.3.34-3.fc8