Bug 738768

Summary: initscript marked as %config incorrectly
Product: Red Hat Enterprise Linux 5
Reporter: Don Hoover <donhoover>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6
CC: jplans, jvcelak, omoris, ovasik, tsmetana
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openldap-2.3.43-23.el5
Doc Type: Bug Fix
Doc Text:
- openldap-servers installed, manual modification of ldap initscript performed
- when the package is upgraded, ldap init script is not overwritten by the new version because the initscript is incorrectly marked as a configuration file
- updated specfile to reflect that ldap initscript is not a configuration file
- upgrade of openldap-servers package will overwrite ldap initscript with a new version when there were some local modifications
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 05:29:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Don Hoover 2011-09-15 18:20:11 UTC
Description of problem:
On a recent update to RHEL 5.6, which installed openldap-servers-2.3.43-12.el5_6.5.i386, a new problem was created.

The new init script now EXPECTS /tmp to be executable, which is very poor programming practice.  

In almost every 'harden your linux' guide in existence from CIS to Bastille, one of the recommendations is to mount /tmp with noexec.  

This is because not only is it handy for mr 'ldap init script writer', it is also one of the single most common places for worms and other nastiness to create self-executing stuff.

Version-Release number of selected component (if applicable):
openldap-servers-2.3.43-12.el5_6.5.i386

How reproducible:
Try to startup ldap (slapd) with /tmp mounted with noexec, and it will fail because it wants to create a temporary script and self-execute.

Steps to Reproduce:
1. mount /tmp with noexec
2. service ldap start
3. profit!
  
Actual results:


Expected results:
No one would be silly enough to create a script in /tmp and expect it to be executable.  :)

Additional info:

Comment 1 Jan Vcelak 2011-09-16 12:19:59 UTC
There were no recent changes in the ldap initscript. And looking into the source, I cannot see the place where it might happen. And I do not manage to reproduce it either.

[root@rhel5 ~]# rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_6.5
[root@rhel5 ~]# rpm -qV openldap-servers
S.5....T  c /etc/openldap/slapd.conf
[root@rhel5 ~]# service ldap status
slapd is stopped
[root@rhel5 ~]# mount | grep /tmp
/dev/null on /tmp type tmpfs (rw,noexec)
[root@rhel5 ~]# ll /tmp/script.sh 
-rwxr-xr-x 1 root root 23 Sep 16 13:58 /tmp/script.sh
[root@rhel5 ~]# /tmp/script.sh 
-bash: /tmp/script.sh: /bin/bash: bad interpreter: Permission denied
[root@rhel5 ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[root@rhel5 ~]# service ldap status
slapd (pid 3419) is running...
[root@rhel5 ~]# ps -ef | grep slapd
ldap      3419     1  0 14:08 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
root      3435  2739  0 14:08 pts/0    00:00:00 grep slapd
[root@rhel5 ~]#

I need more information:

1.) what is the version of openldap you updated from?
2.) # rpm -qV openldap-servers
3.) # sh -x /etc/init.d/ldap start

Comment 2 Don Hoover 2011-09-16 19:18:19 UTC
You are totally correct.  


The offending lines in my init script on this box:
-------------------------------------------------------
	# Build a wrapper script to exec slapd with the right arguments, to
	# avoid being tripped out by changes or weirdness in how daemon()
	# handles quoted arguments.
	wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
	harg="ldap:///"
	if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
	    harg="$harg ldaps:///"
	fi
	if test x$SLAPD_LDAPI = xyes ; then
	    harg="$harg ldapi:///"
	fi
	if test -z "$wrapper" ; then
	    return 1
	fi
	cat >> $wrapper <<- EOF
	exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
	EOF
	chmod u+x $wrapper
	trap "rm -f $wrapper" EXIT
	# Start daemons.
	echo -n $"Starting $prog: "
	daemon --check=$prog $wrapper
-------------------------------------------------------


Granted, this system was first installed in 2008.  I am guessing this is a leftover from a previous version of openldap-servers.  I did a "yum reinstall openldap-servers" and it did not replace the /etc/init.d/ldap script with the current one or create a .rpmnew/.rpmold file or anything like that.


I am guessing this ldap init file is from a previous version of the rpm sometime in the RHEL5.x tree.


However, I do think the openldap-servers package probably should be updating the initscript with its own version to handle this sort of thing and keep the init script in sync with the software.



Apologies to whoever manages the CURRENT init script.
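The initscript quoted above builds a wrapper under `${TMP:-/tmp}` and hands it to `daemon`, which is exactly what breaks when /tmp is mounted noexec as the report recommends. The following shell example is added here for illustration; it is not code from the bug report or from the openldap package. It resolves which mount covers a given path from a /proc/mounts-style listing and reports whether noexec applies, so an administrator can detect this kind of hardening conflict before a service start fails. The mounts listing is constructed, and the function names `mount_opts_for`, `path_is_noexec` and `wrapper_dir_check` are my own.

```shell
#!/bin/sh
# Constructed /proc/mounts-style listing for the demo (not the reporter's host).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda2 /var ext3 rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid 0 0'

# Print the mount options in effect for PATH ($1), taken from the longest
# mount point in the /proc/mounts-style text in $2 that contains PATH.
# Later entries shadow earlier ones at the same mount point, as the kernel does.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF >= 4 {
            mnt = $2
            # a mount point covers p if it is p itself, the root, or a directory prefix of p
            if (mnt == p || mnt == "/" || substr(p, 1, length(mnt) + 1) == mnt "/") {
                if (length(mnt) >= length(best)) { best = mnt; opts = $4 }
            }
        }
        END { print opts }'
}

# Return 0 when PATH ($1) sits on a mount carrying noexec, 1 otherwise.
# $2 is the mounts listing; when omitted the live /proc/mounts is read.
path_is_noexec() {
    mounts=${2:-$(cat /proc/mounts)}
    opts=$(mount_opts_for "$1" "$mounts")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Preflight check modelled on the initscript's choice of ${TMP:-/tmp}:
# prints a verdict and returns 0 only if a wrapper created in DIR could be exec'd.
wrapper_dir_check() {
    dir=${1:-${TMP:-/tmp}}
    if path_is_noexec "$dir" "$2"; then
        echo "$dir is mounted noexec: a wrapper script created there cannot be executed"
        return 1
    fi
    echo "$dir allows execution"
    return 0
}

# Demo against the constructed listing.
wrapper_dir_check /tmp "$SAMPLE_MOUNTS" || :
wrapper_dir_check /var/tmp "$SAMPLE_MOUNTS" || :
```

Run without the second argument, `wrapper_dir_check` inspects the real /proc/mounts; with a listing passed in, it can be exercised offline as above. Because the check only reads mount options, it says nothing about whether the wrapper's contents are sane, only whether the kernel will refuse to exec anything at that location.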

Comment 3 Don Hoover 2011-09-16 19:19:52 UTC
FYI.. I went through the logs, this box was INSTALLED as a RHEL 5.1 and has been going strong all the way through now on RHEL 5.6.   Not a bad service record, all things considered.

Comment 4 Jan Vcelak 2011-09-16 19:42:28 UTC
I see in the spec that the initscript is incorrectly marked as %config. Easy fix.

--- openldap.spec       29 Aug 2011 13:54:06 -0000      1.114
+++ openldap.spec       16 Sep 2011 19:40:45 -0000
@@ -842,7 +842,7 @@
 %doc TOOLS.migration
 %doc $RPM_SOURCE_DIR/README.upgrading $RPM_SOURCE_DIR/guide.html
 %ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem
-%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/ldap
+%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/ldap
 %attr(0640,root,ldap) %config(noreplace) %{_sysconfdir}/openldap/slapd.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap
 %attr(0640,root,ldap) %{_sysconfdir}/openldap/DB_CONFIG.example
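Review bot: Dropping `%config` from the `%{_sysconfdir}/rc.d/init.d/ldap` line is the right fix, but the behavioural consequence deserves a `%changelog` entry: without `%config`, rpm replaces the initscript unconditionally on every upgrade and keeps no `.rpmsave` copy, so administrators who edited it locally (as in comment 2) lose those edits silently. With `%config`, rpm leaves a locally modified file alone whenever the packaged copy is unchanged between the old and new package, which is why the `yum reinstall` in comment 2 never delivered the current script. The neighbouring entries are still correct as they stand: `slapd.pem` stays `%ghost %config`, and `slapd.conf` and `sysconfig/ldap` stay `%config(noreplace)`, since those are genuine site configuration.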

Comment 5 Jan Vcelak 2011-09-21 08:54:57 UTC
Resolved in openldap-2.3.43-23.el5

Comment 10 Jan Vcelak 2011-10-12 10:50:06 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- openldap-servers installed, manual modification of ldap initscript performed
- when the package is upgraded, ldap init script is not overwritten by the new version because the initscript is incorrectly marked as a configuration file
- updated specfile to reflect that ldap initscript is not a configuration file
- upgrade of openldap-servers package will overwrite ldap initscript with a new version when there were some local modifications

Comment 12 errata-xmlrpc 2012-02-21 05:29:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0155.html