Bug 772043

Summary: Adding a netgroup with a "+" in the name that overlaps hostgroup causes crash
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.0
CC: dpal, jamescape777, jgalipea, mkosek, shaines, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA netgroup plugin does not validate netgroup names. Consequence: A netgroup with invalid name can be stored in LDAP server which may then crash when the invalid value is processed by NIS plugin. Fix: IPA netgroup plugin enforces stricter validation for netgroup names. Result: User cannot accidentally enter invalid netgroup and thus cause an LDAP server to crash because of NIS plugin processing.
Story Points: ---
Clone Of: 770952
Environment:
Last Closed: 2012-06-20 13:28:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 770952
Bug Blocks:

Description Dmitri Pal 2012-01-05 18:13:24 UTC
+++ This bug was initially created as a clone of Bug #770952 +++

Description of problem:

When you create an NIS netgroup named +(hostgroup), 389 crashes and then crashes on startup (last log item is a note about database recovery).

Version-Release number of selected component (if applicable):

2.1.4-3.fc16.x86_64 (from updates-testing as of 2011-12-29)

How reproducible:

Haven't tried on a test setup, consistently crashed, however.

Steps to Reproduce:
1. Create a hostgroup "buildserv"
2. Add a server to it
3. Create a sudo command-group "software-install" that mirrors the standard SOFTWARE cmnd_alias.
4. Create a sudo rule "developers_buildserv" which allows members of the "developers" group to run software on the host named "+buildserv"
5. Create an NIS netgroup "+buildserv"

Actual results:

389 crashes, crashes again when restarting.

Expected results:

The server refuses to create +buildserv, lets you know you're doing something dumb.

Additional info:

The corrective action was:

1. Use db2ldif to dump the database to LDIF
2. Manually edit the dump to rename the "buildserv" netgroup
3. Re-import with ldif2db
4. Delete the host group
5. Delete the netgroup
6. Re-add the host group.

Comment 1 Dmitri Pal 2012-01-05 18:14:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2221

Comment 3 Rob Crittenden 2012-02-27 22:17:23 UTC
Allowed characters are a-z, 0-9, -, _ and .

Also restricting hostgroup names with same list.

Fixed upstream

master: 7d7322de2eb0de61ea917d03662452d3efa4c834

ipa-2-2: 85462d063453f8614b63eddbba568fed034b0037
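
The validation rule stated in Comment 3 (allowed characters a-z, 0-9, "-", "_" and ".", applied to both netgroup and hostgroup names), written out as an added example. This is not IPA's own plugin code and does not claim to match the upstream commits; it assumes, following the comment literally, that only lowercase letters are accepted (the CLI error text in Comment 5 says "letters", so the real plugin may also accept uppercase). The point is that a name such as "+buildserv" is rejected before anything is written to the directory, so the NIS plugin never sees the value that crashed 389 in this report.

```python
import re

# Allowed set as stated in Comment 3: a-z, 0-9, "-", "_" and ".".
# Assumption (example code, not IPA's): lowercase only, per the comment's wording.
_GROUP_NAME_RE = re.compile(r"^[a-z0-9_.-]+$")


def validate_group_name(name: str, kind: str = "netgroup") -> None:
    """Raise ValueError unless `name` is an acceptable netgroup or hostgroup name.

    The check runs on the input before it is stored, which is the fix described
    in the bug: a stored invalid value is what the NIS plugin later choked on.
    """
    if not name:
        raise ValueError(f"invalid {kind} name: empty")
    if not _GROUP_NAME_RE.fullmatch(name):
        # Mirrors the wording of the CLI error shown in Comment 5.
        raise ValueError(
            f"invalid '{name}': {kind} name may only include letters, numbers, _, -, and ."
        )


def is_valid_group_name(name: str, kind: str = "netgroup") -> bool:
    """Boolean form of validate_group_name, convenient for batch checks."""
    try:
        validate_group_name(name, kind)
    except ValueError:
        return False
    return True


def check_names(names, kind: str = "netgroup") -> dict:
    """Return {name: accepted?} for a batch of candidate names."""
    return {n: is_valid_group_name(n, kind) for n in names}


if __name__ == "__main__":
    # Constructed sample input: the names from the bug report plus a few variants.
    candidates = ["buildserv", "+buildserv", "+badtestnetgroup", "dev.build-01", "dev group"]
    for name, ok in check_names(candidates).items():
        print(f"{name!r:20} -> {'accepted' if ok else 'rejected'}")
    # The same rule applies to hostgroups, as Comment 3 says.
    for name, ok in check_names(["buildserv", "+buildserv"], kind="hostgroup").items():
        print(f"hostgroup {name!r:20} -> {'accepted' if ok else 'rejected'}")
```

Running the block prints which of the constructed names pass; "+buildserv" and "+badtestnetgroup" are rejected with the same message the fixed `ipa netgroup-add` returns in Comment 5.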

Comment 5 Scott Poore 2012-03-16 21:35:05 UTC
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv > /netgroup_bz_772043.29569.out 2>&1'
:: [   PASS   ] :: BZ 772043 not found...fix is in place for ipa command
:: [   PASS   ] :: Running 'ipactl status > /netgroup_bz_772043.29569.out 2>&1'
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash

Manual Test Results ::

[root@hp-xw6600-01 ipa-netgroup-cli]# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

[root@hp-xw6600-01 ipa-netgroup-cli]# ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv
ipa: ERROR: invalid 'name': may only include letters, numbers, _, -, and .

[root@hp-xw6600-01 ipa-netgroup-cli]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Comment 6 Martin Kosek 2012-04-19 19:43:56 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: IPA netgroup plugin does not validate netgroup names.
Consequence: A netgroup with invalid name can be stored in LDAP server which may then crash when the invalid value is processed by NIS plugin.
Fix: IPA netgroup plugin enforces stricter validation for netgroup names.
Result: User cannot accidentally enter invalid netgroup and thus cause an LDAP server to crash because of NIS plugin processing.

Comment 9 errata-xmlrpc 2012-06-20 13:28:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html