Bug 189779 - nscd can't use paranoia mode with default config
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: glibc
All Linux
Priority: medium  Severity: medium
Assigned To: Jakub Jelinek
Brian Brock
Depends On:
Blocks: 181409
Reported: 2006-04-24 12:15 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST (History)

Fixed In Version: RHBA-2006-0510
Doc Type: Bug Fix
Last Closed: 2006-08-10 17:36:01 EDT


External Trackers
Red Hat Product Errata RHBA-2006:0510 (priority normal, status SHIPPED_LIVE): glibc bug fix update, last updated 2006-08-09 00:00:00 EDT

Description Bastien Nocera 2006-04-24 12:15:16 EDT

Setting the following configuration options, to have nscd restart itself every
1200 seconds, fails when the user nscd runs as is "nscd":

paranoia                yes
restart-interval        1200

It will show:
25936: cannot change to old UID: Operation not permitted; disabling paranoia mode

It works fine if you use "root" as the user to run nscd as.
Comment 1 Ulrich Drepper 2006-04-27 16:22:49 EDT
I checked in a patch upstream which should fix this issue.  We should have used
setres[gu]id instead of set[gu]id in a few places.
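To make the point in the comment above concrete, here is an added C example; it is not code from the bug report or from glibc's nscd, and the function names, the `paranoia` flag and the UID/GID value 28 for the "nscd" account are constructed for illustration. It models the (real, effective, saved) UID triple under `setuid()` and `setresuid()`, shows with the Linux permission rule why a daemon that dropped root with `setuid()` can never get back to its old UID to re-exec itself, and wraps the real calls in the order a daemon has to use them (group first, then user).

```c
/* Added example, not nscd's code. UID/GID 28 is a placeholder for the
 * "nscd" account; the helper names are constructed for this example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct ids { uid_t r, e, s; };   /* real, effective, saved set-user-ID */

/* Linux rule for setresuid() by an unprivileged process: every new value
 * must equal one of the current real, effective or saved IDs. A process
 * whose effective UID is 0 may set anything. Returns 1 if allowed. */
int id_switch_allowed(struct ids cur, uid_t target)
{
    if (cur.e == 0)
        return 1;
    return target == cur.r || target == cur.e || target == cur.s;
}

/* Model of setuid(uid): from root all three IDs become uid (the return
 * path is gone); unprivileged, only the effective UID changes. */
struct ids model_setuid(struct ids cur, uid_t uid)
{
    if (cur.e == 0)
        cur.r = cur.e = cur.s = uid;
    else
        cur.e = uid;
    return cur;
}

/* Model of setresuid(r, e, s); (uid_t)-1 means "leave unchanged". */
struct ids model_setresuid(struct ids cur, uid_t r, uid_t e, uid_t s)
{
    if (r != (uid_t)-1) cur.r = r;
    if (e != (uid_t)-1) cur.e = e;
    if (s != (uid_t)-1) cur.s = s;
    return cur;
}

/* Real privilege drop for the calling process. With paranoia set, the old
 * IDs are parked in the saved slots so restore_old_uid() can succeed later;
 * without it the drop is permanent, which is the pre-fix behaviour the bug
 * describes. Group must be dropped before user. Returns 0 or -1 (errno). */
int drop_privileges(uid_t uid, gid_t gid, int paranoia)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();

    if ((paranoia ? setresgid(gid, gid, old_gid) : setgid(gid)) == -1)
        return -1;
    return paranoia ? setresuid(uid, uid, old_uid) : setuid(uid);
}

/* What a restart path needs before re-executing itself: all three IDs back
 * to the old value. Succeeds only if old_uid is still reachable. */
int restore_old_uid(uid_t old_uid)
{
    return setresuid(old_uid, old_uid, old_uid);
}

/* Live triple of the calling process. */
struct ids current_ids(void)
{
    struct ids cur;
    if (getresuid(&cur.r, &cur.e, &cur.s) == -1)
        cur.r = cur.e = cur.s = (uid_t)-1;
    return cur;
}

int main(void)
{
    const uid_t nscd_uid = 28;            /* constructed placeholder */
    struct ids root = { 0, 0, 0 };

    struct ids a = model_setuid(root, nscd_uid);
    printf("after setuid(%u):          r=%u e=%u s=%u, back to root: %s\n",
           nscd_uid, a.r, a.e, a.s, id_switch_allowed(a, 0) ? "yes" : "no");

    struct ids b = model_setresuid(root, nscd_uid, nscd_uid, 0);
    printf("after setresuid(%u,%u,0):  r=%u e=%u s=%u, back to root: %s\n",
           nscd_uid, nscd_uid, b.r, b.e, b.s,
           id_switch_allowed(b, 0) ? "yes" : "no");

    struct ids live = current_ids();
    printf("this process: r=%u e=%u s=%u\n", live.r, live.e, live.s);
    return 0;
}
```

Run as an ordinary user the program only prints the models and the live triple; `drop_privileges()` and `restore_old_uid()` need root to show a real round trip. The detail to keep in mind for any daemon that re-execs itself: the saved set-user-ID is the only thing that lets an unprivileged process regain its previous UID, so a `setuid()` drop from root closes that door even though the same drop looks identical in `ps`.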
Comment 2 Bastien Nocera 2006-05-08 11:52:21 EDT
The customer tested this patch:

And it would only restart once using paranoia mode, then would throw the same error:
26908: re-exec failed: Permission denied; disabling paranoia mode
Comment 3 Jakub Jelinek 2006-05-09 07:52:15 EDT
Any audit messages regarding this?
On FC5 where glibc-2.4-7 (fc5-updates-candidate) has the same patch
nscd will not reexec properly due to SELinux policy not allowing it:
rpm -q nscd; egrep '^[^#].*(paranoia|restart|user)' /etc/nscd.conf
        server-user             nscd
        paranoia                yes
        restart-interval        60
May  9 13:40:03 hammer nscd: 21463 Access Vector Cache (AVC) started
May  9 13:41:09 hammer nscd: 21463 re-exec failed: Permission denied; disabling paranoia mode
May  9 13:41:09 hammer kernel: audit(1147174869.158:9): avc:  denied  { execute_no_trans } for  pid=21463 comm="nscd" name="nscd" dev=hda3 ino=396997 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_exec_t:s0

while if I sudo chcon system_u:object_r:bin_t /usr/sbin/nscd
and restart nscd, it works fine:
May  9 13:44:30 hammer nscd: 21596 Access Vector Cache (AVC) started
May  9 13:45:30 hammer nscd: 21657 Access Vector Cache (AVC) started
May  9 13:46:31 hammer nscd: 21706 Access Vector Cache (AVC) started
May  9 13:47:32 hammer nscd: 21755 Access Vector Cache (AVC) started
May  9 13:48:32 hammer nscd: 21803 Access Vector Cache (AVC) started
May  9 13:49:33 hammer nscd: 21851 Access Vector Cache (AVC) started
May  9 13:50:33 hammer nscd: 21901 Access Vector Cache (AVC) started
May  9 13:51:35 hammer nscd: 21950 Access Vector Cache (AVC) started
May  9 13:52:35 hammer nscd: 21999 Access Vector Cache (AVC) started
May  9 13:53:36 hammer nscd: 22048 Access Vector Cache (AVC) started
May  9 13:54:37 hammer nscd: 22095 Access Vector Cache (AVC) started
Comment 4 Bastien Nocera 2006-05-09 10:22:45 EDT
SELinux is disabled on the machine nscd was started on. Is the patch posted
above sufficient to fix this problem?
Comment 5 Jakub Jelinek 2006-05-09 10:31:08 EDT
The patch in glibc-2.3.4-2.20 (and FC4/FC5 testing updates) is not just
-r1.8{6,7} of nscd/connections.c, but -r1.8{5,7}.
Comment 11 Red Hat Bugzilla 2006-08-10 17:36:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.