Bug 189779 - nscd can't use paranoia mode with default config

Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: glibc
Version: 4.0
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Blocks: 181409
Reported: 2006-04-24 12:15 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2006-0510
Doc Type: Bug Fix
Last Closed: 2006-08-10 17:36:01 EDT
Attachments: None
Description Bastien Nocera 2006-04-24 12:15:16 EDT
nscd-2.3.4-2.19-x86_64

Setting the following configuration options, to have nscd restart itself every
1200 seconds, fails when the user nscd is running as is "nscd":

paranoia                yes
restart-interval        1200

It will show:
25936: cannot change to old UID: Operation not permitted; disabling paranoia mode

It works fine if you use "root" as the user to run nscd as.
Comment 1 Ulrich Drepper 2006-04-27 16:22:49 EDT
I checked in a patch upstream which should fix this issue.  We should have used
setres[gu]id instead of set[gu]id in a few places.
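The credential rule behind Comment 1, shown as an added example that is not nscd's code and not the upstream patch: when a process with effective UID 0 calls setuid(), the kernel rewrites the real, effective and saved set-user-ID together, so a later setuid(0) has nothing to match and fails with EPERM (the "cannot change to old UID" message in the description). setresuid() can change only the effective UID and leave the saved UID at 0, which is what lets the daemon come back to its old UID. The UID 65534 below is a constructed stand-in for the nscd server-user; the experiment is run in a forked child so the parent keeps its own credentials.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the "server-user nscd" account (65534 = nobody on
 * most Linux systems; the UID does not have to exist in /etc/passwd). */
#define DEMO_UID ((uid_t)65534)

/* Return codes of the experiment. */
enum { SW_STUCK = 0, SW_REGAINED = 1, SW_CANNOT_DROP = 2 };

/* Body run in the child. Drops to DEMO_UID the requested way, then tries to
 * come back to UID 0 the same way. */
static int try_switch(int use_setres)
{
    if (use_setres) {
        /* Only the effective UID changes; real and saved UID stay 0. */
        if (setresuid((uid_t)-1, DEMO_UID, (uid_t)-1) != 0) return SW_CANNOT_DROP;
        if (geteuid() != DEMO_UID) return SW_CANNOT_DROP;
        /* 0 still equals the real and saved UID, so this is permitted. */
        return setresuid((uid_t)-1, 0, (uid_t)-1) == 0 ? SW_REGAINED : SW_STUCK;
    } else {
        /* With EUID 0, setuid() rewrites real, effective AND saved UID. */
        if (setuid(DEMO_UID) != 0) return SW_CANNOT_DROP;
        /* No credential equals 0 any more, so the kernel answers EPERM. */
        return setuid(0) == 0 ? SW_REGAINED : SW_STUCK;
    }
}

/* Runs try_switch() in a forked child. Returns -1 when not running as root
 * (the experiment only means something from UID 0), otherwise the child's
 * result code. */
int probe_switch_back(int use_setres)
{
    if (geteuid() != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return SW_CANNOT_DROP;
    if (pid == 0) _exit(try_switch(use_setres));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SW_CANNOT_DROP;
    return WEXITSTATUS(status);
}

int main(void)
{
    int a = probe_switch_back(0);
    int b = probe_switch_back(1);
    if (a == -1) {
        puts("run as root to observe the difference");
        return 0;
    }
    printf("setuid(DEMO_UID) then setuid(0)      : %s\n",
           a == SW_REGAINED ? "regained root" : a == SW_STUCK ? "EPERM, stuck" : "could not drop");
    printf("setresuid(-1,DEMO_UID,-1) round trip : %s\n",
           b == SW_REGAINED ? "regained root" : b == SW_STUCK ? "EPERM, stuck" : "could not drop");
    return 0;
}
```

Run as root the first probe reports "EPERM, stuck" and the second "regained root"; as an unprivileged user both probes are skipped. The same reasoning applies to setgid() versus setresgid(), which is why the comment names both.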
Comment 2 Bastien Nocera 2006-05-08 11:52:21 EDT
The customer tested this patch:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.86&r2=1.87

And it would only restart once using the paranoia, then would throw the same error:
26908: re-exec failed: Permission denied; disabling paranoia mode
Comment 3 Jakub Jelinek 2006-05-09 07:52:15 EDT
Any audit messages regarding this?
On FC5, where glibc-2.4-7 (fc5-updates-candidate) has the same patch,
nscd will not reexec properly due to SELinux policy not allowing it:
rpm -q nscd; egrep '^[^#].*(paranoia|restart|user)' /etc/nscd.conf
nscd-2.4-7
        server-user             nscd
        paranoia                yes
        restart-interval        60
May  9 13:40:03 hammer nscd: 21463 Access Vector Cache (AVC) started
May  9 13:41:09 hammer nscd: 21463 re-exec failed: Permission denied; disabling paranoia mode
May  9 13:41:09 hammer kernel: audit(1147174869.158:9): avc:  denied  { execute_no_trans } for  pid=21463 comm="nscd" name="nscd" dev=hda3 ino=396997 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:nscd_exec_t:s0 tclass=file

while if I sudo chcon system_u:object_r:bin_t /usr/sbin/nscd
and restart nscd, it works fine:
May  9 13:44:30 hammer nscd: 21596 Access Vector Cache (AVC) started
May  9 13:45:30 hammer nscd: 21657 Access Vector Cache (AVC) started
May  9 13:46:31 hammer nscd: 21706 Access Vector Cache (AVC) started
May  9 13:47:32 hammer nscd: 21755 Access Vector Cache (AVC) started
May  9 13:48:32 hammer nscd: 21803 Access Vector Cache (AVC) started
May  9 13:49:33 hammer nscd: 21851 Access Vector Cache (AVC) started
May  9 13:50:33 hammer nscd: 21901 Access Vector Cache (AVC) started
May  9 13:51:35 hammer nscd: 21950 Access Vector Cache (AVC) started
May  9 13:52:35 hammer nscd: 21999 Access Vector Cache (AVC) started
May  9 13:53:36 hammer nscd: 22048 Access Vector Cache (AVC) started
May  9 13:54:37 hammer nscd: 22095 Access Vector Cache (AVC) started
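To make the kernel line in Comment 3 easier to read, here is an added example (not part of this bug report and not a Red Hat tool) that pulls the fields of an "avc: denied" record apart and flags the specific symptom seen above: the nscd_t domain executing the nscd_exec_t file with execute_no_trans, i.e. an exec that performs no domain transition, which is what paranoia mode's re-exec of /usr/sbin/nscd amounts to. The parser is deliberately small (strstr-based, single line at a time); the sample line is the one quoted in Comment 3.

```c
#include <stdio.h>
#include <string.h>

/* The kernel audit line quoted in Comment 3 of this bug, joined onto one line. */
static const char SAMPLE_AVC_LINE[] =
    "May  9 13:41:09 hammer kernel: audit(1147174869.158:9): avc:  denied  "
    "{ execute_no_trans } for  pid=21463 comm=\"nscd\" name=\"nscd\" dev=hda3 "
    "ino=396997 scontext=user_u:system_r:nscd_t:s0 "
    "tcontext=system_u:object_r:nscd_exec_t:s0 tclass=file";

struct avc_denial {
    char perm[32];      /* permission listed inside "{ ... }" */
    char comm[32];      /* comm="..." : the process name */
    char scontext[96];  /* scontext=... : the subject (process) domain */
    char tcontext[96];  /* tcontext=... : the target (file) type */
    char tclass[32];    /* tclass=... : object class of the target */
};

/* Copies the value following `key` (up to a space, quote or end of line)
 * into out. Returns 1 if the key was present with a non-empty value. */
static int grab(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    if (*p == '"') p++;
    size_t i = 0;
    while (*p && *p != ' ' && *p != '"' && *p != '\n' && i + 1 < n) out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Parses one syslog/audit line. Returns 1 if it is an AVC denial and fills *d,
 * 0 for any other line (e.g. nscd's own "Access Vector Cache (AVC) started"). */
int parse_avc(const char *line, struct avc_denial *d)
{
    memset(d, 0, sizeof *d);
    const char *p = strstr(line, "avc:  denied  {");
    if (!p) p = strstr(line, "avc: denied {");   /* single-spaced variant */
    if (!p) return 0;
    p = strchr(p, '{') + 1;
    while (*p == ' ') p++;
    size_t i = 0;
    while (*p && *p != ' ' && *p != '}' && i + 1 < sizeof d->perm) d->perm[i++] = *p++;
    d->perm[i] = '\0';
    grab(line, "comm=", d->comm, sizeof d->comm);
    grab(line, "scontext=", d->scontext, sizeof d->scontext);
    grab(line, "tcontext=", d->tcontext, sizeof d->tcontext);
    grab(line, "tclass=", d->tclass, sizeof d->tclass);
    return 1;
}

/* True when the denial is the paranoia-mode symptom from this bug: a domain
 * trying to exec a file without a domain transition. */
int is_exec_no_trans(const struct avc_denial *d)
{
    return strcmp(d->perm, "execute_no_trans") == 0 && strcmp(d->tclass, "file") == 0;
}

int main(void)
{
    struct avc_denial d;
    if (!parse_avc(SAMPLE_AVC_LINE, &d)) {
        puts("not an AVC denial");
        return 1;
    }
    printf("process %s in %s denied '%s' on %s (%s)\n",
           d.comm, d.scontext, d.perm, d.tcontext, d.tclass);
    if (is_exec_no_trans(&d))
        puts("-> exec without domain transition: the policy lacks a rule letting "
             "the subject domain execute this file type in place");
    return 0;
}
```

The relabel to bin_t in Comment 3 works because the policy allows nscd_t to execute bin_t in place, whereas nscd_exec_t is only meant as an entrypoint into nscd_t; the durable fix is a policy rule, which is what ausearch -m avc together with audit2allow would propose from the same record.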
Comment 4 Bastien Nocera 2006-05-09 10:22:45 EDT
SELinux is disabled on the machine nscd was started on. Is the patch posted
above sufficient to fix this problem?
Comment 5 Jakub Jelinek 2006-05-09 10:31:08 EDT
The patch in glibc-2.3.4-2.20 (and FC4/FC5 testing updates) is not just
-r1.8{6,7} of nscd/connections.c, but -r1.8{5,7}.
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/connections.c.diff?cvsroot=glibc&r1=1.85&r2=1.87
Comment 11 Red Hat Bugzilla 2006-08-10 17:36:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0510.html
