Bug 20995 - Chroot environment not updated
Status: CLOSED RAWHIDE
Product: Red Hat Powertools
Classification: Retired
Component: postfix
Version: 7.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
Keywords: Security
Reported: 2000-11-16 22:56 EST by Damien Miller
Modified: 2008-05-01 11:37 EDT

Doc Type: Bug Fix
Last Closed: 2000-12-18 15:01:30 EST

Description Damien Miller 2000-11-16 22:56:27 EST
The powertools packages run chrooted, and set up a chroot environment at
install time (consisting of libraries, etc). 

Unfortunately the libs in this environment are not updated along with the
system copies. This could lead to a situation where security problems which
have been fixed in system libraries are still present in the libraries that
postfix uses.

Below is an updated postfix init script which tries to solve the problem at
daemon start time. It appears to work OK, but it could be improved by
dynamically determining which libs are needed from the output of ldd. 

---------------------------------------------

#!/bin/sh
#
# postfix      This shell script takes care of starting and stopping
#               postfix.
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: postfix
# config: /etc/postfix/
# pidfile: /var/run/postfix.pid

# Hacked by jam 25 Feb 99.  Mostly s/sendmail/postfix/g :-)

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/postfix ] || exit 0

# Checks and updates the chroot environment (eg. if libraries have been
# updated)
check_chroot_env() {
	TESTBIN=/usr/libexec/postfix/cleanup
	QUEUEDIR=/var/spool/postfix

	NSSDNS1=/lib/libnss_dns.so.1
	NSSDNS2=/lib/libnss_dns.so.2
	LIBLDAP=/usr/lib/libldap.so.1
	LIBLBER=/usr/lib/liblber.so.1

	umask 022

	# ${QUEUEDIR}/etc must exist before the config files are copied into it
	install -d ${QUEUEDIR}/etc ${QUEUEDIR}/lib ${QUEUEDIR}/usr/lib
	install -c -m 644 /etc/localtime /etc/services /etc/resolv.conf ${QUEUEDIR}/etc
	ln -sf /etc/localtime ${QUEUEDIR}/usr/lib/zoneinfo

	# XXX: should dynamically determine what libs to use from output of ldd
	if test -e ${NSSDNS2} ; then
		if ! cmp -s ${NSSDNS2} ${QUEUEDIR}/${NSSDNS2} 2>/dev/null ;then
			install -c ${NSSDNS2} ${QUEUEDIR}/lib
		fi
	elif test -e ${NSSDNS1} ; then
		if ! cmp -s ${NSSDNS1} ${QUEUEDIR}/${NSSDNS1} 2>/dev/null ;then
			install -c ${NSSDNS1} ${QUEUEDIR}/lib
		fi
	fi
	# Only copy the LDAP libraries if the postfix binaries are actually linked
	# against them (redirect stdout before stderr so grep stays silent)
	if test -e ${LIBLDAP} && \
		/usr/bin/ldd ${TESTBIN} | /bin/grep `basename ${LIBLDAP}` >/dev/null 2>&1 ;then
		if ! cmp -s ${LIBLDAP} ${QUEUEDIR}/${LIBLDAP} 2>/dev/null ;then
			install -c ${LIBLDAP} ${QUEUEDIR}/usr/lib
		fi
	fi
	if test -e ${LIBLBER} && \
		/usr/bin/ldd ${TESTBIN} | /bin/grep `basename ${LIBLBER}` >/dev/null 2>&1 ;then
		if ! cmp -s ${LIBLBER} ${QUEUEDIR}/${LIBLBER} 2>/dev/null ;then
			install -c ${LIBLBER} ${QUEUEDIR}/usr/lib
		fi
	fi
	
	/usr/sbin/postfix check >/dev/null
}

RETVAL=0

# See how we were called.
case "$1" in
  start)
	# Start daemons.
	check_chroot_env
	echo -n "Starting postfix: "
	/usr/sbin/postfix start
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
	;;
  stop)
	# Stop daemons.
	echo -n "Shutting down postfix: "
	/usr/sbin/postfix stop
	RETVAL=$?
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
	echo
	;;
  restart)
	$0 stop
	$0 start
	;;
  reload)
	/usr/sbin/postfix reload
        exit $?
	;;
  abort)
	/usr/sbin/postfix abort
        exit $?
	;;
  flush)
	/usr/sbin/postfix flush
        exit $?
	;;
  check)
	/usr/sbin/postfix check
        exit $?
	;;
  *)
	echo "Usage: postfix {start|stop|restart|reload|abort|flush|check}"
	exit 1
esac

exit $RETVAL
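The script above hard-codes the four libraries it keeps in sync and leaves an "XXX" note that the list should come from ldd. The following is an added example written for this page; it is neither the reporter's script nor the Red Hat package's own code. It derives the library set from ldd output, copies only libraries whose chroot copy is missing or differs from the system copy, and offers a check mode that fails when anything is stale. The names CHROOT, EXTRA_LIBS, the function names, the chroot-libs.sh file name and the libfake path mentioned in comments are illustrative assumptions, not taken from the bug.

```shell
#!/bin/sh
# Added example (not from the bug report or the Red Hat package): keep a
# chroot's copies of shared libraries in sync with the system copies,
# deriving the list from ldd instead of a hard-coded set.
#
# Assumptions (hypothetical names, not from the original script):
#   CHROOT     : chroot directory, default /var/spool/postfix
#   EXTRA_LIBS : whitespace-separated libraries ldd cannot see because they
#                are dlopen()ed at run time (NSS modules such as
#                /lib/libnss_dns.so.2); supplied by the caller

# Parse ldd output on stdin and print one absolute library path per line.
# The three line shapes ldd emits are handled:
#   libc.so.6 => /lib/libc.so.6 (0x...)           -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x...)                    -> /lib/ld-linux.so.2
#   linux-vdso.so.1 (0x...) and "=> not found"    -> skipped (no file to copy)
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Print the deduplicated set of libraries needed by the given binaries plus
# anything in EXTRA_LIBS. Run ldd only on trusted binaries (here the daemons
# the package itself installed): ldd may execute the file it inspects.
needed_libs() {
    {
        for bin in "$@"; do
            ldd "$bin" 2>/dev/null || true
        done | ldd_paths
        for lib in ${EXTRA_LIBS:-}; do
            printf '%s\n' "$lib"
        done
    } | sort -u
}

# Copy one library to the same path below the chroot when the chroot copy is
# missing or differs from the system copy. Prints the path when it copied.
copy_if_changed() {
    chroot_dir=$1
    lib=$2
    dest="$chroot_dir$lib"
    if [ ! -e "$lib" ]; then
        echo "warning: $lib not present on the system, skipped" >&2
        return 0
    fi
    if cmp -s "$lib" "$dest" 2>/dev/null; then
        return 0                    # chroot copy already matches
    fi
    install -d -m 755 "$(dirname "$dest")"
    install -m 755 "$lib" "$dest"   # follows symlinks: the real object lands
    echo "$lib"
}

# Read library paths from stdin and refresh them in the chroot; prints the
# paths that were (re)installed.
sync_chroot_libs() {
    chroot_dir=$1
    while IFS= read -r lib; do
        copy_if_changed "$chroot_dir" "$lib"
    done
}

# Read library paths from stdin and print those whose chroot copy is missing
# or stale. Returns 1 if anything is stale, so it can gate a daemon start.
check_chroot_libs() {
    chroot_dir=$1
    stale=0
    while IFS= read -r lib; do
        if ! cmp -s "$lib" "$chroot_dir$lib" 2>/dev/null; then
            echo "$lib"
            stale=1
        fi
    done
    return $stale
}

# Command-line use from an init script or a package trigger, for example:
#   EXTRA_LIBS=/lib/libnss_dns.so.2 ./chroot-libs.sh sync /usr/libexec/postfix/*
#   ./chroot-libs.sh check /usr/libexec/postfix/*
case "${1:-}" in
    sync)  shift; needed_libs "$@" | sync_chroot_libs  "${CHROOT:-/var/spool/postfix}" ;;
    check) shift; needed_libs "$@" | check_chroot_libs "${CHROOT:-/var/spool/postfix}" ;;
esac
```

Two caveats a practitioner should keep in mind. ldd only reports DT_NEEDED dependencies; objects loaded with dlopen() at run time, which is exactly how glibc pulls in NSS modules such as libnss_dns, never appear, so the EXTRA_LIBS list still has to be maintained by hand. And because the copy happens outside package management, the files in the chroot are unknown to rpm, which is the objection raised in Comment 1; calling the same sync function from an RPM trigger on the library packages, as Comment 4 describes for the eventual fix, keeps the refresh tied to the update that made it necessary.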
Comment 1 Bernhard Rosenkraenzer 2000-11-17 10:05:03 EST
This is true... The problem is that this sort of script breaks rpm -e and rpm
-U, because it generates files that are not listed in the rpm database and
deletes files that are listed there.
I can't think of a nice way to fix this at the moment, but I agree it's a
problem.
Comment 2 Daniel Roesen 2000-11-20 13:31:27 EST
Nod. Same problem applies to chrooted bind setups. :-(
Comment 3 kpinc 2000-12-18 14:54:56 EST
FYI, I believe that postfix reports chroot/system lib mismatches when it starts.
Comment 4 Bernhard Rosenkraenzer 2002-02-02 06:26:28 EST
This is done using %trigger scripts in postfix 1.1.2-2 (rawhide).
