Bug 20995 - Chroot environment not updated
Summary: Chroot environment not updated
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Powertools
Classification: Retired
Component: postfix
Version: 7.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
Keywords: Security
Reported: 2000-11-17 03:56 UTC by Damien Miller
Modified: 2008-05-01 15:37 UTC

Doc Type: Bug Fix
Last Closed: 2000-12-18 20:01:30 UTC

Description Damien Miller 2000-11-17 03:56:27 UTC
The powertools packages run chrooted, and set up a chroot environment at
install time (consisting of libraries, etc). 

Unfortunately the libs in this environment are not updated along with the
system copies. This could lead to a situation where security problems which
have been fixed in system libraries are still present in the libraries that
postfix uses.

Below is an updated postfix init script which tries to solve the problem at
daemon start time. It appears to work OK, but it could be improved by
dynamically determining which libs are needed from the output of ldd. 

---------------------------------------------

#!/bin/sh
#
# postfix      This shell script takes care of starting and stopping
#               postfix.
#
# chkconfig: 2345 80 30
# description: Postfix is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: postfix
# config: /etc/postfix/
# pidfile: /var/run/postfix.pid

# Hacked by jam 25 Feb 99.  Mostly s/sendmail/postfix/g :-)

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/postfix ] || exit 0

# Checks and updates the chroot environment (eg. if libraries have been
# updated)
check_chroot_env() {
	TESTBIN=/usr/libexec/postfix/cleanup
	QUEUEDIR=/var/spool/postfix

	NSSDNS1=/lib/libnss_dns.so.1
	NSSDNS2=/lib/libnss_dns.so.2
	LIBLDAP=/usr/lib/libldap.so.1
	LIBLBER=/usr/lib/liblber.so.1

	umask 022

	install -d ${QUEUEDIR}/etc ${QUEUEDIR}/lib ${QUEUEDIR}/usr/lib
	install -c -m 644 /etc/localtime /etc/services /etc/resolv.conf \
		${QUEUEDIR}/etc
	ln -sf /etc/localtime ${QUEUEDIR}/usr/lib/zoneinfo

	# XXX: should dynamically determine what libs to use from output of ldd
	if test -e ${NSSDNS2} ; then
		if ! cmp -s ${NSSDNS2} ${QUEUEDIR}${NSSDNS2} 2>/dev/null ;then
			install -c ${NSSDNS2} ${QUEUEDIR}/lib
		fi
	elif test -e ${NSSDNS1} ; then
		if ! cmp -s ${NSSDNS1} ${QUEUEDIR}${NSSDNS1} 2>/dev/null ;then
			install -c ${NSSDNS1} ${QUEUEDIR}/lib
		fi
	fi
	# Only copy the LDAP libs if the postfix binary actually links against them.
	# grep -F matches the literal name (the dots would otherwise be wildcards);
	# stdout is redirected before stderr so nothing leaks to the console.
	if test -e ${LIBLDAP} && \
		/usr/bin/ldd ${TESTBIN} | /bin/grep -F `basename ${LIBLDAP}` >/dev/null 2>&1 ;then
		if ! cmp -s ${LIBLDAP} ${QUEUEDIR}${LIBLDAP} 2>/dev/null ;then
			install -c ${LIBLDAP} ${QUEUEDIR}/usr/lib
		fi
	fi
	if test -e ${LIBLBER} && \
		/usr/bin/ldd ${TESTBIN} | /bin/grep -F `basename ${LIBLBER}` >/dev/null 2>&1 ;then
		if ! cmp -s ${LIBLBER} ${QUEUEDIR}${LIBLBER} 2>/dev/null ;then
			install -c ${LIBLBER} ${QUEUEDIR}/usr/lib
		fi
	fi

	/usr/sbin/postfix check >/dev/null
}

RETVAL=0

# See how we were called.
case "$1" in
  start)
	# Start daemons.
	check_chroot_env
	echo -n "Starting postfix: "
	/usr/sbin/postfix start
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/postfix
	echo
	;;
  stop)
	# Stop daemons.
	echo -n "Shutting down postfix: "
	/usr/sbin/postfix stop
	RETVAL=$?
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/postfix
	echo
	;;
  restart)
	$0 stop
	$0 start
	;;
  reload)
	/usr/sbin/postfix reload
	exit $?
	;;
  abort)
	/usr/sbin/postfix abort
	exit $?
	;;
  flush)
	/usr/sbin/postfix flush
	exit $?
	;;
  check)
	/usr/sbin/postfix check
	exit $?
	;;
  *)
	echo "Usage: postfix {start|stop|restart|reload|abort|flush|check}"
	exit 1
esac

exit $RETVAL
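
The script above hard-codes four library paths and notes that the list could instead be derived from ldd. The following is an added example (not part of the bug report or of the Red Hat package) of that approach: sh functions that parse ldd output and refresh only the chroot copies that differ from the system libraries, plus a report-only variant for checking a chroot without touching it. The function names and the /var/spool/postfix usage are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the init script from the report: the improvement the
# reporter suggests (derive the library list from ldd instead of hard-coding
# it) and refresh only chroot copies that differ. Names/paths are constructed.

# Read ldd(1) output on stdin and print the absolute path of every resolved
# shared object ("libc.so.6 => /lib/libc.so.6 (0x...)"). Entries without a
# path, such as the vDSO and the dynamic loader line, are skipped.
needed_libs() {
	awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Read library paths on stdin and copy each into ROOT at the same relative
# path, only when the chroot copy is missing or differs from the system copy,
# so a patched system library replaces the stale one. Prints the number of
# libraries refreshed.
sync_libs() {
	root="$1"
	updated=0
	while IFS= read -r lib; do
		[ -f "$lib" ] || continue
		dest="$root$lib"
		if ! cmp -s "$lib" "$dest" 2>/dev/null; then
			mkdir -p "$(dirname "$dest")"
			cp -p "$lib" "$dest"
			updated=$((updated + 1))
		fi
	done
	echo "$updated"
}

# Report-only variant for an audit run: print the libraries whose chroot copy
# is stale, without modifying anything.
stale_libs() {
	root="$1"
	while IFS= read -r lib; do
		[ -f "$lib" ] || continue
		cmp -s "$lib" "$root$lib" 2>/dev/null || echo "$lib"
	done
}

# Glue for a start script: refresh everything the chrooted binary links
# against, e.g. sync_chroot_for_binary /var/spool/postfix /usr/libexec/postfix/cleanup
sync_chroot_for_binary() {
	ldd "$2" | needed_libs | sync_libs "$1"
}

if [ $# -eq 2 ]; then
	sync_chroot_for_binary "$1" "$2"
fi
```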

Comment 1 Bernhard Rosenkraenzer 2000-11-17 15:05:03 UTC
This is true... The problem is that this sort of script breaks rpm -e and rpm -U, because it generates files that are not listed in the rpm database and deletes files that are listed there.
I can't think of a nice way to fix this at the moment, but I agree it's a problem.

Comment 2 Daniel Roesen 2000-11-20 18:31:27 UTC
Nod. Same problem applies to chrooted bind setups. :-(

Comment 3 Karl O. Pinc 2000-12-18 19:54:56 UTC
FYI, I believe that postfix reports chroot/system lib mismatches when it starts.

Comment 4 Bernhard Rosenkraenzer 2002-02-02 11:26:28 UTC
This is done using %trigger scripts in postfix 1.1.2-2 (rawhide).

