Bug 738768 - initscript marked as %config incorrectly
Summary: initscript marked as %config incorrectly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openldap
Version: 5.6
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-15 18:20 UTC by Don Hoover
Modified: 2013-03-04 01:29 UTC (History)
5 users (show)

Fixed In Version: openldap-2.3.43-23.el5
Doc Type: Bug Fix
Doc Text:
- openldap-servers installed, manual modification of ldap initscript performed - when the package is upgraded, ldap init script is not overwritten by the new version because the initscript is incorrectly marked as a configuration file - updated specfile to reflect, that ldap initscript is not a configuration file - upgrade of openldap-servers package will overwrite ldap initscript with a new version when there were some local modifications
Clone Of:
Environment:
Last Closed: 2012-02-21 05:29:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0155 normal SHIPPED_LIVE openldap bug fix and enhancement update 2012-02-20 14:54:48 UTC

Description Don Hoover 2011-09-15 18:20:11 UTC
Description of problem:
On a recent update to RHEL 5.6, and installed openldap-servers-2.3.43-12.el5_6.5.i386, a new problem was created.

The new init script now EXPECTS /tmp to be execuitable which is very poor programming practices.  

In almost every 'harden your linux' guide in existence from CIS to Bastille, one of the recommendations is to mount /tmp with noexec.  

This is because no only is it handy for mr 'ldap init script writer', it is also one of the single most common places for worms and other nastiness to create self-executing stuff.

Version-Release number of selected component (if applicable):
openldap-servers-2.3.43-12.el5_6.5.i386

How reproducible:
Try to startup ldap (slapd) with /tmp mounted with noexec, and it will fail because it wants to create a temporary script and self-execute.

Steps to Reproduce:
1. mount /tmp with noexec
2. service ldap start
3. profit!
  
Actual results:


Expected results:
No one would be silly enough to create a script in /tmp and expect it to be executable.  :)

Additional info:

Comment 1 Jan Vcelak 2011-09-16 12:19:59 UTC
There were no recent changes in the ldap initscript. And looking into the source, I cannot see the place where it might happen. And I do not manage to reproduce it either.

[root@rhel5 ~]# rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_6.5
[root@rhel5 ~]# rpm -qV openldap-servers
S.5....T  c /etc/openldap/slapd.conf
[root@rhel5 ~]# service ldap status
slapd is stopped
[root@rhel5 ~]# mount | grep /tmp
/dev/null on /tmp type tmpfs (rw,noexec)
[root@rhel5 ~]# ll /tmp/script.sh 
-rwxr-xr-x 1 root root 23 Sep 16 13:58 /tmp/script.sh
[root@rhel5 ~]# /tmp/script.sh 
-bash: /tmp/script.sh: /bin/bash: bad interpreter: Permission denied
[root@rhel5 ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[root@rhel5 ~]# service ldap status
slapd (pid 3419) is running...
[root@rhel5 ~]# ps -ef | grep slapd
ldap      3419     1  0 14:08 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
root      3435  2739  0 14:08 pts/0    00:00:00 grep slapd
[root@rhel5 ~]#

I need more information:

1.) what is the version of openldap you updated from?
2.) # rpm -qV openldap-servers
3.) # sh -x /etc/init.d/ldap start

Comment 2 Don Hoover 2011-09-16 19:18:19 UTC
You are totally correct.  


The offending lines in my init script on this box:
-------------------------------------------------------
	# Build a wrapper script to exec slapd with the right arguments, to
	# avoid being tripped out by changes or weirdness in how daemon()
	# handles quoted arguments.
	wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
	harg="ldap:///"
	if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
	    harg="$harg ldaps:///"
	fi
	if test x$SLAPD_LDAPI = xyes ; then
	    harg="$harg ldapi:///"
	fi
	if test -z "$wrapper" ; then
	    return 1
	fi
	cat >> $wrapper <<- EOF
	exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
	EOF
	chmod u+x $wrapper
	trap "rm -f $wrapper" EXIT
	# Start daemons.
	echo -n $"Starting $prog: "
	daemon --check=$prog $wrapper
-------------------------------------------------------


Granted, this system was first installed in 2008.  I am guessing this is a left over from a previous version of openldap-servers.  I did a "yum reinstall openldap-servers" and it did not replace the /etc/init.d/ldap script with the current one or create a .rpmnew/.rpmold file or anything like that.


I am guessing this ldap init file is from a previews version of the rpm sometime in the RHEL5.x tree.


However, I do think the openldap-servers package probably should be updating the initscript with its own version to handle this sort of thing and keep the init script in sync with the software.



Apologies to whoever manages the CURRENT init script.

Comment 3 Don Hoover 2011-09-16 19:19:52 UTC
FYI.. I went through the logs, this box was INSTALLED as a RHEL 5.1 and has been going strong all the way through now on RHEL 5.6.   Not a bad service record, all things considered.

Comment 4 Jan Vcelak 2011-09-16 19:42:28 UTC
I see in the spec that the initscript is incorrectly marked as %config. Easy fix.

--- openldap.spec       29 Aug 2011 13:54:06 -0000      1.114
+++ openldap.spec       16 Sep 2011 19:40:45 -0000
@@ -842,7 +842,7 @@
 %doc TOOLS.migration
 %doc $RPM_SOURCE_DIR/README.upgrading $RPM_SOURCE_DIR/guide.html
 %ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem
-%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/ldap
+%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/ldap
 %attr(0640,root,ldap) %config(noreplace) %{_sysconfdir}/openldap/slapd.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap
 %attr(0640,root,ldap) %{_sysconfdir}/openldap/DB_CONFIG.example

Comment 5 Jan Vcelak 2011-09-21 08:54:57 UTC
Resolved in openldap-2.3.43-23.el5

Comment 10 Jan Vcelak 2011-10-12 10:50:06 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- openldap-servers installed, manual modification of ldap initscript performed
- when the package is upgraded, ldap init script is not overwritten by the new version because the initscript is incorrectly marked as a configuration file
- updated specfile to reflect, that ldap initscript is not a configuration file
- upgrade of openldap-servers package will overwrite ldap initscript with a new version when there were some local modifications

Comment 12 errata-xmlrpc 2012-02-21 05:29:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0155.html


Note You need to log in before you can comment on or make changes to this bug.