Description of problem:
On a recent update to RHEL 5.6, and installed openldap-servers-2.3.43-12.el5_6.5.i386, a new problem was created. The new init script now EXPECTS /tmp to be executable, which is very poor programming practice. In almost every 'harden your linux' guide in existence from CIS to Bastille, one of the recommendations is to mount /tmp with noexec. This is because not only is it handy for mr 'ldap init script writer', it is also one of the single most common places for worms and other nastiness to create self-executing stuff.

Version-Release number of selected component (if applicable):
openldap-servers-2.3.43-12.el5_6.5.i386

How reproducible:
Try to start up ldap (slapd) with /tmp mounted with noexec, and it will fail because it wants to create a temporary script and self-execute.

Steps to Reproduce:
1. mount /tmp with noexec
2. service ldap start
3. profit!

Actual results:

Expected results:
No one would be silly enough to create a script in /tmp and expect it to be executable. :)

Additional info:
There were no recent changes in the ldap initscript. And looking into the source, I cannot see the place where it might happen. And I do not manage to reproduce it either.

[root@rhel5 ~]# rpm -q openldap-servers
openldap-servers-2.3.43-12.el5_6.5
[root@rhel5 ~]# rpm -qV openldap-servers
S.5....T  c /etc/openldap/slapd.conf
[root@rhel5 ~]# service ldap status
slapd is stopped
[root@rhel5 ~]# mount | grep /tmp
/dev/null on /tmp type tmpfs (rw,noexec)
[root@rhel5 ~]# ll /tmp/script.sh
-rwxr-xr-x 1 root root 23 Sep 16 13:58 /tmp/script.sh
[root@rhel5 ~]# /tmp/script.sh
-bash: /tmp/script.sh: /bin/bash: bad interpreter: Permission denied
[root@rhel5 ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[root@rhel5 ~]# service ldap status
slapd (pid 3419) is running...
[root@rhel5 ~]# ps -ef | grep slapd
ldap      3419     1  0 14:08 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap
root      3435  2739  0 14:08 pts/0    00:00:00 grep slapd
[root@rhel5 ~]#

I need more information:
1.) what is the version of openldap you updated from?
2.) # rpm -qV openldap-servers
3.) # sh -x /etc/init.d/ldap start
You are totally correct. The offending lines in my init script on this box:

-------------------------------------------------------
        # Build a wrapper script to exec slapd with the right arguments, to
        # avoid being tripped out by changes or weirdness in how daemon()
        # handles quoted arguments.
        wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
        harg="ldap:///"
        if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
                harg="$harg ldaps:///"
        fi
        if test x$SLAPD_LDAPI = xyes ; then
                harg="$harg ldapi:///"
        fi
        if test -z "$wrapper" ; then
                return 1
        fi
        cat >> $wrapper <<- EOF
                exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
        EOF
        chmod u+x $wrapper
        trap "rm -f $wrapper" EXIT

        # Start daemons.
        echo -n $"Starting $prog: "
        daemon --check=$prog $wrapper
-------------------------------------------------------

Granted, this system was first installed in 2008. I am guessing this is a leftover from a previous version of openldap-servers. I did a "yum reinstall openldap-servers" and it did not replace the /etc/init.d/ldap script with the current one or create a .rpmnew/.rpmold file or anything like that. I am guessing this ldap init file is from a previous version of the rpm sometime in the RHEL5.x tree. However, I do think the openldap-servers package probably should be updating the initscript with its own version to handle this sort of thing and keep the init script in sync with the software.

Apologies to whoever manages the CURRENT init script.
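An added example, not code from the bug report or from the openldap package: a POSIX shell audit that reads a /proc/mounts-style table and reports whether a path such as the mktemp wrapper above sits on a filesystem mounted noexec, so a startup script can fail early with a clear message instead of the "bad interpreter: Permission denied" seen in the reproduction. The mount table and the /tmp/start-slapd path are constructed for the demo.

```shell
#!/bin/sh
# Constructed /proc/mounts sample (not from the report): /tmp is a tmpfs
# mounted noexec, as the CIS/Bastille hardening guides recommend.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
/dev/null /tmp tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda2 /var ext3 rw,relatime 0 0'

# sample_mounts_file: write the sample table to a temp file, print its path.
sample_mounts_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    printf '%s\n' "$f"
}

# mount_opts_for PATH [MOUNTS]: print the mount options of the deepest mount
# point containing PATH, read from MOUNTS (default: the live /proc/mounts).
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS]: exit 0 if PATH lives on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_wrapper_dir PATH [MOUNTS]: the check an init script should make before
# relying on chmod u+x of a temp file; refuses (exit 1) with a clear message.
check_wrapper_dir() {
    if is_noexec "$1" "$2"; then
        echo "$1 is on a noexec mount; run the wrapper via /bin/sh instead" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo against the constructed table.
mounts=$(sample_mounts_file)
check_wrapper_dir "${TMP:-/tmp}/start-slapd.XXXXXX" "$mounts" || true
check_wrapper_dir /var/run/slapd.pid "$mounts" && echo "/var/run is fine"
rm -f "$mounts"
```

Without the second argument the functions consult the real /proc/mounts, so `is_noexec /tmp` is a one-line pre-flight check for any script that still builds an executable wrapper there.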
FYI.. I went through the logs, this box was INSTALLED as a RHEL 5.1 and has been going strong all the way through now on RHEL 5.6. Not a bad service record, all things considered.
I see in the spec that the initscript is incorrectly marked as %config. Easy fix. --- openldap.spec 29 Aug 2011 13:54:06 -0000 1.114 +++ openldap.spec 16 Sep 2011 19:40:45 -0000 @@ -842,7 +842,7 @@ %doc TOOLS.migration %doc $RPM_SOURCE_DIR/README.upgrading $RPM_SOURCE_DIR/guide.html %ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem -%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/ldap +%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/ldap %attr(0640,root,ldap) %config(noreplace) %{_sysconfdir}/openldap/slapd.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap %attr(0640,root,ldap) %{_sysconfdir}/openldap/DB_CONFIG.example
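Review bot: dropping %config from the %{_sysconfdir}/rc.d/init.d/ldap line means the next upgrade silently overwrites any locally edited initscript, with no .rpmsave left behind; that is the intended cure for the stale 2008-era script described above, but it should be called out in the erratum text so admins who patched the script by hand know to move their settings into the adjacent %config(noreplace) files (/etc/sysconfig/ldap for SLAPD_LDAPS, SLAPD_LDAPI and SLAPD_OPTIONS, slapd.conf for the rest), which the hunk correctly leaves as noreplace.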
Resolved in openldap-2.3.43-23.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- openldap-servers installed, manual modification of ldap initscript performed
- when the package is upgraded, ldap init script is not overwritten by the new version because the initscript is incorrectly marked as a configuration file
- updated specfile to reflect that ldap initscript is not a configuration file
- upgrade of openldap-servers package will overwrite ldap initscript with a new version even when there were some local modifications
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0155.html