Bug 772043 - Adding a netgroup with a "+" in the name that overlaps hostgroup causes crash
Summary: Adding a netgroup with a "+" in the name that overlaps hostgroup causes crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 770952
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-05 18:13 UTC by Dmitri Pal
Modified: 2013-05-21 12:32 UTC (History)
6 users (show)

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: IPA netgroup plugin does not validate netgroup names. Consequence: A netgroup with invalid name can be stored in LDAP server which may then crash when the invalid value is processed by NIS plugin. Fix: IPA netgroup plugin enforces stricter validation for netgroup names. Result: User cannot accidentally enter invalid netgroup and thus cause an LDAP server to crash because of NIS plugin processing.
Clone Of: 770952
Environment:
Last Closed: 2012-06-20 13:28:40 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Dmitri Pal 2012-01-05 18:13:24 UTC
+++ This bug was initially created as a clone of Bug #770952 +++

Description of problem:

When you create an NIS netgroup named +(hostgroup), 389 crashes and then crashes on startup (last log item is a note about database recovery).

Version-Release number of selected component (if applicable):

2.1.4-3.fc16.x86_64 (from updates-testing as of 2011-12-29)

How reproducible:

Haven't tried on a test setup, consistently crashed, however.

Steps to Reproduce:
1. Create a hostgroup "buildserv"
2. Add a server to it
3. Create a sudo command-group "software-install" that mirrors the standard SOFTWARE cmnd_alias.
4. Create a sudo rule "developers_buildserv" which allows members of the "developers" group to run softare on the host named "+buildserv"
5. Create an NIS netgroup "+buildserv"

Actual results:

389 crashes, crashes again when restarting.

Expected results:

The server refuses to create +buildserv, lets you know you're doing something dumb.

Additional info:

The corrective action was:

1. Use db2ldif to dump the database to LDIF
2. Manually edit the dump to rename the "buildserv" netgroup
3. Re-import with ldif2db
4. Delete the host group
5. Delete the netgroup
6. Re-add the host group.

Comment 1 Dmitri Pal 2012-01-05 18:14:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2221

Comment 3 Rob Crittenden 2012-02-27 22:17:23 UTC
Allowed characters are a-z, 0-9, -, _ and .

Also restricting hostgroup names with same list.

Fixed upstream

master: 7d7322de2eb0de61ea917d03662452d3efa4c834

ipa-2-2: 85462d063453f8614b63eddbba568fed034b0037

Comment 5 Scott Poore 2012-03-16 21:35:05 UTC
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv > /netgroup_bz_772043.29569.out 2>&1'
:: [   PASS   ] :: BZ 772043 not found...fix is in place for ipa command
:: [   PASS   ] :: Running 'ipactl status > /netgroup_bz_772043.29569.out 2>&1'
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash

Manual Test Results ::

[root@hp-xw6600-01 ipa-netgroup-cli]# ipa-compat-manage status
Directory Manager password: 

Plugin Enabled

[root@hp-xw6600-01 ipa-netgroup-cli]# ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv
ipa: ERROR: invalid 'name': may only include letters, numbers, _, -, and .

[root@hp-xw6600-01 ipa-netgroup-cli]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Comment 6 Martin Kosek 2012-04-19 19:43:56 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: IPA netgroup plugin does not validate netgroup names.
Consequence: A netgroup with invalid name can be stored in LDAP server which may then crash when the invalid value is processed by NIS plugin.
Fix: IPA netgroup plugin enforces stricter validation for netgroup names.
Result: User cannot accidentally enter invalid netgroup and thus cause an LDAP server to crash because of NIS plugin processing.

Comment 9 errata-xmlrpc 2012-06-20 13:28:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.