From 45f722d160a9890f517b19e97baac6f803385ba5 Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Sep 24 2009 11:30:24 +0000
Subject: - new configuration schema - directory instead of file - fixed buffer overflow issue pointed out by new glibc - fixed behaviour during installation / upgrade caused by renamed init script
---
diff --git a/ldap.init b/ldap.init
index 3354f0f..99be9dc 100644
--- a/ldap.init
+++ b/ldap.init
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# ldap This shell script takes care of starting and stopping
+# slapd This shell script takes care of starting and stopping
 # ldap servers (slapd).
 #
 # chkconfig: - 27 73
@@ -42,7 +42,7 @@ fi
 slapd=/usr/sbin/slapd
 slaptest=/usr/sbin/slaptest
 lockfile=/var/lock/subsys/slapd
-configfile=/etc/openldap/slapd.conf
+configdir=/etc/openldap/slapd.d/
 pidfile=/var/run/slapd.pid
 slapd_pidfile=/var/run/openldap/slapd.pid
@@ -104,14 +104,19 @@ function checkkeytab() {
 function configtest() {
 local user= ldapuid= dbdir= file=
- [ -f $configfile ] || exit 6
+ [ -d $configdir ] || exit 6
 # Check for simple-but-common errors.
 user=ldap
 prog=`basename ${slapd}`
 ldapuid=`id -u $user`
 # Unaccessible database files.
 slaptestflags=""
- for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | sed s,^directory,,` ; do
+ dbdirs=""
+ for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
+ dbdirs=$dbdirs"
+ "`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
+ done
+ for dbdir in $dbdirs; do
 for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
 echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 done
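Review bot: The new loop in configtest enumerates the olcDatabase files by parsing `ls -1` output and then word-splits the collected `$dbdirs`, so a database directory containing whitespace is split into several bogus paths, and an unmatched glob makes `ls` print an error instead of yielding nothing. The egrep pattern only matches the `olcDbDirectory: value` form; if slapd stored a value base64-encoded (`olcDbDirectory:: …`, which LDIF uses for values with leading spaces or non-ASCII bytes) that directory is silently skipped and its ownership never checked. Iterate the glob directly, `for configfile in "$configdir"/cn=config/olcDatabase*; do` with `[ -f "$configfile" ] || continue` as the first statement, and quote `"${dbdir}"` in the find call; supporting the `::` form would need a decoding step, which is worth at least a comment on the loop. The enclosing configtest function continues outside the hunk.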
@@ -129,7 +134,7 @@ function configtest() {
 echo -n $"$file is not readable by \"$user\"" ; warning ; echo
 fi
 # Unaccessible TLS configuration files.
- tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' $configfile | awk '{print $2}'`
+ tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
 for file in $tlsconfigs ; do
 if ! testasuser $user -r $file ; then
 echo -n $"$file is not readable by \"$user\"" ; warning ; echo
@@ -151,8 +156,8 @@ function configtest() {
 echo -n $"Checking configuration files for $prog: " ; failure ; echo
 echo "$slaptestout"
 if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
- dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
- for directory in $dirs ; do
+ #dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
+ for directory in $dbdirs ; do
 if test -r $directory/__db.001 ; then
 echo -n $"stale lock files may be present in $directory" ; warning ; echo
 fi
diff --git a/openldap-2.4.18-ldif-buf-overflow.patch b/openldap-2.4.18-ldif-buf-overflow.patch
new file mode 100644
index 0000000..5fba60d
--- /dev/null
+++ b/openldap-2.4.18-ldif-buf-overflow.patch
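Review bot: The old `dirs=` assignment in the -151 hunk is kept as a commented-out line rather than deleted, and `for directory in $dbdirs ; do` now depends on `dbdirs` having been filled by the olcDatabase loop earlier in configtest, which is outside this hunk. Drop the dead line and make the dependency visible with a comment on the loop, `# $dbdirs was collected from the olcDbDirectory attributes above`. The same word-splitting caveat for directories with whitespace applies to the unquoted `$directory/__db.001` test here. The enclosing configtest function starts and ends outside the hunk.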
@@ -0,0 +1,26 @@
+--- openldap-2.4.18/servers/slapd/back-ldif/ldif.c.orig 2009-09-24 09:46:01.000000000 +0200
++++ openldap-2.4.18/servers/slapd/back-ldif/ldif.c 2009-09-24 12:41:09.000000000 +0200
+@@ -593,9 +593,12 @@ typedef struct bvlist {
+ char *trunc; /* filename was truncated here */
+ int inum; /* num from "attr={num}" in filename, or INT_MIN */
+ char savech; /* original char at *trunc */
+- char fname; /* variable length array BVL_NAME(bvl) = &fname */
+-# define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
+-# define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
++ char *fname; /* variable length array BVL_NAME(bvl) = &fname */
++ //char fname; /* variable length array BVL_NAME(bvl) = &fname */
++# define BVL_NAME(bvl) ((bvl)->fname)
++# define BVL_SIZE(namelen) (sizeof(bvlist))
++//# define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
++//# define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+ } bvlist;
+ 
+ static int
+@@ -710,6 +713,7 @@ ldif_readdir(
+ *fname_maxlenp = fname_len;
+ 
+ bvl = SLAP_MALLOC( BVL_SIZE( fname_len ) );
++ bvl->fname = SLAP_MALLOC( fname_len+1 );
+ if ( bvl == NULL ) {
+ rc = LDAP_OTHER;
+ save_errno = errno;
diff --git a/openldap.spec b/openldap.spec
index b74f5bd..b2410ef 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -11,7 +11,7 @@ Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.16-doc-cacertdir.patch
+Patch12: openldap-2.4.18-ldif-buf-overflow.patch
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
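Review bot: In the ldif_readdir hunk of the new patch, the added `bvl->fname = SLAP_MALLOC( fname_len+1 );` is placed before `if ( bvl == NULL )`, so when the first allocation fails the new line dereferences a NULL pointer instead of reaching the LDAP_OTHER exit, and the second allocation's own result is never checked. Turning `fname` into a separately allocated string also means that whatever frees a bvlist must now free `fname` as well; that code is not part of this patch, so unless it was adjusted elsewhere one string per directory entry is presumably leaked. The commented-out `//char fname;` and `//# define` lines merely repeat the removed lines and should be deleted rather than kept as dead text. ldif_readdir's body, including the rest of the error exit, continues outside the hunk.
```c
	bvl = SLAP_MALLOC( BVL_SIZE( fname_len ) );
	/* … unchanged: if ( bvl == NULL ) error exit … */
	bvl->fname = SLAP_MALLOC( fname_len+1 );
	if ( bvl->fname == NULL ) {
		rc = LDAP_OTHER;
		save_errno = errno;
		SLAP_FREE( bvl );
		/* … take the same error exit as the bvl == NULL block … */
	}
```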
@@ -141,6 +142,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p1 -b .multilib
 %patch11 -p1 -b .cacertdir
+%patch12 -p1 -b .malloc
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -425,6 +427,14 @@ if [ "$1" = "2" ]; then
 OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' )
 NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' )
+ # we need to detect how is the init script named
+ # - in older versions ldap
+ # - in newer versions slapd
+ if [ -f %{_initrddir}/ldap ]; then
+ SERVICE_NAME=ldap
+ elif [ -f %{_initrddir}/slapd ]; then
+ SERVICE_NAME=slapd
+ fi
 if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then
 # Minor version number has changed -> slapcat/slapadd of the BDB database
@@ -433,9 +443,9 @@ if [ "$1" = "2" ]; then
 # directory - Just In Case (TM)
 # stop the server
- if /sbin/service ldap status &>/dev/null; then
+ if /sbin/service $SERVICE_NAME status &>/dev/null; then
 touch /var/lib/ldap/need_start
- /sbin/service ldap stop &>/dev/null
+ /sbin/service $SERVICE_NAME stop &>/dev/null
 fi
 files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock})
@@ -456,9 +466,9 @@ if [ "$1" = "2" ]; then
 # Minor version number of bdb has changed -> run db_upgrade in % post script
 # stop the server
- if /sbin/service ldap status &>/dev/null; then
+ if /sbin/service $SERVICE_NAME status &>/dev/null; then
 touch /var/lib/ldap/need_start
- /sbin/service ldap stop &>/dev/null
+ /sbin/service $SERVICE_NAME stop &>/dev/null
 fi
 # Ensure, that the database is correct
@@ -472,7 +482,7 @@ exit 0
 %post servers
 /sbin/ldconfig
-/sbin/chkconfig --add ldap
+/sbin/chkconfig --add slapd
 # If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it.
 # It was created by the % pre above.
 if [ -f /var/lib/ldap/upgrade.ldif ] ; then
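Review bot: In the -425 hunk `SERVICE_NAME` stays unset when neither `%{_initrddir}/ldap` nor `%{_initrddir}/slapd` exists, and the `/sbin/service $SERVICE_NAME status` calls in the -433 and -456 hunks then run with an empty service name, so a running server is not detected and not stopped before the database is dumped or upgraded. Give the detection a fallback, `else SERVICE_NAME=slapd` before the `fi`, or guard the later calls with `[ -n "$SERVICE_NAME" ]`, and quote the expansion as `"$SERVICE_NAME"`. The surrounding `if [ "$1" = "2" ]` scriptlet block starts and ends outside the hunk.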
@@ -505,11 +515,34 @@ chmod 640 slapd.pem
 popd
 fi
+if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
+ # if there is no slapd.conf, we probably already have new configuration in place
+ mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
+ mkdir -p %{_sysconfdir}/openldap/slapd.d/
+ lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
+ lines=$(($lines-1))
+ head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
+ cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
+database config
+rootdn "cn=admin,cn=config"
+#rootpw secret
+EOF
+ lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "`
+ lines_r=$(($lines_r-$lines))
+ tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
+ slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
+ chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d
+ chmod -R 000 %{_sysconfdir}/openldap/slapd.d
+ chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
+ rm -f %{_sysconfdir}/openldap/slapd.conf
+fi
+
+
 if [ $1 -ge 1 ] ; then
- /sbin/service ldap condrestart &>/dev/null
- /sbin/service ldap status &>/dev/null
+ /sbin/service slapd condrestart &>/dev/null
+ /sbin/service slapd status &>/dev/null
 if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then
- /sbin/service ldap start &>/dev/null
+ /sbin/service slapd start &>/dev/null
 rm -f /var/lib/ldap/need_start &>/dev/null
 fi
 fi
@@ -518,8 +551,8 @@ exit 0
 %preun servers
 if [ "$1" = "0" ] ; then
- /sbin/service ldap stop > /dev/null 2>&1 || :
- /sbin/chkconfig --del ldap
+ /sbin/service slapd stop > /dev/null 2>&1 || :
+ /sbin/chkconfig --del slapd
 # Openldap-servers are being removed from system.
 # Do not touch the database! Older versions of this
 # package attempted to store database in LDIF format, so
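Review bot: The `slaptest -f … -F …` conversion in the -505 hunk discards its exit status (both streams go to /dev/null), yet the `chown`/`chmod` and the final `rm -f %{_sysconfdir}/openldap/slapd.conf` run unconditionally, so a slapd.conf that slaptest rejects leaves the host with neither a usable slapd.conf nor a populated slapd.d, and the condrestart a few lines below then fails silently. Branch on slaptest's result and put the original back when the conversion fails, as sketched below. The `lines=` arithmetic also misbehaves when the file has no `database`/`backend` line (`lines` becomes -1 and `head -n -1` emits everything but the last line), which is unlikely for a real slapd.conf but worth a comment on that line. Note that slapd.conf.bak keeps any rootpw in cleartext with the original file's mode, so that mode should be verified as restrictive rather than assumed.
```shell
	if slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2>&1; then
		# … unchanged: chown / chmod of slapd.d …
		rm -f %{_sysconfdir}/openldap/slapd.conf
	else
		# conversion failed: restore the original so the admin can fix and rerun it
		mv -f %{_sysconfdir}/openldap/slapd.conf.bak %{_sysconfdir}/openldap/slapd.conf
	fi
```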
@@ -606,6 +639,12 @@ fi
 %attr(0644,root,root) %{evolution_connector_libdir}/*.a
 %changelog
+* Tue Sep 22 2009 Jan Zeleny 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+ is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
 * Fri Sep 18 2009 Jan Zeleny 2.4.18-1
 - rebase of openldap to 2.4.18
@@ -614,6 +653,7 @@ fi
 * Wed Sep 16 2009 Jan Zeleny 2.4.16-6
 - updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd
 * Thu Aug 27 2009 Tomas Mraz - 2.4.16-5
 - rebuilt with new openssl