Bug 35173 - ldap-group-to-file may run multiple times
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Florian Best
QA Contact: Arvid Requate
Depends on:
Blocks:
Reported: 2014-06-20 10:51 CEST by Janis Meybohm
Modified: 2020-04-14 18:09 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2014102021000413, 2015090321000536, 2019062021000351
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (git:fbest/35173-lock-ldap-group-to-file) (4.13 KB, patch)
2019-07-12 16:04 CEST, Florian Best

Description Janis Meybohm univentionstaff 2014-06-20 10:51:52 CEST
If ldap-group-to-file takes very long, it may be started multiple times by cron.

I think a second process should be prohibited.
Comment 1 Janis Meybohm univentionstaff 2014-10-20 16:00:44 CEST
Reported again via Ticket#2014102021000413
Comment 2 Janis Meybohm univentionstaff 2015-09-03 16:06:13 CEST
Reported again (for UCS 4): 2015090321000536
Comment 3 Florian Best univentionstaff 2017-06-28 14:52:50 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:17:31 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 6 Florian Best univentionstaff 2019-07-12 16:04:59 CEST
Created attachment 10119 [details]
patch (git:fbest/35173-lock-ldap-group-to-file)

Attached is a patch which adds a simple locking mechanism via a file in /var/run.

Reproducible via:
echo -en '#!/usr/bin/python\nimport time; time.sleep(1000)' > /var/lib/ldap-group-to-file-hooks.d/sleep.py
chmod +x /var/lib/ldap-group-to-file-hooks.d/sleep.py
Comment 7 Arvid Requate univentionstaff 2019-07-16 13:05:53 CEST
I'd put the _lock into the try/except to reduce the possibility of leaving a lock behind when the process gets killed at the wrong time.
Also, I'd use lockf (which we use in the listener, or instead flock) to avoid stale locks. See http://0pointer.de/blog/projects/locking.html though.
Comment 8 Florian Best univentionstaff 2019-07-16 13:09:52 CEST
Yes, thanks!
Comment 9 Florian Best univentionstaff 2019-07-17 12:22:24 CEST
The patch has been adjusted to use univention.lib.locking which uses fcntl.lockf().

univention-pam (12.0.2-2)
c5d171f66ca7 | Bug #35173: add locking for ldap-group-to-file

univention-pam.yaml
b55abe78e5cd | YAML Bug #35173
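
Added example (not the attached patch and not univention.lib.locking): a sketch of the fcntl.lockf() approach discussed in comments 7 and 9, showing that an overlapping run is refused and that a holder killed with SIGKILL leaves the PID file behind but no stale lock. The function names and the temporary lock path are assumptions made for this illustration.

```python
import errno, fcntl, os, signal, tempfile

def acquire_lock(path):
    """Return an fd holding an exclusive lockf() lock, or None if another process holds it."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        os.close(fd)
        if exc.errno in (errno.EACCES, errno.EAGAIN):
            return None  # a previous run is still active
        raise
    os.ftruncate(fd, 0)
    os.write(fd, b"%d\n" % os.getpid())  # informational only; the kernel lock decides
    return fd  # keep open for the whole run: closing any fd to the file drops the lock

def child_gets_lock(path):
    """Fork a second 'cron run' and report whether it obtained the lock."""
    pid = os.fork()
    if pid == 0:
        code = 2
        try:
            code = 0 if acquire_lock(path) is not None else 1
        finally:
            os._exit(code)
    return os.WEXITSTATUS(os.waitpid(pid, 0)[1]) == 0

def demo():
    # Constructed temporary path standing in for the lock file under /var/run.
    path = os.path.join(tempfile.mkdtemp(), "ldap-group-to-file.pid")
    out = {}
    fd = acquire_lock(path)
    out["first_run"] = fd is not None
    out["overlapping_run"] = child_gets_lock(path)
    os.close(fd)  # first run finished; its lock is released
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # a run that will be killed while holding the lock
        try:
            acquire_lock(path)
            os.write(w, b"1")
            signal.pause()
        finally:
            os._exit(0)
    os.close(w)
    os.read(r, 1)  # wait until the child holds the lock
    out["while_holder_alive"] = child_gets_lock(path)
    os.kill(pid, signal.SIGKILL)
    os.waitpid(pid, 0)
    out["pid_file_left_behind"] = os.path.exists(path)
    out["after_kill"] = child_gets_lock(path)
    return out

if __name__ == "__main__":
    print(demo())
```

The checks fork real child processes because POSIX record locks belong to the process, so a second acquire_lock() call inside the same process would succeed and prove nothing.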
Comment 10 Arvid Requate univentionstaff 2019-07-23 11:21:19 CEST
Verified:
* code review
* functional test (lock file: /var/run/ldap-group-to-file.pid)
* advisory
Comment 11 Erik Damrose univentionstaff 2019-07-24 15:03:11 CEST
<http://errata.software-univention.de/ucs/4.4/191.html>