Bug 43409 - drop_privileges() after import of python handler
drop_privileges() after import of python handler
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Listener (univention-directory-listener)
UCS 4.1
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks: 43399
  Show dependency treegraph
 
Reported: 2017-01-24 16:01 CET by Felix Botner
Modified: 2019-01-03 07:19 CET (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2017-01-24 16:01:23 CET
We should drop the "root" privileges after the import of the handler modules.

Problem:
/usr/lib/univention-directory-listener/system/keytab.py calls "listener.setuid(0)" during the import. Now the listener runs as root until the first handler_exec.

I will create another bug for fixing keytab.py nevertheless we should also change the listener.

As some other listener handler have clean/initialize functions with a unsetuid call, this happens only in special setups (e.g. in app box docker container).
To reproduce this on a master system remove all handlers expect keytab.py and well-known-sid-name-mapping.py.

-> mv /usr/lib/univention-directory-listener/system/*.py /opt/
-> mv /opt/keytab.py .
-> mv /opt/well-known-sid-name-mapping.py .

Add 

univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'my euid: %s' % os.geteuid())

to the well-known-sid-name-mapping.py handler function.

-> /etc/init.d/univention-directory-listener stop
-> rm /var/lib/univention-directory-listener/handlers/well-known-sid-name-mapping 
-> /usr/sbin/univention-directory-listener -F -d 3 -b "$(ucr get ldap/base)" -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -ZZ -x -D cn=admin,dc=four,dc=test -y /etc/ldap.secret

24.01.17 03:57:05.113  LISTENER    ( ERROR   ) : my euid: 0
...
24.01.17 03:57:05.114  LISTENER    ( ERROR   ) : my euid: 102
...
24.01.17 03:57:05.115  LISTENER    ( ERROR   ) : my euid: 102
Comment 1 Philipp Hahn univentionstaff 2017-02-03 14:19:07 CET
The call-chains is something like this:

main()
  drop_privileges()
    seteuid()
  handlers_init()
    handlers_load_all_paths()
      handlers_load_path()
        handler_import()
          module_import()

So yes, another drop_priviledges() should be added.
Please note that this might break some existing listener modules which are called after keytab[-member].py were imported and used the thus already gained seteuid() privileges. It's a bug in those modules and should be fixed there.
Comment 2 Stefan Gohmann univentionstaff 2019-01-03 07:19:35 CET
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.