Bug 43409 – drop_privileges() after import of python handler

Bug 43409 - drop_privileges() after import of python handler


Summary:	drop_privileges() after import of python handler

Status:	RESOLVED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	Listener (univention-directory-listener)
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:	43399
	Show dependency tree / graph

Reported:	2017-01-24 16:01 CET by Felix Botner
Modified:	2019-01-03 07:19 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2017-01-24 16:01:23 CET

We should drop the "root" privileges after the import of the handler modules.

Problem:
/usr/lib/univention-directory-listener/system/keytab.py calls "listener.setuid(0)" during the import. Now the listener runs as root until the first handler_exec.

I will create another bug for fixing keytab.py nevertheless we should also change the listener.

As some other listener handler have clean/initialize functions with a unsetuid call, this happens only in special setups (e.g. in app box docker container).
To reproduce this on a master system remove all handlers expect keytab.py and well-known-sid-name-mapping.py.

-> mv /usr/lib/univention-directory-listener/system/*.py /opt/
-> mv /opt/keytab.py .
-> mv /opt/well-known-sid-name-mapping.py .

Add 

univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'my euid: %s' % os.geteuid())

to the well-known-sid-name-mapping.py handler function.

-> /etc/init.d/univention-directory-listener stop
-> rm /var/lib/univention-directory-listener/handlers/well-known-sid-name-mapping 
-> /usr/sbin/univention-directory-listener -F -d 3 -b "$(ucr get ldap/base)" -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -ZZ -x -D cn=admin,dc=four,dc=test -y /etc/ldap.secret

24.01.17 03:57:05.113  LISTENER    ( ERROR   ) : my euid: 0
...
24.01.17 03:57:05.114  LISTENER    ( ERROR   ) : my euid: 102
...
24.01.17 03:57:05.115  LISTENER    ( ERROR   ) : my euid: 102

Comment 1 Philipp Hahn

2017-02-03 14:19:07 CET

The call-chains is something like this:

main()
  drop_privileges()
    seteuid()
  handlers_init()
    handlers_load_all_paths()
      handlers_load_path()
        handler_import()
          module_import()

So yes, another drop_priviledges() should be added.
Please note that this might break some existing listener modules which are called after keytab[-member].py were imported and used the thus already gained seteuid() privileges. It's a bug in those modules and should be fixed there.

Comment 2 Stefan Gohmann

2019-01-03 07:19:35 CET

This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.