Univention Bugzilla – Bug 43409
drop_privileges() after import of python handler
Last modified: 2019-01-03 07:19:35 CET
We should drop the "root" privileges after the import of the handler modules.
/usr/lib/univention-directory-listener/system/keytab.py calls "listener.setuid(0)" during the import. Now the listener runs as root until the first handler_exec.
I will create another bug for fixing keytab.py nevertheless we should also change the listener.
As some other listener handler have clean/initialize functions with a unsetuid call, this happens only in special setups (e.g. in app box docker container).
To reproduce this on a master system remove all handlers expect keytab.py and well-known-sid-name-mapping.py.
-> mv /usr/lib/univention-directory-listener/system/*.py /opt/
-> mv /opt/keytab.py .
-> mv /opt/well-known-sid-name-mapping.py .
univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, 'my euid: %s' % os.geteuid())
to the well-known-sid-name-mapping.py handler function.
-> /etc/init.d/univention-directory-listener stop
-> rm /var/lib/univention-directory-listener/handlers/well-known-sid-name-mapping
-> /usr/sbin/univention-directory-listener -F -d 3 -b "$(ucr get ldap/base)" -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -ZZ -x -D cn=admin,dc=four,dc=test -y /etc/ldap.secret
24.01.17 03:57:05.113 LISTENER ( ERROR ) : my euid: 0
24.01.17 03:57:05.114 LISTENER ( ERROR ) : my euid: 102
24.01.17 03:57:05.115 LISTENER ( ERROR ) : my euid: 102
The call-chains is something like this:
So yes, another drop_priviledges() should be added.
Please note that this might break some existing listener modules which are called after keytab[-member].py were imported and used the thus already gained seteuid() privileges. It's a bug in those modules and should be fixed there.
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.
Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.
If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.