Bug 35173

Summary: ldap-group-to-file may run multiple times
Product: UCS
Reporter: Janis Meybohm <meybohm>
Component: PAM
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: best, gohmann, markus.daehlmann, requate, schwardt
Version: UCS 4.3
Flags: best: Patch_Available+
Target Milestone: UCS 4.4-1-errata   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=51104
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2014102021000413, 2015090321000536, 2019062021000351
Bug group (optional):
Max CVSS v3 score:
Attachments: patch (git:fbest/35173-lock-ldap-group-to-file)

Description Janis Meybohm univentionstaff 2014-06-20 10:51:52 CEST
If ldap-group-to-file takes very long, it may be started multiple times by cron.

I think a second process should be prohibited.
Comment 1 Janis Meybohm univentionstaff 2014-10-20 16:00:44 CEST
Reported again via Ticket#2014102021000413
Comment 2 Janis Meybohm univentionstaff 2015-09-03 16:06:13 CEST
Reported again (for UCS 4): 2015090321000536
Comment 3 Florian Best univentionstaff 2017-06-28 14:52:50 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:17:31 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 6 Florian Best univentionstaff 2019-07-12 16:04:59 CEST
Created attachment 10119 [details]
patch (git:fbest/35173-lock-ldap-group-to-file)

Attached is a patch which adds a simple locking mechanism via a file in /var/run.

Reproducible via:
echo -en '#!/usr/bin/python\nimport time; time.sleep(1000)' > /var/lib/ldap-group-to-file-hooks.d/sleep.py
chmod +x /var/lib/ldap-group-to-file-hooks.d/sleep.py
Comment 7 Arvid Requate univentionstaff 2019-07-16 13:05:53 CEST
I'd put the _lock into the try/except to reduce the possibility of leaving a lock behind when the process gets killed at the wrong time.
Also, I'd use lockf (which we use in the listener, or instead flock) to avoid stale locks. See http://0pointer.de/blog/projects/locking.html though.
Comment 8 Florian Best univentionstaff 2019-07-16 13:09:52 CEST
Yes, thanks!
Comment 9 Florian Best univentionstaff 2019-07-17 12:22:24 CEST
The patch has been adjusted to use univention.lib.locking which uses fcntl.lockf().

univention-pam (12.0.2-2)
c5d171f66ca7 | Bug #35173: add locking for ldap-group-to-file

univention-pam.yaml
b55abe78e5cd | YAML Bug #35173
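Added illustration of the locking approach discussed in Comments 7 and 9 (my own code, not univention.lib.locking or the attached patch): a non-blocking fcntl.lockf() guard held inside try/finally, plus a forked probe showing that the lock exists only while the file is open, so a process that dies without cleanup leaves nothing stale. Function names are mine, and the demo uses a temporary lock file rather than /var/run/ldap-group-to-file.pid.

```python
import fcntl
import os
import tempfile


def acquire_lock(path):
    # Exclusive, non-blocking fcntl.lockf() lock that lives as long as the returned
    # file stays open.  The kernel drops it when the holder exits, however it dies.
    fh = open(path, "a+")
    try:
        fcntl.lockf(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except (IOError, OSError):  # another process holds the lock
        fh.close()
        return None
    fh.seek(0)
    fh.truncate()
    fh.write("%d\n" % os.getpid())  # pid is informational only, not the lock
    fh.flush()
    return fh


def locked_by_another_process(path):
    # fcntl locks belong to a process, so a second lockf() from the same process
    # would succeed; the probe therefore runs in a forked child.
    pid = os.fork()
    if pid == 0:
        os._exit(0 if acquire_lock(path) is not None else 1)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) != 0


def run_once(path, job):
    # Run `job()` only if no other instance is active; True if it ran.
    fh = acquire_lock(path)
    if fh is None:
        return False
    try:
        job()
    finally:
        fh.close()  # drops the lock; the file itself may stay behind harmlessly
    return True


def demo(path=None):
    # Constructed walkthrough: (locked while held, locked after release, job ran).
    path = path or os.path.join(tempfile.mkdtemp(), "ldap-group-to-file.pid")
    fh = acquire_lock(path)
    while_held = locked_by_another_process(path)
    fh.close()
    after_release = locked_by_another_process(path)
    return (while_held, after_release, run_once(path, lambda: None))
```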
Comment 10 Arvid Requate univentionstaff 2019-07-23 11:21:19 CEST
Verified:
* code review
* functional test  (lock file: /var/run/ldap-group-to-file.pid)
* advisory
Comment 11 Erik Damrose univentionstaff 2019-07-24 15:03:11 CEST
<http://errata.software-univention.de/ucs/4.4/191.html>