Univention Bugzilla – Full Text Bug Listing

| Summary: | ldap-group-to-file may run multiple times | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
| Component: | PAM | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, gohmann, markus.daehlmann, requate, schwardt |
| Version: | UCS 4.3 | Flags: | best: Patch_Available+ |
| Target Milestone: | UCS 4.4-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=51104 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
| User Pain: | 0.086 | Enterprise Customer affected?: | Yes |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2014102021000413, 2015090321000536, 2019062021000351 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Attachments: | patch (git:fbest/35173-lock-ldap-group-to-file) | | |
Description
Janis Meybohm
2014-06-20 10:51:52 CEST
Reported again via Ticket#2014102021000413

Reported again (for UCS 4): 2015090321000536

There is a Customer ID set so I set the flag "Enterprise Customer affected".

This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.

Created attachment 10119
patch (git:fbest/35173-lock-ldap-group-to-file)
Attached is a patch which adds a simple locking mechanism via a file in /var/run.
Reproducible via:
echo -en '#!/usr/bin/python\nimport time; time.sleep(1000)' > /var/lib/ldap-group-to-file-hooks.d/sleep.py
chmod +x /var/lib/ldap-group-to-file-hooks.d/sleep.py
I'd put the _lock into the try/except to reduce the possibility of leaving a lock behind when the process gets killed at the wrong time. Also, I'd use lockf (which we use in the listener, or instead flock) to avoid stale locks. See http://0pointer.de/blog/projects/locking.html though.

Yes, thanks! The patch has been adjusted to use univention.lib.locking which uses fcntl.lockf().

univention-pam (12.0.2-2)
c5d171f66ca7 | Bug #35173: add locking for ldap-group-to-file

univention-pam.yaml
b55abe78e5cd | YAML Bug #35173

Verified:
* code review
* functional test (lock file: /var/run/ldap-group-to-file.pid)
* advisory
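
Why the review above asks for lockf/flock instead of a bare lock file, as an added example (not the attached patch and not the code of univention.lib.locking): it calls Python's fcntl.lockf() directly, and single_instance, try_lock, demo and the path passed in are hypothetical names. A forked child stands in for a run blocked in a hanging hook, as with the sleep.py reproducer, and is killed without any chance to clean up.

```python
import fcntl
import os
import signal
from contextlib import contextmanager

class AlreadyRunning(Exception):
    """Another process currently holds the lock."""

@contextmanager
def single_instance(path):
    # No O_TRUNC: opening must not wipe the PID written by a live holder.
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        try:
            fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except (BlockingIOError, PermissionError) as exc:  # EAGAIN / EACCES
            raise AlreadyRunning(path) from exc
        os.ftruncate(fd, 0)
        os.write(fd, b"%d\n" % os.getpid())  # informational only
        yield
    finally:
        # close() releases the lock; the kernel does the same when the
        # process dies, so a file left on disk never blocks the next run.
        os.close(fd)

def try_lock(path):
    try:
        with single_instance(path):
            return True
    except AlreadyRunning:
        return False

def demo(path):
    """Return (blocked_while_held, free_after_kill, file_left_behind)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: stands in for a run stuck in a hanging hook
        try:
            with single_instance(path):
                os.write(w, b"x")
                signal.pause()
        finally:
            os._exit(1)
    os.close(w)
    os.read(r, 1)  # wait until the child holds the lock
    os.close(r)
    blocked = not try_lock(path)
    os.kill(pid, signal.SIGKILL)  # child gets no chance to clean up
    os.waitpid(pid, 0)
    return blocked, try_lock(path), os.path.exists(path)
```

Calling demo() on a scratch path returns (True, True, True): the second run is refused while the first is alive, and the lock is free again after SIGKILL even though the file is still on disk. A lock that is only the existence of a file would keep refusing runs in that last state.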