Your message dated Sun, 19 Oct 2014 22:19:56 +0000
with message-id <e1xfypq-0005i0...@franck.debian.org>
and subject line Bug#723957: fixed in openldap 2.4.40-1
has caused the Debian Bug report #723957,
regarding slapd: commented olcDbDirectory config line causes unusable system 
and potential data loss on upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
723957: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slapd
Version: 2.4.31-1+nmu2
Severity: critical
Justification: breaks the whole system

Additional Justification details:
- Breaks whole system: slapd is used to provide accounts -> no user
accounts available -> system unusable.
- Data loss: database is physically on disk, but inaccessible due to
upgraded software, slapd, slapcat, slapadd cannot use it.

The get_directory method used in several maint scripts contains a bug
that causes it to return multiple lines of output if a commented
olcDbDirectory line also exists in the configuration file. The callers
of get_directory use filesystem existence checks on the output of
get_directory to determine whether to actually backup the database,
and silently continue without backing up when multiple lines of output
are returned.

Exact failure mode:
1) Begin upgrade
2) 2.4.23-7.3 prerm script doesn't perform any backups (as expected)
3) 2.4.31-1+nmu2 preinst attempts to backup, but silently skips
backups due to above bug
4) 2.4.31-1+nmu2 is unpacked (database now inaccessible due to format mismatch)
5) 2.4.31-1+nmu2 postinst attempts to move old db directory (skips
move silently due to same bug as above)
6) 2.4.31-1+nmu2 postinst attempts to import ldif backup (fails as no
ldif backup exists)
7) dpkg exits with error, slapd is unusable and not easily
recoverable, system unusable.

Output from step 3 and 4:
 Preparing to replace slapd 2.4.23-7.3 (using .../slapd_2.4.31-1+nmu2_i386.deb) ...
 Stopping OpenLDAP: slapd.
   Dumping to /var/backups/slapd-2.4.23-7.3:
 Unpacking replacement slapd ...

Note that the expected output from line 178 of the preinst is not printed
after the "Dumping... " line; this is because the check on line 176 of
the preinst script returns false when presented with multi-line input
in the $dbdir variable.

Output from steps 5, 6 and 7:
   Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.23-7.3... done.
   Moving old database directories to /var/backups:
   Loading from /var/backups/slapd-2.4.23-7.3:
   - directory dc=katalinabrown,dc=co,dc=nz... failed.

 Loading the database from the LDIF dump failed with the following
 error while running slapadd:
     /var/backups/slapd-2.4.23-7.3/dc=katalinabrown,dc=co,dc=nz.ldif: No such file or directory
 dpkg: error processing slapd (--configure):
  subprocess installed post-installation script returned error exit status 1

 Errors were encountered while processing:
  slapd
 E: Sub-process /usr/bin/dpkg returned an error code (1)

Again, the expected per-suffix line is missing after the "Moving..."
line, due to the check on line 384 of postinst returning false when
presented with multi-line input in the $databasedir variable.

I believe the bug is found on line 293 of preinst and postinst:

grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g'

The first grep is not anchored, so if a file contains content like:
 olcDbDirectory: "/var/lib/ldap"
 #olcDbDirectory: "/var/lib/ldap"

both paths are returned, and the subsequent checks of the return value
cause the failures described above.

The following patch (anchoring the match to start of line) would be a
minimal fix for this critical issue, but a more proper fix
would be for the preinst to bail out if it is unable to actually
backup a database that it knows to exist from the config!

--- slapd.preinst.orig  2013-09-21 16:59:18.000000000 +0100
+++ slapd.preinst       2013-09-21 16:58:25.000000000 +0100
@@ -290,7 +290,7 @@
 get_directory() {                                                      # {{{
 # Returns the db directory for a given suffix
        if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
-               grep "olcDbDirectory:" `grep -l "olcSuffix: $1"
${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^
*//g'
+               grep "^olcDbDirectory:" `grep -l "olcSuffix: $1"
${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^
*//g'
        elif [ -f "${SLAPD_CONF}" ]; then
                # Extract the directory for the given suffix ($1)
                for f in `get_all_slapd_conf_files`; do
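
Review bot: the inner grep -l "olcSuffix: $1" on the changed line is still unanchored and uses $1 as a regular expression, so a commented "#olcSuffix:" line, or a suffix that is a prefix of another, can still select more than one olcDatabase*.ldif file. Once several files are passed to the outer grep, each match is prefixed with its file name and "cut -d: -f 2" no longer returns the path, so the callers' directory checks fail the same silent way. Consider anchoring that pattern too ("^olcSuffix: ") and making get_directory return non-zero unless it produced exactly one line, so preinst and postinst can stop instead of skipping the backup.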

The same fix would need to be made in postinst, and wherever else this
command is used.

Luckily, I'm testing this upgrade on my dev system... :)


-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser            3.113+nmu3            add and remove users and groups
ii  coreutils          8.13-3.5              GNU core utilities
ii  debconf [debconf-2 1.5.49                Debian configuration management sy
ii  libc6              2.13-38               Embedded GNU C Library: Shared lib
ii  libdb5.1           5.1.29-5              Berkeley v5.1 Database Libraries [
ii  libgcrypt11        1.5.0-5+deb7u1        LGPL Crypto library - runtime libr
ii  libgnutls26        2.12.20-7             GNU TLS library - runtime library
ii  libldap-2.4-2      2.4.31-1+nmu2         OpenLDAP libraries
ii  libltdl7           2.4.2-1.1             A system independent dlopen wrappe
ii  libodbc1           2.2.14p2-5            ODBC library for Unix
ii  libperl5.14        5.14.2-21             shared Perl library
ii  libsasl2-2         2.1.25.dfsg1-6+deb7u1 Cyrus SASL - authentication abstra
ii  libslp1            1.2.1-9               OpenSLP libraries
ii  libwrap0           7.6.q-24              Wietse Venema's TCP wrappers libra
ii  lsb-base           4.1+Debian8+deb7u1    Linux Standard Base 4.1 init scrip
ii  multiarch-support  2.13-38               Transitional package to ensure mul
ii  perl [libmime-base 5.14.2-21             Larry Wall's Practical Extraction
ii  psmisc             22.19-1+deb7u1        utilities that use the proc file s
ii  unixodbc           2.2.14p2-5            Basic ODBC tools

Versions of packages slapd recommends:
ii  libsasl2-modules   2.1.25.dfsg1-6+deb7u1 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                 2.4.31-1+nmu2 OpenLDAP utilities

-- debconf information:
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/allow_ldap_v2: false
  slapd/password_mismatch:
  slapd/invalid_config: true
  shared/organization: home.mattb.net.nz
* slapd/upgrade_slapcat_failure:
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: home.mattb.net.nz
  slapd/backend: HDB
  slapd/dump_database: when needed

--- End Message ---
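
The failure mode described in the report above, reproduced as an added example (not code from the slapd maintainer scripts): the unanchored lookup returns two lines for a constructed LDIF file, and a caller that insists on exactly one existing directory stops instead of silently skipping the backup. The function names, the temporary paths and the dc=example,dc=org suffix are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; fixture contents and all names below are constructed.

# Create a throwaway cn=config tree whose database LDIF holds a live and a
# commented-out olcDbDirectory line, as in the report.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/cn=config" "$root/db"
    cat > "$root/cn=config/olcDatabase={1}hdb.ldif" <<EOF
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=org
olcDbDirectory: $root/db
#olcDbDirectory: $root/db
EOF
    printf '%s\n' "$root"
}

# Same pipeline shape as the one quoted in the report.
# $1 = grep pattern, $2 = config root, $3 = suffix (assumed to match a file)
lookup() {
    grep "$1" $(grep -l "olcSuffix: $3" "$2"/cn=config/olcDatabase*.ldif) |
        cut -d: -f 2 | sed 's/^ *//g'
}
get_directory_unanchored() { lookup "olcDbDirectory:" "$@"; }
get_directory_anchored()   { lookup "^olcDbDirectory:" "$@"; }

# Fail-closed caller: accept the result only if it is exactly one line that
# names an existing directory; otherwise report and return non-zero.
# $1 = lookup function, $2 = config root, $3 = suffix
checked_directory() {
    dir=$("$1" "$2" "$3")
    count=$(printf '%s\n' "$dir" | grep -c . || true)
    if [ "$count" -ne 1 ] || [ ! -d "$dir" ]; then
        echo "refusing to continue: $3 resolved to $count line(s)" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Demonstration on the constructed fixture.
root=$(make_fixture)
checked_directory get_directory_unanchored "$root" dc=example,dc=org ||
    echo "backup aborted instead of skipped"
checked_directory get_directory_anchored "$root" dc=example,dc=org
rm -rf "$root"
```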
--- Begin Message ---
Source: openldap
Source-Version: 2.4.40-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <r...@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 17 Oct 2014 08:19:28 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.40-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-de...@lists.alioth.debian.org>
Changed-By: Ryan Tandy <r...@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 465024 594711 599235 637996 640384 661641 666515 706123 723957 741248 742841 742862 745231 745356 750022 759596 760559 761406 761407 762111 762424
Changes:
 openldap (2.4.40-1) unstable; urgency=low
 .
   [ Ryan Tandy ]
   * New upstream release.
     - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
     - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
     - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
     - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
       (Closes: #666515)
     - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
   * slapd.scripts-common:
     - Anchor grep patterns to avoid matching commented lines in ldif files
       under cn=config. (Closes: #723957)
     - Don't silently ignore nonexistent directories that should be dumped.
     - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
       symlink. (Closes: #742862)
     - When upgrading a database, ignore extra nested directories as they might
       contain other databases. Patch from Kenny Millington. (LP: #1003854)
     - Fix dumping and reloading when multiple databases hold the same suffix,
       thanks Peder Stray. (Closes: #759596, LP: #1362481)
     - Remove trailing dot from slapd/domain. (Closes: #637996)
   * debian/rules:
     - Enable parallel building.
     - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
       #676168. (Closes: #742841)
   * debian/slapd.README.Debian: Add a note about database format upgrades and
     the consequences of missing one. (Closes: #594711)
   * Build with GnuTLS 3 (Closes: #745231, #760559).
   * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
   * Drop debconf-utils from Build-Depends, no longer used (replaced by
     po-debconf). Thanks Johannes Schauer.
   * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
   * Offer the MDB backend as a choice during initial configuration. (Closes:
     #750022)
   * debian/slapd.init.ldif:
     - Disallow modifying one's own entry by default, except specific
       attributes. (Closes: #761406)
     - Index some more common search attributes by default. (Closes: #762111)
   * Introduce a symbols file for libldap-2.4-2.
   * debian/schema/pmi.schema: Add a copyright clarification. There does not
     appear to be any copyrighted text in this file, only ASN.1 assignments and
     LDAP schema definitions. Fixes a Lintian error on the original.
   * debian/schema/duaconf.schema: Strip Internet-Draft text from
     duaconf.schema.
   * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
   * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
   * debian/schema/ppolicy.schema: Update with ordering rules added in
     draft-behera-ldap-password-policy-11.
   * Suggest GSSAPI SASL modules. (Closes: #762424)
   * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
     slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
     after the server is restarted. (Closes: #761407)
   * Add myself to Uploaders.
 .
   [ Jelmer Vernooij ]
   * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
     #706123)
 .
   [ Updated debconf translations ]
   * Turkish, thanks to Atila KOÇ <a...@artielektronik.com.tr>.
     (Closes: #661641)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---