apparmor stops /var/run/ldapi from being read causing ldap to fail

Bug #1392018 reported by Arjan.S on 2014-11-12
36
This bug affects 7 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Undecided
Ryan Tandy
Utopic
Undecided
Unassigned
Vivid
Undecided
Unassigned

Bug Description

[Impact]

* Changes to AppArmor's unix socket mediation in utopic and later require servers to have 'rw' file permissions on socket paths, compared to just 'w' previously.

* This bug breaks any application that tries to communicate with slapd via the ldapi:// scheme, for example heimdal-kdc.

* The recommended way to configure slapd in Ubuntu is to authenticate via SASL EXTERNAL over the ldapi socket. This bug prevents online configuration of slapd (via ldapmodify) in the default setup.

[Test Case]

apt-get install slapd
ldapwhoami -H ldapi:// -QY EXTERNAL

Expected result:
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Actual result:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

[Regression Potential]

* Extremely low potential for regression. No code changes, only granting an additional permission on contents of two directories. The worst possible regression is that slapd might be permitted to read some files it shouldn't, but having such files in /run/{slapd,nslcd} seems unlikely.

[Other Info]

Test packages can be found in ppa:rtandy/lp1392018

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status: New → Confirmed
Jayesh Bhoot (bhoot-jayesh) wrote :

I confirm that the bug is present on Kubuntu 14.10 as well.

When installing a clean ubuntu 14.10 server and installing slapd with :
apt-get install slapd ldap-utils
configure it with :
dpkg-reconfigure slapd
with ldap address of ldapi://xxx.xxx.xxx
the following command :
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
gives the following error:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Also, the provided solution of modifying apparmor config for slapd worked.

Mats Luspa (matsl) wrote :

This bug can also be found in Ubuntu 15.04 vivid. The workaround of modifying apparmor works.

Ryan Tandy (rtandy) on 2015-05-25
tags: added: apparmor
Ryan Tandy (rtandy) on 2015-05-26
Changed in openldap (Ubuntu):
assignee: nobody → Ryan Tandy (rtandy)
status: Confirmed → In Progress
Ryan Tandy (rtandy) wrote :

Based on reading apparmor code and changes, it sounds like changing 'w' to 'rw' actually is the correct fix (f.ex. [1]). My proposed merge (bug 1395098) includes that change.

This should probably be SRUed to U and V after getting fixed in the development release. Considering that ldapi is our default and recommended way of doing config changes, this is certainly a grave bug.

[1] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/unix_socket_pathname.sh#L40

Launchpad Janitor (janitor) wrote :
Download full text (10.3 KiB)

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

---------------
openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by...

Changed in openldap (Ubuntu):
status: In Progress → Fix Released
Ryan Tandy (rtandy) wrote :
description: updated
Ryan Tandy (rtandy) wrote :
Massé (davon24) wrote :

Hello! I have a problem with the vivid patch

sudo patch -p1 < ../openldap_2.4.31-1+nmu2ubuntu12.debdiff
bash: ../openldap_2.4.31-1+nmu2ubuntu12.debdiff: Aucun fichier ou dossier de ce type

On Tue, Jun 02, 2015 at 01:36:04AM -0000, Massé wrote:
>Hello! I have a problem with the vivid patch
>
>sudo patch -p1 < ../openldap_2.4.31-1+nmu2ubuntu12.debdiff
>bash: ../openldap_2.4.31-1+nmu2ubuntu12.debdiff: Aucun fichier ou dossier de ce type

That's not a problem with the patch. That's bash telling you it can't
find the patch in the place you told it to look :)

Moritz (morrez) wrote :

I try to apply the vivid patch, but don't seem to have openldap installed, only slapd – is that the same?

apt-get install openldap -> Unable to locate package

If slapd is correct, what is the proper patch location? slapd is located as follows:

/etc/init.d/slapd
/etc/ufw/applications.d/slapd
/etc/default/slapd
/run/slapd
/usr/share/lintian/overrides/slapd
/usr/share/slapd
/usr/share/doc/slapd
/usr/sbin/slapd
/var/lib/slapd

Ryan Tandy (rtandy) wrote :

On Wed, Jun 17, 2015 at 07:28:44AM -0000, Moritz wrote:
>I try to apply the vivid patch, but don't seem to have openldap
>installed, only slapd – is that the same?

openldap is the source package. slapd is one of the binary packages
built from it.

http://packages.ubuntu.com/source/vivid/openldap

https://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html

The patch applies to the source package.

>If slapd is correct, what is the proper patch location?

The patch changes one file: /etc/apparmor.d/usr.sbin.slapd

Marc Deslauriers (mdeslaur) wrote :

The actual fix that went into wily is:

# pid files and sockets
/{,var/}run/slapd/* w,
/{,var/}run/slapd/ldapi rw,
/{,var/}run/nslcd/socket rw,

Ryan, could you please update your proposed debdiffs to reflect the actual changes that went into the development release?

Thanks!

Ryan Tandy (rtandy) wrote :

Apologies for the inconvenience. Attaching fixed (and tested) patches.

Ryan Tandy (rtandy) wrote :
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, they look good. Thanks!

Uploaded for processing by the SRU team.

Changed in openldap (Ubuntu Utopic):
status: New → In Progress
Changed in openldap (Ubuntu Vivid):
status: New → In Progress

Hello Arjan.S, or anyone else affected,

Accepted openldap into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu12.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in openldap (Ubuntu Utopic):
status: In Progress → Won't Fix
Ryan Tandy (rtandy) wrote :

With slapd from vivid-updates:

# dpkg-query -W slapd
slapd 2.4.31-1+nmu2ubuntu12.1
# ldapwhoami -H ldapi:// -QY EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

With slapd from vivid-proposed:

# dpkg-query -W slapd
slapd 2.4.31-1+nmu2ubuntu12.2
# ldapwhoami -H ldapi:// -QY EXTERNAL
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Marking verified.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu12.2

---------------
openldap (2.4.31-1+nmu2ubuntu12.2) vivid; urgency=medium

  * debian/apparmor-profile: Change 'r' to 'rw' for ldapi and nslcd sockets,
    required for apparmor kernel ABI v7 (utopic and later). (LP: #1392018)

 -- Ryan Tandy <email address hidden> Thu, 25 Jun 2015 09:40:29 -0700

Changed in openldap (Ubuntu Vivid):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

David Bonner (thed-2011) wrote :

This bug seems to still be be present in Ubuntu 16.04. How do i fix it so & can use ldap?

Seth Arnold (seth-arnold) wrote :

David, please file a new bug report and be sure to include any AppArmor DENIED messages from your logs.

Thanks

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers