[Pkg-openldap-devel] Bug#723957: slapd: commented olcDbDirectory config line causes unusable system and potential data loss on upgrade
Matt Brown
mattb at debian.org
Sat Sep 21 16:13:43 UTC 2013
Package: slapd
Version: 2.4.31-1+nmu2
Severity: critical
Justification: breaks the whole system
Additional Justification details:
- Breaks whole system: slapd is used to provide accounts -> no user
accounts available -> system unusable.
- Data loss: database is physically on disk, but inaccessible due to
upgraded software, slapd, slapcat, slapadd cannot use it.
The get_directory method used in several maint scripts contains a bug
that causes it to return multiple lines of output if a commented
olcDbDirectory line also exists in the configuration file. The callers
of get_directory use filesystem existence checks on the output of
get_directory to determine whether to actually backup the database,
and silently continue without backing up when multiple lines of output
are returned.
Exact failure mode:
1) Begin upgrade
2) 2.4.23-7.3 prerm script doesn't perform any backups (as expected)
3) 2.4.31-1+nmu2 preinst attempts to backup, but silently skips
backups due to above bug
4) 2.4.31-1+nmu2 is unpacked (database now inaccessible due to format mismatch)
5) 2.4.31-1+nmu2 postinst attempts to move old db directory (skips
move silently due to same bug as above)
6) 2.4.31-1+nmu2 postinst attempts to import ldif backup (fails as no
ldif backup exists)
7) dpkg exits with error, slapd is unusable and not easily
recoverable, system unusable.
Output from step 3 and 4:
Preparing to replace slapd 2.4.23-7.3 (using
.../slapd_2.4.31-1+nmu2_i386.deb) ...
Stopping OpenLDAP: slapd.
Dumping to /var/backups/slapd-2.4.23-7.3:
Unpacking replacement slapd ...
Note the expected output from line 178 of the preinst is not printed
after the "Dumping... " line, this is because the check on line 176 of
the preinst script returns false when presented with multi-line input
in the $dbdir variable.
Output from steps 5, 6 and 7:
Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.23-7.3... done.
Moving old database directories to /var/backups:
Loading from /var/backups/slapd-2.4.23-7.3:
- directory dc=katalinabrown,dc=co,dc=nz... failed.
Loading the database from the LDIF dump failed with the following
error while running slapadd:
/var/backups/slapd-2.4.23-7.3/dc=katalinabrown,dc=co,dc=nz.ldif:
No such file or directory
dpkg: error processing slapd (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
Again, the expected per suffix line is missing after the "Moving..."
line, due to the check on line 384 of postinst returning false when
presented with multi-line input in the $databasedir variable.
I believe the bug is found on line 293 of preinst and postinst:
grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g'
the first grep is not anchored, so if a file contains content like:
olcDbDirectory: "/var/lib/ldap"
#olcDbDirectory: "/var/lib/ldap"
both paths are returned, and the subsequent checks of the return value
cause the failures described above.
The following patch (anchoring the match to start of line) would be a
minimal fix for this critical issue, but a more proper fix
would be for the preinst to bail out if it is unable to actually
backup a database that it knows to exist from the config!
--- slapd.preinst.orig 2013-09-21 16:59:18.000000000 +0100
+++ slapd.preinst 2013-09-21 16:58:25.000000000 +0100
@@ -290,7 +290,7 @@
get_directory() { # {{{
# Returns the db directory for a given suffix
if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
- grep "olcDbDirectory:" `grep -l "olcSuffix: $1"
${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^
*//g'
+ grep "^olcDbDirectory:" `grep -l "olcSuffix: $1"
${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^
*//g'
elif [ -f "${SLAPD_CONF}" ]; then
# Extract the directory for the given suffix ($1)
for f in `get_all_slapd_conf_files`; do
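Review bot: anchoring `^olcDbDirectory:` fixes the commented-line case, but the pipeline in this hunk still returns garbage whenever the inner `grep -l "olcSuffix: $1"` matches more than one file: grep then prefixes every match with its filename, `cut -d: -f 2` yields the literal `olcDbDirectory` instead of the path, and the callers' `-d` checks fail silently exactly as described for the multi-line case. The inner match is also unanchored at the end of the line, so a suffix that is a leading substring of another database's suffix selects both files. Suggest `grep -h "^olcDbDirectory:"` (no filename prefix) together with `grep -l "^olcSuffix: $1$"`, and, as the report itself argues, having the preinst/postinst treat anything other than exactly one returned line as a fatal error rather than skipping the backup or the move.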
The same fix would need to be made in postinst, and wherever else this
command is used.
Luckily, I'm testing this upgrade on my dev system... :)
-- System Information:
Debian Release: 6.0.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.113+nmu3 add and remove users and groups
ii coreutils 8.13-3.5 GNU core utilities
ii debconf [debconf-2 1.5.49 Debian configuration management sy
ii libc6 2.13-38 Embedded GNU C Library: Shared lib
ii libdb5.1 5.1.29-5 Berkeley v5.1 Database Libraries [
ii libgcrypt11 1.5.0-5+deb7u1 LGPL Crypto library - runtime libr
ii libgnutls26 2.12.20-7 GNU TLS library - runtime library
ii libldap-2.4-2 2.4.31-1+nmu2 OpenLDAP libraries
ii libltdl7 2.4.2-1.1 A system independent dlopen wrappe
ii libodbc1 2.2.14p2-5 ODBC library for Unix
ii libperl5.14 5.14.2-21 shared Perl library
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-9 OpenSLP libraries
ii libwrap0 7.6.q-24 Wietse Venema's TCP wrappers libra
ii lsb-base 4.1+Debian8+deb7u1 Linux Standard Base 4.1 init scrip
ii multiarch-support 2.13-38 Transitional package to ensure mul
ii perl [libmime-base 5.14.2-21 Larry Wall's Practical Extraction
ii psmisc 22.19-1+deb7u1 utilities that use the proc file s
ii unixodbc 2.2.14p2-5 Basic ODBC tools
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.25.dfsg1-6+deb7u1 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.31-1+nmu2 OpenLDAP utilities
-- debconf information:
slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
slapd/allow_ldap_v2: false
slapd/password_mismatch:
slapd/invalid_config: true
shared/organization: home.mattb.net.nz
* slapd/upgrade_slapcat_failure:
slapd/no_configuration: false
slapd/move_old_database: true
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/purge_database: false
slapd/domain: home.mattb.net.nz
slapd/backend: HDB
slapd/dump_database: when needed
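The following is an added example, not code from the bug report or from the slapd maintainer scripts. It builds a throwaway cn=config tree reproducing the reported layout (a live olcDbDirectory line followed by a commented-out copy), shows the original unanchored pipeline returning several lines, and then shows a hardened get_directory that anchors both the suffix and the attribute match, keeps filenames out of grep's output, and fails with a non-zero status on zero or ambiguous results, which is the "bail out" behaviour the report asks for. It goes slightly beyond the report by also including a second database whose suffix extends the first, which the unanchored olcSuffix match pulls in as well. The SLAPD_CONF path, the sample LDIF files and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the slapd package). Sample
# config tree and function names below are constructed for the demo.
SLAPD_CONF="$(mktemp -d)"
trap 'rm -rf "$SLAPD_CONF"' EXIT
mkdir -p "${SLAPD_CONF}/cn=config"

# Database 1: the layout from the report, a live olcDbDirectory plus a
# commented-out copy (constructed sample LDIF).
cat > "${SLAPD_CONF}/cn=config/olcDatabase={1}hdb.ldif" <<'EOF'
dn: olcDatabase={1}hdb
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
#olcDbDirectory: /var/lib/ldap
EOF

# Database 2: a suffix that merely extends the first one (constructed).
cat > "${SLAPD_CONF}/cn=config/olcDatabase={2}hdb.ldif" <<'EOF'
dn: olcDatabase={2}hdb
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=example,dc=com,dc=au
olcDbDirectory: /var/lib/ldap-au
EOF

# The pipeline as quoted in the report: neither grep is anchored, so the
# commented line is returned too, and because the suffix match also hits
# database 2, grep prefixes each line with its filename and cut returns
# the attribute name instead of the path.
buggy_get_directory() {
    grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g'
}

# Hardened version: whole-line suffix match (LDIF attributes start in
# column 0, comments start with '#'), grep -h to suppress filename
# prefixes, and a hard failure unless exactly one directory is found.
get_directory() {
    suffix="$1"
    # Escape BRE metacharacters so a '.' or '*' in a DN cannot widen the match.
    esc=$(printf '%s' "$suffix" | sed 's/[][\\.^$*]/\\&/g')
    files=$(grep -l "^olcSuffix: ${esc}\$" "${SLAPD_CONF}"/cn=config/olcDatabase*.ldif 2>/dev/null) || {
        echo "get_directory: no database with suffix '$suffix'" >&2
        return 1
    }
    dirs=$(grep -h "^olcDbDirectory:" $files | sed 's/^olcDbDirectory:[ ]*//')
    count=$(printf '%s\n' "$dirs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "get_directory: expected one olcDbDirectory for '$suffix', found $count" >&2
        return 1
    fi
    printf '%s\n' "$dirs"
}

# Stand-alone demonstration.
echo "buggy output for dc=example,dc=com:"
buggy_get_directory dc=example,dc=com
echo "hardened output for dc=example,dc=com:"
get_directory dc=example,dc=com
```

A caller such as the preinst backup loop can then use `dir=$(get_directory "$suffix") || exit 1` and stop the upgrade before dpkg unpacks the new version, instead of discovering the missing dump only when the postinst slapadd fails.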