istana / libnss-maria Goto Github PK

Hi,

if you plan to replace the original libnss-mysql , the new version needs SSL/TLS support badly. Otherwise the entire login security inside a used network is compromised.

Not sure why this is reproducible only in spamassassin only, and only at 50% chance, but many spamd tests fails. It's tested again later, so no email loss, but still messages are delayed.
Here is an backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ff1188686cf in ma_simple_command (mysql=0x55ea5969a9f0,
    command=COM_RESET_CONNECTION, arg=0x0, length=0, skipp_check=0 '\000',
    opt_arg=0x0)
    at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:431
431       return mysql->methods->db_command(mysql, command, arg, length, skipp_check, opt_arg);
(gdb) bt
#0  0x00007ff1188686cf in ma_simple_command (mysql=0x55ea5969a9f0,
    command=COM_RESET_CONNECTION, arg=0x0, length=0, skipp_check=0 '\000',
    opt_arg=0x0)
    at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:431
#1  0x00007ff118869b1f in mysql_reset_connection (mysql=0x55ea5969a9f0)
    at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:3973
#2  0x00007ff118caadd6 in maria_reset_connection (conn=0x55ea57cdc028,
    errnop=0x7ffd334ad544)
    at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/mariadb/query.c:179
#3  0x00007ff118caafaf in maria_query_no_param (caller=<optimized out>,
    query=0x55ea596ccd78 "SELECT name, password, gid AS gid FROM groups",
    settings=<optimized out>, conn=0x55ea57cdc028, result=0x55ea57cdc020,
    errnop=0x7ffd334ad544, use_root_user=0)
    at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/mariadb/query.c:148
#4  0x00007ff118ca9dd2 in _nss_maria_setgrent ()
    at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/nss/group.c:328
#5  0x00007ff11e2da593 in __nss_getent_r () from /lib64/libc.so.6
#6  0x00007ff11e27fffc in getgrent_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#7  0x00007ff11f4a733c in Perl_pp_ggrent () from /lib64/libperl.so.5.26
#8  0x00007ff11f447f95 in Perl_runops_standard () from /lib64/libperl.so.5.26
#9  0x00007ff11f3c7faf in perl_run () from /lib64/libperl.so.5.26
#10 0x000055ea531efeaa in main ()
(gdb)

Hi,

the while ( --count ) () Loop contains code, that could lead to a race condition while executed.

the strstr() in the for-loop is used internally in conjunction with a conditional break on the pointer returned,
but that check is missing in the while-loop part, assuming that the content of the to be replaced string did not change.

You wanne use this routine in an secure environment with heavyly parallel processes and threads without the usage of protecting guards => bad idea.

Two improvments: a) copy the src string in temp buffer and do all ops on this buffer b) use conditional break on the result of strstr() too. If a) is implemented, b) can be skipped. but b) alone is not secure enough for a lib used in root context. Please add a) as a protective meassure.

Please, can you add an libnss-mysql compatible configuration? I am preparing an centos/fedora package and it would be useful to have also compatibility configuration. Attaching an example configuration.
libnss-maria.conf.txt

Putting UTF-8 data into GECOS is problematic and gets mangled. Data are stored in database properly and selecting them is still all right. Setting UTF-8 for mysql client connection or SET NAMES = utf8 didnt't work. Probably is mangled when it's copied into the structure.

Sep  8 15:02:03 xxx postfix/smtpd[15364]: warning: proxy:unix:passwd.byname: key "test": non-UTF-8 value "test:x:8885:1002:Test??kov?,,,:/network/home/testcikova:/usr/bin/rssh": malformed UTF-8 or invalid codepoint

Using a "find /home -nouser" command on a filesystem with many files, there is "Too many files" error displayed.

opening file failed, file=/etc/libnss-maria.conf, error number=24, error description=Too many open filesplaceholder not found in database query, _nss_maria_getpwuid_r/home/user/x/apps
find: '/home/user/x/apps': Too many open files

shadow (root) and password/group (user) grants in examples/ are broken. User queries need to use views to filter out hashed password

Running the script ./scripts/build-debug.sh I got this error message:

cp: cannot stat '/home/libnss-maria/examples/sos-sso/nsswitch.conf': No such file or directory

I saw that the variable HOME_PATH in the compile_and_test.sh file is (line 5)

HOME_PATH="/home/libnss-maria"

but it is not used when cp command is running (eg. line 46)
$SUDO_COMMAND cp -bf /home/libnss-maria/examples/$EXAMPLE_SET/nsswitch.conf /etc

why not
$SUDO_COMMAND cp -bf ${HOME_PATH}/examples/$EXAMPLE_SET/nsswitch.conf /etc
?

Hello,

First of all, thanks for putting this all together, it has served me well so far.

A memory leak was found on my host Ubuntu 20.04 system, spotted with a bizarre increase in swap space up to around 400mb over a period of time.

With analysis using Valgrind, a memory leak was found losing around 16k bytes, 1024 bytes at a time (from the malloc below)
config_lookup_string doesn't need to take a memory allocated parameter. The leak most likely happened because memory was allocated inside the config struct, and only the struct was freed leaving a trail of memory unhandled.

To replicate this, I wrote a hacky C script to plug into _nss_maria_getpwnam_r, then compiled it and ran it against Valgrind. For a given mariadb user account, e.g. testgroup in this case, Valgrind highlighted the leak.

#include <stdlib.h>
#include <nss.h>
#include <pwd.h>

extern enum nss_status _nss_maria_getpwnam_r (
		const char *name, 
		struct passwd *result_buf, 
		char *buffer, 
		size_t buflen, 
		int *errnop, 
	        int *h_errnop
);


int main() {
   printf("Running check for leaks\n");

   const char *accounts[] = { "testgroup" };
   struct passwd *result;
   size_t buflen = 1024;
   char buffer[buflen];
   int num = 2;
   int *numP = &num;
   int nssResult;
   result = (struct passwd *) malloc(sizeof(struct passwd));
   
   size_t i = 0;
   for ( i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++){
       nssResult = _nss_maria_getpwnam_r(accounts[i], result, buffer, buflen, numP, numP);
       printf("_nss_maria_getpwnam_r result = %d\n", nssResult);
   }
   free(result);
}

I then removed the malloc and replaced it with a const char * and Valgrind then detected no leaks. It might be worth digging into other methods to see memory leaks occur, but I haven't experienced any other untoward behaviour.

I don't have access to create branches, but here is the proposed change:

void maria_load_string_setting(config_t libconfig_object, char *destination, const char *selector) {
  const char *buffer;

  if(config_lookup_string(&libconfig_object, selector, &buffer) == CONFIG_TRUE) {
  ...