istana / libnss-maria
Replacement for old libnss-mysql as naming service library.
License: GNU General Public License v3.0
Hi,
if you plan to replace the original libnss-mysql, the new version needs SSL/TLS support badly. Otherwise the entire login security inside a used network is compromised.
Not sure why this is reproducible only in spamassassin, and only at a 50% chance, but many spamd tests fail. It's tested again later, so no email loss, but messages are still delayed.
Here is a backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ff1188686cf in ma_simple_command (mysql=0x55ea5969a9f0,
command=COM_RESET_CONNECTION, arg=0x0, length=0, skipp_check=0 '\000',
opt_arg=0x0)
at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:431
431 return mysql->methods->db_command(mysql, command, arg, length, skipp_check, opt_arg);
(gdb) bt
#0 0x00007ff1188686cf in ma_simple_command (mysql=0x55ea5969a9f0,
command=COM_RESET_CONNECTION, arg=0x0, length=0, skipp_check=0 '\000',
opt_arg=0x0)
at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:431
#1 0x00007ff118869b1f in mysql_reset_connection (mysql=0x55ea5969a9f0)
at /usr/src/debug/mariadb-connector-c-3.0.7-1.el8.x86_64/libmariadb/mariadb_lib.c:3973
#2 0x00007ff118caadd6 in maria_reset_connection (conn=0x55ea57cdc028,
errnop=0x7ffd334ad544)
at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/mariadb/query.c:179
#3 0x00007ff118caafaf in maria_query_no_param (caller=<optimized out>,
query=0x55ea596ccd78 "SELECT name, password, gid AS gid FROM groups",
settings=<optimized out>, conn=0x55ea57cdc028, result=0x55ea57cdc020,
errnop=0x7ffd334ad544, use_root_user=0)
at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/mariadb/query.c:148
#4 0x00007ff118ca9dd2 in _nss_maria_setgrent ()
at /usr/src/debug/libnss-maria-0.92-3.el8.x86_64/src/nss/group.c:328
#5 0x00007ff11e2da593 in __nss_getent_r () from /lib64/libc.so.6
#6 0x00007ff11e27fffc in getgrent_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#7 0x00007ff11f4a733c in Perl_pp_ggrent () from /lib64/libperl.so.5.26
#8 0x00007ff11f447f95 in Perl_runops_standard () from /lib64/libperl.so.5.26
#9 0x00007ff11f3c7faf in perl_run () from /lib64/libperl.so.5.26
#10 0x000055ea531efeaa in main ()
(gdb)
Hi,
The while ( --count ) () loop contains code that could lead to a race condition while executed.
The strstr() in the for-loop is used internally in conjunction with a conditional break on the pointer returned,
but that check is missing in the while-loop part, assuming that the content of the to-be-replaced string did not change.
You want to use this routine in a secure environment with heavily parallel processes and threads without the usage of protecting guards => bad idea.
Two improvements: a) copy the src string into a temp buffer and do all ops on this buffer; b) use a conditional break on the result of strstr() too. If a) is implemented, b) can be skipped, but b) alone is not secure enough for a lib used in root context. Please add a) as a protective measure.
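The two improvements proposed in the issue above, as an added example (not libnss-maria's own routine): the source is snapshotted into a private buffer and every strstr() result is checked before use. The name `replace_all_snapshot` is hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (assumption, not the project's code): replace every
 * occurrence of `needle` in `src` with `with`. Returns malloc'd text or NULL. */
char *replace_all_snapshot(const char *src, const char *needle, const char *with)
{
    if (!src || !needle || !with || needle[0] == '\0')
        return NULL;

    /* (a) Work on a private, explicitly terminated copy so a concurrent writer
     * to `src` cannot change the text between the counting and copying passes. */
    size_t slen = strlen(src);
    char *snap = malloc(slen + 1);
    if (!snap) return NULL;
    memcpy(snap, src, slen);
    snap[slen] = '\0';

    size_t nlen = strlen(needle), wlen = strlen(with), count = 0;
    for (const char *p = snap; (p = strstr(p, needle)) != NULL; p += nlen)
        count++;

    /* Output size is derived from the snapshot, never from `src` again. */
    size_t outlen = strlen(snap);
    if (wlen >= nlen) outlen += count * (wlen - nlen);
    else outlen -= count * (nlen - wlen);
    char *out = malloc(outlen + 1);
    if (!out) { free(snap); return NULL; }

    char *dst = out;
    const char *cur = snap;
    while (count--) {
        const char *hit = strstr(cur, needle);
        /* (b) Fail closed instead of doing arithmetic on a NULL pointer. */
        if (!hit) { free(out); free(snap); return NULL; }
        size_t front = (size_t)(hit - cur);
        memcpy(dst, cur, front);
        dst += front;
        memcpy(dst, with, wlen);
        dst += wlen;
        cur = hit + nlen;
    }
    strcpy(dst, cur);   /* tail after the last match, including the NUL */
    free(snap);
    return out;
}
```

The caller owns the returned buffer and must free() it.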
Please, can you add a libnss-mysql compatible configuration? I am preparing a CentOS/Fedora package and it would be useful to have also a compatibility configuration. Attaching an example configuration.
libnss-maria.conf.txt
Putting UTF-8 data into GECOS is problematic and it gets mangled. The data are stored in the database properly and selecting them is still all right. Setting UTF-8 for the mysql client connection or SET NAMES = utf8 didn't work. It is probably mangled when it's copied into the structure.
Sep 8 15:02:03 xxx postfix/smtpd[15364]: warning: proxy:unix:passwd.byname: key "test": non-UTF-8 value "test:x:8885:1002:Test??kov?,,,:/network/home/testcikova:/usr/bin/rssh": malformed UTF-8 or invalid codepoint
Using a "find /home -nouser" command on a filesystem with many files, a "Too many files" error is displayed.
opening file failed, file=/etc/libnss-maria.conf, error number=24, error description=Too many open filesplaceholder not found in database query, _nss_maria_getpwuid_r/home/user/x/apps
find: '/home/user/x/apps': Too many open files
shadow (root) and password/group (user) grants in examples/ are broken. User queries need to use views to filter out hashed password
Running the script ./scripts/build-debug.sh I got this error message:
cp: cannot stat '/home/libnss-maria/examples/sos-sso/nsswitch.conf': No such file or directory
I saw that the variable HOME_PATH in the compile_and_test.sh file is (line 5)
HOME_PATH="/home/libnss-maria"
but it is not used when cp command is running (eg. line 46)
$SUDO_COMMAND cp -bf /home/libnss-maria/examples/$EXAMPLE_SET/nsswitch.conf /etc
why not
$SUDO_COMMAND cp -bf ${HOME_PATH}/examples/$EXAMPLE_SET/nsswitch.conf /etc
?
Hello,
First of all, thanks for putting this all together, it has served me well so far.
A memory leak was found on my host Ubuntu 20.04 system, spotted with a bizarre increase in swap space up to around 400mb over a period of time.
With analysis using Valgrind, a memory leak was found losing around 16k bytes, 1024 bytes at a time (from the malloc below). config_lookup_string doesn't need to take a memory allocated parameter. The leak most likely happened because memory was allocated inside the config struct, and only the struct was freed leaving a trail of memory unhandled.
To replicate this, I wrote a hacky C script to plug into _nss_maria_getpwnam_r, then compiled it and ran it against Valgrind. For a given mariadb user account, e.g. testgroup in this case, Valgrind highlighted the leak.
#include <stdio.h>
#include <stdlib.h>
#include <nss.h>
#include <pwd.h>

/* Entry point exported by libnss-maria; link against the library to resolve it. */
extern enum nss_status _nss_maria_getpwnam_r (
    const char *name,
    struct passwd *result_buf,
    char *buffer,
    size_t buflen,
    int *errnop,
    int *h_errnop
);

int main() {
    printf("Running check for leaks\n");
    /* Accounts to look up; each lookup goes through the module's config loading. */
    const char *accounts[] = { "testgroup" };
    struct passwd *result;
    size_t buflen = 1024;
    char buffer[buflen];
    int num = 2;
    int *numP = &num;
    int nssResult;
    result = (struct passwd *) malloc(sizeof(struct passwd));
    size_t i = 0;
    for ( i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++){
        nssResult = _nss_maria_getpwnam_r(accounts[i], result, buffer, buflen, numP, numP);
        printf("_nss_maria_getpwnam_r result = %d\n", nssResult);
    }
    /* Only the harness's own allocation is released here, so anything Valgrind
       still reports was allocated inside the library. */
    free(result);
}
I then removed the malloc and replaced it with a const char * and Valgrind then detected no leaks. It might be worth digging into other methods to see if memory leaks occur, but I haven't experienced any other untoward behaviour.
I don't have access to create branches, but here is the proposed change:
void maria_load_string_setting(config_t libconfig_object, char *destination, const char *selector) {
    const char *buffer;
    if(config_lookup_string(&libconfig_object, selector, &buffer) == CONFIG_TRUE) {
    ...