https://bugs.openldap.org/show_bug.cgi?id=9639
Issue ID: 9639
Summary: slapd -r : what must be present in the chroot environment
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
`man slapd` - https://www.openldap.org/software/man.cgi?query=slapd&apropos=0&sekt... - says that the -r option calls chroot.
Please clarify, what must be present in the chroot environment: /proc, /tmp, /dev/shm , libc
--- Comment #1 from Howard Chu hyc@openldap.org ---
(In reply to dpa-openldap@aegee.org from comment #0)
> `man slapd` - https://www.openldap.org/software/man.cgi?query=slapd&apropos=0&sektion=0&manpath=OpenLDAP+2.5-Release&arch=default&format=html - says that the -r option calls chroot.
>
> Please clarify, what must be present in the chroot environment: /proc, /tmp, /dev/shm , libc

That depends entirely on your OS and how you built OpenLDAP. It's not our job to document how to use your own OS.
--- Comment #2 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
The chroot’ed environment is never provided by the OS.
As far as I can see, at least /dev/null must be within the chrooted environment.
Each software has different requirements on what needs to be in the chroot’ed environment.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs_review
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|needs_review                |

--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
documentation patches welcome
--- Comment #4 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
Sure, but I do not know what must be present in the chroot environment, and when is /dev/null necessary there.
--- Comment #5 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
Created attachment 846
  --> https://bugs.openldap.org/attachment.cgi?id=846&action=edit
Update documentation for slapd -r <DIRECTORY>

This adds some text about the requirements for the chroot directory. I run openldap with Kerberos authentication and as systemd service with type=notify, therefore the patch focuses on this use-case.
dpa-openldap@aegee.org dpa-openldap@aegee.org changed:
           What                |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #846 is obsolete   |0                           |1

--- Comment #6 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
Created attachment 847
  --> https://bugs.openldap.org/attachment.cgi?id=847&action=edit
Update documentation for slapd -r <DIRECTORY>, including /dev/urandom
--- Comment #7 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
To be precise, slapd does read the libcyrus-sasl plugins before calling chroot, but if the sasl plugins are not in addition included in the chroot environment, the root DSE shows no supportedSASLMechanisms.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs_review
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.5.8
           Assignee|bugs@openldap.org           |quanah@openldap.org
           Keywords|needs_review                |
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |IN_PROGRESS

--- Comment #8 from Quanah Gibson-Mount quanah@openldap.org ---
https://git.openldap.org/openldap/openldap/-/merge_requests/415
--- Comment #9 from Quanah Gibson-Mount quanah@openldap.org ---
Note: since you already have a github account, you could just submit fixes like this as a merge request.
If you want to keep providing patches, that's ok, but it would be preferable if you provided them as a git commit from git format-patch as documented on the contributions page.
--- Comment #10 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to Quanah Gibson-Mount from comment #9)
> Note: since you already have a github account, you could just submit fixes like this as a merge request.

s/github/gitlab/
--- Comment #11 from dpa-openldap@aegee.org dpa-openldap@aegee.org ---
libgcc_s.so.1 must also be included in the chroot environment, and referenced from the chrooted etc/ld.so.cache, otherwise on restart slapd crashes with bt:

Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:45
45 val = (INTERNAL_SYSCALL_ERROR_P (val)
[Current thread is 1 (Thread 0x7f95f77fe640 (LWP 216899))]
gdb /tmp/cores bt
#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:45
#1 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at pthread_kill.c:62
#2 0x00007f95ffb301f2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f95ffb1b43b in __GI_abort () at abort.c:79
#4 0x00007f95ffb6ec00 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f95ffc9f219 "%s") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007f95ffb6ec22 in __GI___libc_fatal (message=0x7f95ffca1810 "libgcc_s.so.1 must be installed for pthread_exit to work\n") at ../sysdeps/posix/libc_fatal.c:164
#6 0x00007f95ffb79642 in __GI___pthread_exit (value=0x0) at pthread_exit.c:31
#7 0x00007f96002ef119 in ldap_pvt_thread_exit () from /git/openldap/libraries/libldap/.libs/libldap-2.5.releng.so.0
#8 0x00007f96002efb48 in ?? () from /git/openldap/libraries/libldap/.libs/libldap-2.5.releng.so.0
#9 0x00007f95ffb78507 in start_thread (arg=<optimized out>) at pthread_create.c:434
#10 0x00007f95ffbf7a5c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
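
A pre-flight check for the chroot items named in comments #2, #6, #7 and #11, as an added example that is not part of the bug report or of OpenLDAP. The function name `check_slapd_chroot` and the optional SASL directory argument are assumptions made for illustration, and a given OS or build may need more than is checked here.

```shell
# Added example, not OpenLDAP code: checks a directory meant for `slapd -r`
# for the items named in this thread. Other needs depend on OS and build.
#
# check_slapd_chroot ROOT [SASL_DIR]
#   ROOT      directory that will be passed to slapd -r
#   SASL_DIR  optional Cyrus SASL plugin directory relative to ROOT
#             (assumed value for illustration: usr/lib/sasl2)
# Prints one line per missing item; returns 0 only if nothing is missing.
check_slapd_chroot() {
    root=$1
    sasl_dir=${2:-}
    missing=0

    # Comments #2 and #6: device nodes inside the chroot.
    for dev in dev/null dev/urandom; do
        if [ ! -c "$root/$dev" ]; then
            echo "missing: $dev (character device)"
            missing=1
        fi
    done

    # Comment #11: libgcc_s.so.1 must exist somewhere under ROOT ...
    if [ -z "$(find "$root" -name 'libgcc_s.so.1' 2>/dev/null | head -n 1)" ]; then
        echo "missing: libgcc_s.so.1"
        missing=1
    fi

    # ... and be listed in the chrooted etc/ld.so.cache (names are stored
    # there as plain strings, so a string match is enough for a first check).
    if ! grep -q 'libgcc_s\.so\.1' "$root/etc/ld.so.cache" 2>/dev/null; then
        echo "missing: libgcc_s.so.1 entry in etc/ld.so.cache"
        missing=1
    fi

    # Comment #7: without SASL plugins in the chroot, the root DSE shows no
    # supportedSASLMechanisms. Checked only when a directory is given.
    if [ -n "$sasl_dir" ] && ! ls "$root/$sasl_dir"/*.so* >/dev/null 2>&1; then
        echo "missing: SASL plugins in $sasl_dir"
        missing=1
    fi

    return "$missing"
}
```

Run it from outside the chroot before starting slapd. A symlink to an absolute path such as /dev/null passes the `-c` test from outside but resolves against the new root once chroot is called, so real device nodes or bind mounts are what the check is meant to confirm.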