When one nsslapd-pluginarg argument is missing in 7-bit plugin config configuration, DS crashes:
nsslapd-pluginarg
# 7-bit check, plugins, config dn: cn=7-bit check,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: 7-bit check nsslapd-pluginPath: libattr-unique-plugin nsslapd-pluginInitfunc: NS7bitAttr_Init nsslapd-pluginType: betxnpreoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail <<< Missing nsslapd-pluginarg2 nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com nsslapd-plugin-depends-on-type: database nsslapd-pluginId: NS7bitAttr nsslapd-pluginVersion: 1.3.1.0 nsslapd-pluginVendor: 389 Project nsslapd-pluginDescription: Enforce 7-bit clean attribute values
/var/log/messages:
May 27 03:59:47 vm-119 systemd[1]: Stopping 389 Directory Server IDM-LAB-BOS-REDHAT-COM.... May 27 03:59:49 vm-119 systemd[1]: Starting 389 Directory Server IDM-LAB-BOS-REDHAT-COM.... May 27 03:59:49 vm-119 kernel: [497353.168414] ns-slapd[22836]: segfault at 0 ip 00007fdff9eca82b sp 00007fffd07d4dc0 error 4 in libattr-unique-plugin.so[7fdff9ec8000+5000]
I was hoping this fix (currently, it's only in master/389-ds-base-1.3.2) solves this bug, as well. I think partially, yes. {{{ commit bce5557 Author: Mark Reynolds mreynolds@redhat.com Date: Mon May 20 15:09:00 2013 -0400
Ticket 47340 - Deleting a separator ',' in 7-bit check plugin arguments makes the server fail to start with segfault Bug Description: If invalid or missing plugin arguments are present in the config entry, the server will crash at startup. This is because we were not fully validating all argument values. Fix Description: Generate an appropriate error at startup when invalid settings are detected, and gracefully exit. https://fedorahosted.org/389/ticket/47340
}}} Once the patch is applied, if we delete nsslapd-pluginarg2 in cn=7-bit check,cn=plugins,cn=config as follows, {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=gsslab,dc=pnq,dc=redhat,dc=com }}} the server does not start instead of crashes, and the error is log'ed like this: {{{ Starting program: /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-ID/ ... [-] NS7bitAttr_Init - Invalid plugin arguments - missing "," separator argument [-] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [-] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} Indeed, the arguments are invalid. But error 'missing "," separator argument' is not perfect...
How important is this bug for IPA? Can it be waited till 1.3.2 or should it be in 1.3.1.1?
missing nsslapd-pluginarg fix 0001-Ticket-47370-DS-crashes-with-some-7-bit-check-plugin.patch
I've applied your patch and run some tests. Your patch fixes the original bug and it issues the right error message: {{{ [..] NS7bitAttr_Init - Invalid plugin arguments - missing arguments [..] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [..] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} I ran some more extra tests. case 1) {{{ dn: cn=7-bit check,cn=plugins,cn=config ... nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: cn nsslapd-pluginarg2: sn nsslapd-pluginarg2: uid nsslapd-pluginarg2: l nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} I started the server, then the server has successfully started without any errors/warnings. I wonder all values of pluginarg2 are set to the 7-bit check target or just one? If just one, which one? If one of them is picked up, the rest should be removed from the config entry with warnings in the error log.
case 2) I repeated 28 same values :) {{{ dn: cn=7-bit check,cn=plugins,cn=config ... nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Then, just 14 were detected. {{{ [..] - str2entry_dupcheck: 14 duplicate values for attribute type nsslapd-pluginarg2 detected in entry cn=7-bit check,cn=plugins,cn=config. Extra values ignored. }}} And 14 duplicate values are left indeed. {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Why 14? Could you eliminate 27 duplicates out of 28?
7-bit check plugin userpassword validation fix 0001-Ticket-47423-7-bit-check-plugin-does-not-work-for-us.patch
Replying to [comment:5 nhosoi]:
I've applied your patch and run some tests. Your patch fixes the original bug and it issues the right error message: {{{ [..] NS7bitAttr_Init - Invalid plugin arguments - missing arguments [..] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [..] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} I ran some more extra tests. case 1) {{{ dn: cn=7-bit check,cn=plugins,cn=config ... nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: cn nsslapd-pluginarg2: sn nsslapd-pluginarg2: uid nsslapd-pluginarg2: l nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} I started the server, then the server has successfully started without any errors/warnings. I wonder all values of pluginarg2 are set to the 7-bit check target or just one? If just one, which one? If one of them is picked up, the rest should be removed from the config entry with warnings in the error log. case 2) I repeated 28 same values :) {{{ dn: cn=7-bit check,cn=plugins,cn=config ... nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Then, just 14 were detected. {{{ [..] - str2entry_dupcheck: 14 duplicate values for attribute type nsslapd-pluginarg2 detected in entry cn=7-bit check,cn=plugins,cn=config. Extra values ignored. }}} And 14 duplicate values are left indeed. {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Why 14? Could you eliminate 27 duplicates out of 28? These problems are not specific to 7 bit plugin and not related to this fix. So, I have created Ticket #47431 for these issues
case 2) I repeated 28 same values :) {{{ dn: cn=7-bit check,cn=plugins,cn=config ... nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Then, just 14 were detected. {{{ [..] - str2entry_dupcheck: 14 duplicate values for attribute type nsslapd-pluginarg2 detected in entry cn=7-bit check,cn=plugins,cn=config. Extra values ignored. }}} And 14 duplicate values are left indeed. {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg2: userpassword nsslapd-pluginarg3: , nsslapd-pluginarg4: dc=test,dc=com }}} Why 14? Could you eliminate 27 duplicates out of 28? These problems are not specific to 7 bit plugin and not related to this fix. So, I have created Ticket #47431 for these issues
You removed this error message in your patch, but I'd like you to keep it. {{{ 771 771 slapi_log_error(SLAPI_LOG_FATAL, "NS7bitAttr_Init", 772 "Invalid plugin arguments - missing \",\" separator argument\n"); }}} Testing with this parameters: nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: dc=test,dc=com the error message looks like this with your patch: {{{ [..] NS7bitAttr_Init - Invalid plugin arguments - missing arguments [..] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [..] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} Your fix is less informative than before, which is not nice.
Currently, we cannot distinguish {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: dc=test,dc=com }}} from {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg2: , nsslapd-pluginarg3: dc=test,dc=com }}} Both are diagnosed as missing argument. To issue a right message, I think you have to fix this first: https://fedorahosted.org/389/ticket/47431#comment:1 Then, come back to this ticket. Once you could fix 47431#comment:1, then this case {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg2: , nsslapd-pluginarg3: dc=test,dc=com }}} should be able to treated as {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: , nsslapd-pluginarg2: dc=test,dc=com }}}
Replying to [comment:8 nhosoi]:
You removed this error message in your patch, but I'd like you to keep it. {{{ 771 771 slapi_log_error(SLAPI_LOG_FATAL, "NS7bitAttr_Init", 772 "Invalid plugin arguments - missing \",\" separator argument\n"); }}}
I have modified my fix to keep this error message
Testing with this parameters: nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: dc=test,dc=com the error message looks like this with your patch: {{{ [..] NS7bitAttr_Init - Invalid plugin arguments - missing arguments [..] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [..] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} Your fix is less informative than before, which is not nice. Currently, we cannot distinguish {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: dc=test,dc=com }}} from {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg2: , nsslapd-pluginarg3: dc=test,dc=com }}} Both are diagnosed as missing argument. To issue a right message, I think you have to fix this first: https://fedorahosted.org/389/ticket/47431#comment:1 Then, come back to this ticket. Once you could fix 47431#comment:1, then this case {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg2: , nsslapd-pluginarg3: dc=test,dc=com }}} should be able to treated as {{{ nsslapd-pluginarg0: uid nsslapd-pluginarg1: , nsslapd-pluginarg2: dc=test,dc=com }}}
Testing with this parameters: nsslapd-pluginarg0: uid nsslapd-pluginarg1: mail nsslapd-pluginarg2: dc=test,dc=com the error message looks like this with your patch: {{{ [..] NS7bitAttr_Init - Invalid plugin arguments - missing arguments [..] - Init function "NS7bitAttr_Init" for "7-bit check" plugin in library "libattr-unique-plugin" failed [..] - Unable to load plugin "cn=7-bit check,cn=plugins,cn=config" }}} Your fix is less informative than before, which is not nice.
Fixed this case
missing nsslapd-pluginarg fix 0001-Ticket-47370-DS-crashes-with-some-7-bit-check-plugin.2.patch
On behalf of Anupam, pushed to master: commit 67b248e
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1044156
Metadata Update from @nhosoi: - Issue assigned to anjain - Issue set to the milestone: 1.3.2 - 09/13 (September)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/707
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.