[Bug 1397250] Re: SIGPIPE not caught in do_atfork_child()

Jon Grimm jon.grimm at canonical.com
Thu Oct 20 20:15:25 UTC 2016


How I test:

1) Configure slapd (server) and libnss-ldap/ldap-utils (client)
Note: Ubuntu Server Guide is a godsend to a newbie.  https://help.ubuntu.com/lts/serverguide/openldap-server.html

2) Configure slapd (server) to serve up desired /etc/hosts information
Note: The Arch folks have some good examples of this:
https://wiki.archlinux.org/index.php/LDAP_Hosts

3) Configure nsswitch to use ldap
- Add 'ldap' to the 'hosts' entry in /etc/nsswitch
NOTE: make sure to disable 'nscd'!

4) Test libldap-nss/ldap working as expected:
$ getent hosts 
-Should see the hosts as entered into slapd added now

5) Now configure for StartTLS
Again see Ubuntu documentation:
https://help.ubuntu.com/lts/serverguide/openldap-server.html

6) Retest to make sure still working
$ getent hosts
Note: You can verify that StartTLS is working by enabling logging on slapd and then,
$ grep STARTTLS /var/log/syslog

Note: log enabling for slapd:
http://blog.suretecsystems.com/archives/163-OpenLDAP-Quick-Tips-Change-loglevels-on-the-fly!.html

I enabled 'all'.

You should see a STARTTLS connection every time you call 'getent hosts',
if it's working as expected.  If you are hardcore, you can also
configure the server to _only_ accept STARTTLS, but I'll leave that as
an exercise for the reader.

7) Now you can test the bug! (Note: I modified the testcase provided to use getbyhostname)
ubuntu@tldapclient:~$ ./testhosts.pl
Parent!
Parent wake!
Done!

^^ Note the lack of "Child!", because the child has segfaulted.

8) With the fix:
ubuntu@tldapclient:~$ ./testhosts.pl
Parent!
Child!
Done!
Parent wake!
Done!

^^ Note the child survived. \o/



** Attachment added: "testhosts.pl"
   https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1397250/+attachment/4764554/+files/testhosts.pl

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1397250

Title:
  SIGPIPE not caught in do_atfork_child()

Status in nss_ldap:
  Fix Released
Status in libnss-ldap package in Ubuntu:
  Triaged
Status in libnss-ldap source package in Trusty:
  New
Status in libnss-ldap source package in Xenial:
  New
Status in libnss-ldap source package in Yakkety:
  New

Bug description:
  Ubuntu version: Ubuntu 14.04.1 LTS
  Package version: libnss-ldap_264-2.2ubuntu4

  If a process using libnss-ldap calls fork() and SIGPIPE was blocked, the atfork() handler in the child process failed to catch the SIGPIPE as it was supposed to do, that is, in the call to do_close_no_unbind(). As a result, the uncaught SIGPIPE will eventually be
  delivered when the child unblocks signals. This usually makes the child process die unexpectedly.

  I found a well-known Linux vendor fixed this issue with the following
  patch. This unblocks the SIGPIPE before calling do_close_no_unbind()
  and restores the original sigmask afterwards:

  diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
  --- nss_ldap/ldap-nss.c 2009-12-07 20:57:33.000000000 -0500
  +++ nss_ldap/ldap-nss.c 2009-12-07 20:58:56.000000000 -0500
  @@ -532,8 +532,13 @@
   static void
   do_atfork_child (void)
   {
  +  sigset_t unblock, mask;
     debug ("==> do_atfork_child");
  +  sigemptyset(&unblock);
  +  sigaddset(&unblock, SIGPIPE);
  +  sigprocmask(SIG_UNBLOCK, &unblock, &mask);
     do_close_no_unbind ();
  +  sigprocmask(SIG_SETMASK, &mask, NULL);
     _nss_ldap_leave ();
     debug ("<== do_atfork_child");
   }
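
Review bot: the return value of the first sigprocmask() call in do_atfork_child() is not checked, so if it fails `mask` is left uninitialized and the later `sigprocmask(SIG_SETMASK, &mask, NULL)` installs an indeterminate signal mask. Check the result and skip the restore on failure, or initialize `mask` with sigemptyset() before use. Because this handler lives in an NSS library that can be loaded into threaded programs, pthread_sigmask() is the better-specified call here, and a one-line comment saying why SIGPIPE must be unblocked around do_close_no_unbind() would save the next reader from removing it.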

  I'd like to see this patch applied.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nss-ldap/+bug/1397250/+subscriptions


