Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Incoming/7714
Full headers

Subject: Making slapd easier to jail (enhancement?)
Compose comment
Download message
0 replies:
0 followups:

Major security issue: yes  no



Date: Tue, 01 Oct 2013 22:25:13 +0000
Subject: Making slapd easier to jail (enhancement?)
Full_Name: Barry Lance
Version: 2.4.35
OS: Linux (Debian 7)
Submission from: (NULL) (

Operating System: 	Debian 7.1.0 (Wheezy) 64-bit
Openldap version: 	2.4.35

Configure Options:	--prefix=/usr/local 

config:			slapd.conf from make install

Jail directory:		/var/chroot/openldap

Files copied into jail:	

/etc/openldap -> <jaildir>/etc/openldap
/etc/nsswitch.cond -> <jaildir>/etc
/etc/pam.d -> <jaildir>/etc/pam.d
/etc/passwd (or fragment of) -> <jaildir>/etc/passwd
/etc/groups (or fragment of) -> <jaildir>/etc/groups
/etc/shadow -> <jaildir>/etc/shadow
all other libs referenced by ldd slapd into respective <jaildir>/dir
/usr/local/libexec/openldap -> <jaildir>//usr/local/libexec/openldap
/lib/x86_64-linux-gnu/libnss_* -> <jaildir>/lib/x86_64-linux-gnu
commandline: /usr/local/libexec/slapd -d -1 -f /etc/openldap/slapd.conf -h
"ldap:/// ldapi:///" -n slapd -r /var/chroot/openldap -u ldap -g ldap

The behavior I have experienced is as follows:

1, Launch slapd without user (-u), group (-g), and jail dir (-r) options is
successful.  Slapd is running under the current user id (root).

2. Launch slapd with user and group parameters, but without a jail directory
successful and the root privilege is dropped to the username given

Takeaway - slapd is able to read passwd and groups outside jail. This is
definitely expected.

3, Launch slapd with user, group and jail dir options, slapd fails with a
message that no such user exists in passwd.

4.  Launching slapd given a jail directory, but no user or group options
succeeds with the daemon jailed in jail dir, butrunning as root (undesirable). 

Takeaway - chroot code works, but passwd/groups cannot be accessed after it (as
seen in (3)).  (4) is expected given the code in servers/slapd/main.c attempts
to get the real uid/gid and drop root permission only if the -u and -g options
are given on the command line.

Comparing servers/slapd/main.c to the code for a few other daemons (ntpd, named,
isc-dhcp), the jailing process follows the chdir/chroot process as expected. 
The difference in these other daemon is that, in all cases, the real uid/gid are
retrieved before the chroot code.  By doing this, nsswitch.conf, passwd, groups,
etc are all still available outside the jail.  Once the chroot is completed,
they then drop root permission to the non privileged user given on the command

The code in servers/slapd/main.c gets the real uid/gid AFTER the chroot.  As
such, the authentication infrastructure (nsswitch.conf, passwd, groups, etc)
must be duplicated in the jail.  In my opinion, this makes jailing slapd more
difficult (inconvenient) than the other daemons mentioned.  The jailing code in
slapd may work, but I was unable to make it go as a non-root user.  Didn't find
very much useful information available via Google with respect to
troubleshooting my chroot issue.

To test a few theories, I added some scaffolding code in main.c and user.c to
see where the process was going bad for me.  As expected after looking at the
source, the failure was happening in the slap_init_user function of user.c. 
More specifically, the call to getpwnam was returning NULL (failure) and causing
the corresponding Debug statement to print the error message I am seeing when
attempting to jail as a non-privileged user.  No surprise there.

Not being that familiar with the code in these two files, I am reluctant to
modify too much for fear of introducing unintentional side effects. But in
testing I found a few ways of working around the issue. 

Initially, I thought it might be easiest to move the call to slap_init_user
before the chroot code.  But then I realized that cannot work, because this
function drops root permission before returning which will then cause the chroot
code to fail.

The first, and simplest, workaround I found was that by making an initial call
to getpwnam and discarding the result before hitting the chroot code seemed to
make the subsequent call in slap_init_user succeed.  Wierd.  I can only
speculate two possibilities for that.  The most reasonable is that the getpwnam
call before the chroot code loads some shared library(ies) into memory that I'm
missing in my jail allowing the later call after the chroot call to succeed. 
The second, and least reasonable, is that the man page for getpwnam states the
returned pointer is to a static passwd struct which when initi

Message of length 7996 truncated
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation,