It seems that heartbeat-2 leaks a file descriptor to its child
processes. From the SELinux audit log:

avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

The best explanation for these errors I have is that a file descriptor
(such as STDIN) of these processes points to the heartbeat.pid file.
I haven't verified it in the heartbeat-2 code yet. It's not very likely
that this is exploitable; the heartbeat scripts are started with root
privileges anyway. But in theory it could be possible to trick one of
these scripts into writing a different PID into the pidfile maybe?

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.20.3 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
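The mechanism suspected in the report above, as an added C illustration (not heartbeat code and not the upstream change): a descriptor opened without close-on-exec survives fork() and exec() into the helper program, while FD_CLOEXEC keeps it out. The temporary file, the function name and the `test -e` probe on /proc/self/fd are assumptions made for the demonstration.

```c
/* Added illustration, not heartbeat code: does a helper started with
 * fork() + exec() still hold the parent's pidfile descriptor? */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the helper inherited the descriptor (leak), 0 if it did
 * not, -1 on setup error. Assumes Linux /proc and "test" on PATH. */
int helper_inherits_pidfile_fd(int use_cloexec)
{
    char path[] = "/tmp/demo-pidfile-XXXXXX"; /* constructed stand-in */
    char probe[64];
    int status = 0, fd = mkstemp(path);
    pid_t pid;

    if (fd < 0)
        return -1;
    unlink(path);                        /* the open fd stays valid */
    dprintf(fd, "%ld\n", (long)getpid());
    /* The mitigation: have exec() close the descriptor. */
    if (use_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    snprintf(probe, sizeof probe, "/proc/self/fd/%d", fd);

    pid = fork();
    if (pid == 0) {
        /* Stand-in for heartbeat running ip, rndc or openvpn. */
        execlp("test", "test", "-e", probe, (char *)NULL);
        _exit(127);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;     /* test exits 0: fd exists */
}

int main(void)
{
    printf("plain open: leaked=%d\n", helper_inherits_pidfile_fd(0));
    printf("FD_CLOEXEC: leaked=%d\n", helper_inherits_pidfile_fd(1));
    return 0;
}
```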
On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> Package: heartbeat-2
> Version: 2.0.7-2
> Severity: normal
>
> It seems that heartbeat-2 leaks a file descriptor to its child
> processes. From the SELinux audit log:
>
> avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> The best explanation for these errors I have is that a file descriptor
> (such as STDIN) of these processes points to the heartbeat.pid file.
> I haven't verified it in the heartbeat-2 code yet. It's not very likely
> that this is exploitable; the heartbeat scripts are started with root
> privileges anyway. But in theory it could be possible to trick one of
> these scripts into writing a different PID into the pidfile maybe?
Hi Eric,
that does indeed look like a bit of a problem. Thanks for reporting it.
Hopefully it isn't too hard to track down and fix.
I'm CCing the linux-ha-dev list so their eyes pass over this problem.
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
Re CCing, as I used the wrong address the first time around.
On Thu, Apr 26, 2007 at 11:14:46AM +0900, Simon Horman wrote:
> On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> > forwarded 420637 linux-...@linux-ha.org
> > thanks
> >
> > On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> > > Package: heartbeat-2
> > > Version: 2.0.7-2
> > > Severity: normal
> > >
> > > It seems that heartbeat-2 leaks a file descriptor to its child
> > > processes. From the SELinux audit log:
> > >
> > > avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >
> > > avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >
> > > avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
I don't speak SELinux: comm= denotes a program? I suppose that ip
is from IPaddr2 then. Do you have openvpn and bind in your
heartbeat config? Perhaps you could also post your heartbeat
configuration (ha.cf and haresources/cib.xml).
Thanks.
--
Dejan
I don't see any pidfile fd leaks in the code. This code handling
pidfiles is in lib/clplumbing/cl_pidfile.c.
I also looked for references to "heartbeat.pid" which appears only in
the #define PIDFILE - from outside the functions in cl_pidfile. I can't
find any.
I could easily believe that there are file descriptor leaks from the
LRM, but I don't know how a file descriptor pointing at "heartbeat.pid"
could have leaked. Do I understand this correctly?
So, I wonder if I understand what's in the logs; I don't see how that
could have come from heartbeat 2.0.7.
Never mind. This was apparently fixed sometime after 2.0.7.
http://hg.linux-ha.org/dev/rev/549c74fc1e33
--
Alan Robertson <al...@unix.sh>
"Openness is the foundation and preservative of friendship... Let me
claim from you at all times your undisguised opinions." - William
Wilberforce
Thanks Alan. I'll work out whether that change went into 2.0.8 or will
be going into 2.0.9 and mangle the bug's status accordingly.
Eric, are you in a position to test if this patch resolves the problem?
I can make a package for you to test if that helps you.
--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/
--
I don't know yet when I'll have time to do so.
I'm considering doing a couple of backports for getting better SELinux
support for etch, and I'll probably include heartbeat 2.0.9 there.
(Since that one also resolves the bashism in IPAddr2)
Thank you for investigating this closer; hearing that it has already
been solved upstream is of course nice. :-)
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
A man doesn't know what he knows until he knows what he doesn't know.
A friend is a gift you give yourself.