Bug#420637: heartbeat-2: File descriptor leak?

Erich Schubert

Apr 23, 2007, 1:40:20 PM
Package: heartbeat-2
Version: 2.0.7-2
Severity: normal

It seems that heartbeat-2 leaks a file descriptor to its child
processes. From the SELinux audit log:

avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

The best explanation for these errors I have is that a file descriptor
(such as STDIN) of these processes points to the heartbeat.pid file.
I haven't verified it in the heartbeat-2 code yet. It's not very likely
that this is exploitable; the heartbeat scripts are started with root
privileges anyway. But in theory it could be possible to trick one of
these scripts into writing a different PID into the pidfile maybe?

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20.3 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
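
The inheritance mechanism suggested in the report above, as an added C example that is not part of the original thread or of the heartbeat code: a descriptor opened without close-on-exec stays open in an exec'd helper, while `O_CLOEXEC` or a later `FD_CLOEXEC` closes it at exec. The function names and the temporary file standing in for heartbeat.pid are assumptions, and the check needs Linux with /proc mounted and /bin/sh.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec /bin/sh, and report whether `fd` is still open in the exec'd
 * helper: 1 = inherited, 0 = closed at exec, -1 = error. Needs /proc. */
int survives_exec(int fd)
{
    char num[16];
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        snprintf(num, sizeof num, "%d", fd);   /* becomes $0 in the helper */
        execl("/bin/sh", "sh", "-c", "[ -e /proc/self/fd/$0 ]", num, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Retrofit close-on-exec onto a descriptor that is already open. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Constructed scenario. Bit 0: descriptor without FD_CLOEXEC leaked; bit 1:
 * O_CLOEXEC descriptor leaked; bit 2: leaked after set_cloexec(). */
int demo(void)
{
    char path[] = "/tmp/pidfile-demo-XXXXXX";   /* stand-in for heartbeat.pid */
    int weak = mkstemp(path);                    /* no close-on-exec flag set */
    int hard = open(path, O_RDWR | O_CLOEXEC);   /* closed atomically at exec */
    int result;
    if (weak < 0 || hard < 0) return -1;
    result = survives_exec(weak) == 1 ? 1 : 0;
    result |= survives_exec(hard) == 1 ? 2 : 0;
    set_cloexec(weak);
    result |= survives_exec(weak) == 1 ? 4 : 0;
    close(weak); close(hard); unlink(path);
    return result;
}

int main(void) { printf("leak mask: %d\n", demo()); return 0; }
```

A mask of 1 means only the descriptor without close-on-exec reached the helper, which is the situation in which a confined child such as `ip` or `rndc` would trigger an AVC denial on the inherited file.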

Simon Horman

Apr 23, 2007, 9:00:12 PM
forwarded 420637 linux-...@linux-ha.org
thanks

On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> Package: heartbeat-2
> Version: 2.0.7-2
> Severity: normal
>
> It seems that heartbeat-2 leaks a file descriptor to its child
> processes. From the SELinux audit log:
>
> avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> The best explanation for these errors I have is that a file descriptor
> (such as STDIN) of these processes points to the heartbeat.pid file.
> I haven't verified it in the heartbeat-2 code yet. It's not very likely
> that this is exploitable; the heartbeat scripts are started with root
> privileges anyway. But in theory it could be possible to trick one of
> these scripts into writing a different PID into the pidfile maybe?

Hi Erich,

that does indeed look like a bit of a problem. Thanks for reporting it.
Hopefully it isn't too hard to track down and fix.

I'm CCing the linux-ha-dev list so their eyes pass over this problem.

--
Horms
H: http://www.vergenet.net/~horms/
W: http://www.valinux.co.jp/en/

Simon Horman

Apr 25, 2007, 10:30:08 PM

Re CCing, as I used the wrong address the first time around.

Dejan Muhamedagic

Apr 26, 2007, 10:50:09 AM
Hi,

On Thu, Apr 26, 2007 at 11:14:46AM +0900, Simon Horman wrote:
> On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> > forwarded 420637 linux-...@linux-ha.org
> > thanks
> >
> > On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> > > Package: heartbeat-2
> > > Version: 2.0.7-2
> > > Severity: normal
> > >
> > > It seems that heartbeat-2 leaks a file descriptor to its child
> > > processes. From the SELinux audit log:
> > >
> > > avc: denied { read } for pid=2403 comm="ip" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >
> > > avc: denied { read } for pid=3210 comm="rndc" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >
> > > avc: denied { read } for pid=3303 comm="openvpn" name="heartbeat.pid"
> > > dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> > > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

I don't speak SELinux: comm= denotes a program? I suppose that ip
is from IPaddr2 then. Do you have openvpn and bind in your
heartbeat config? Perhaps you could also post your heartbeat
configuration (ha.cf and haresources/cib.xml).

Thanks.


> > >
> > > The best explanation for these errors I have is that a file descriptor
> > > (such as STDIN) of these processes points to the heartbeat.pid file.
> > > I haven't verified it in the heartbeat-2 code yet. It's not very likely
> > > that this is exploitable; the heartbeat scripts are started with root
> > > privileges anyway. But in theory it could be possible to trick one of
> > > these scripts into writing a different PID into the pidfile maybe?
> >
> > Hi Erich,
> >
> > that does indeed look like a bit of a problem. Thanks for reporting it.
> > Hopefully it isn't too hard to track down and fix.
> >
> > I'm CCing the linux-ha-dev list so their eyes pass over this problem.
>
> Re CCing, as I used the wrong address the first time around.
>
> --
> Horms
> H: http://www.vergenet.net/~horms/
> W: http://www.valinux.co.jp/en/
>

> _______________________________________________________
> Linux-HA-Dev: Linux-...@lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/

--
Dejan

Alan Robertson

May 1, 2007, 3:40:12 PM

I don't see any pidfile fd leaks in the code. This code handling
pidfiles is in lib/clplumbing/cl_pidfile.c.

I also looked for references to "heartbeat.pid" which appears only in
the #define PIDFILE - from outside the functions in cl_pidfile. I can't
find any.

I could easily believe that there are file descriptor leaks from the
LRM, but I don't know how a file descriptor pointing at "heartbeat.pid"
could have leaked. Do I understand this correctly?

So, I wonder if I understand what's in the logs, I don't see how that
could have come from heartbeat 2.0.7.

Never mind. This was apparently fixed sometime after 2.0.7.
http://hg.linux-ha.org/dev/rev/549c74fc1e33

--
Alan Robertson <al...@unix.sh>

"Openness is the foundation and preservative of friendship... Let me
claim from you at all times your undisguised opinions." - William
Wilberforce

Simon Horman

May 1, 2007, 10:40:07 PM

Thanks Alan. I'll work out whether that change went into 2.0.8 or will
be going into 2.0.9 and mangle the bug's status accordingly.

Erich, are you in a position to test if this patch resolves the problem?
I can make a package for you to test if that helps you.

--

Erich Schubert

May 2, 2007, 4:40:11 AM
Hi,
> it seems to me that this fix was included in 2.0.8, and thus the
> 2.0.8-1 debian package. Making the assumption that this fixes
> the problem at hand I am going to close the bug. Erich, please
> feel free to reopen the bug if this is not the case.

I don't know yet when I'll have time to do so.
I'm considering doing a couple of backports for getting better SELinux
support for etch, and I'll probably include heartbeat 2.0.9 there.
(Since that one also resolves the bashism in IPAddr2)

Thank you for investigating this closer; hearing that it has already
been solved upstream is of course nice. :-)

best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
A man doesn't know what he knows until he knows what he doesn't know. //\
Ein Freund ist ein Geschenk, das man sich selbst macht. V_/_
