Dragonlord Guru
Joined: 22 Aug 2004 Posts: 446 Location: Switzerland
Posted: Sun Jul 29, 2007 6:54 pm Post subject: Segfault in Apache/Courier using LDAP on Amd64 hardened
I'm in the process of migrating an old i386 non-hardened server over to a new amd64 hardened machine. So far everything went well except a few buggers ( ocaml not compilable with PIE enabled ) which I could sort out myself, but now I'm stuck on a huge fun killer.
The network system relies on LDAP for doing all security checks ( email, web, svn and so forth ). OpenLDAP works without a problem. I could migrate the LDAP database over and I can query from another computer or using ldapsearch without a problem. But whenever Apache or Courier-IMAP tries to authenticate using LDAP, the child processes always segfault right away.
I already tried recompiling openldap, apache and courier-authlib, but without success. I don't know where the problem could be. I don't mind compiling some package there without PIE enabled if this is the problem, since LDAP access is only on the server in the end ( although I would prefer not having to do so ). I have the following situation:
1) OpenLDAP server runs ( OK )
2) ldapsearch yields correct results ( OK )
3) Test connection from another computer on LDAP works ( OK )
4) courier-authlib crashes trying to use LDAP ( BAD )
5) apache2 crashes trying to authenticate against LDAP ( BAD )
For point 4 I checked the logs, but they showed not much useful even if debug is at max. What I found out is that courier-authlib queries for the information in LDAP and successfully receives it, but then things crash right afterwards.
For point 5 I have no pointers at all. In the logs I only get "[notice] child pid 2365 exit signal Segmentation fault (11)". It happens only as soon as LDAP is used.
Does anybody have an idea what could be the problem? Is there a sort of libldap that could react badly to PIE and would require particular recompilation?
_________________
DragonDreams: Leader and Head Programmer

Dragonlord Guru
Joined: 22 Aug 2004 Posts: 446 Location: Switzerland
Posted: Sun Jul 29, 2007 7:56 pm Post subject:
I played around with the noPIE compiler to test which package seems to be broken. I tried the following ( P=PIE, N=NoPIE ):
1) openldap(P), apr-util(P), apache(P) => Segfault
2) openldap(P), apr-util(N), apache(P) => Segfault
3) openldap(P), apr-util(P), apache(N) => No Segfault
As it looks, it is the apache package which has broken LDAP support ( or rather PIE is broken ). This bugs me a bit, though, since I had the intention to protect Apache, being a potential break-in point. Any ideas why apache fails under PIE with LDAP but not PHP/PostgreSQL?
_________________
DragonDreams: Leader and Head Programmer

kimptoc n00b
Joined: 28 May 2004 Posts: 36
Posted: Wed Aug 01, 2007 7:22 am Post subject:
Hi,
Not sure if this is related, but I have an amd64 Gentoo box, not hardened, and just upgraded PHP and started getting segfaults in squirrelmail, which uses php/courier.
I have now downgraded PHP and things are working OK.
That is, php-5.2.3-r3 causes segfaults, but returning to php-5.2.2-r1 fixes it.
Quote:
worf ~ # emerge -pv apache dev-lang/php
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] www-servers/apache-2.0.58-r2 USE="apache2 doc ssl -debug -ldap -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads" 0 kB
[ebuild U ] dev-lang/php-5.2.3-r3 [5.2.2-r1] USE="apache2 berkdb cli crypt doc gdbm iconv imap ipv6 mysql ncurses nls pcre readline reflection session spl ssl unicode xml zlib (-adabas) -bcmath (-birdstep) -bzip2 -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase (-dbmaker) -debug -discard-path (-empress) (-empress-bcs) (-esoob) -exif -fastbuild (-fdftk) -filter (-firebird) -flatfile -force-cgi-redirect (-frontbase) -ftp -gd -gd-external -gmp -hash -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets (-solid) -spell -sqlite -suhosin (-sybase) (-sybase-ct) -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external" 7,262 kB
Regards,
Chris
PS I don't know what PIE is...