Your message dated Wed, 2 May 2007 12:19:25 +0900
with message-id <[EMAIL PROTECTED]>
and subject line [Linux-ha-dev] Re: Bug#420637: heartbeat-2: File descriptor 
leak?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: heartbeat-2
Version: 2.0.7-2
Severity: normal

It seems that heartbeat-2 leaks a file descriptor to its child
processes. From the SELinux audit log:

avc:  denied  { read } for  pid=2403 comm="ip" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc:  denied  { read } for  pid=3210 comm="rndc" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

avc:  denied  { read } for  pid=3303 comm="openvpn" name="heartbeat.pid"
dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

The best explanation for these errors I have is that a file descriptor
(such as STDIN) of these processes points to the heartbeat.pid file.
I haven't verified it in the heartbeat-2 code yet. It's not very likely
that this is exploitable; the heartbeat scripts are started with root
privileges anyway. But in theory it could be possible to trick one of
these scripts into writing a different PID into the pidfile maybe?

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20.3 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


--- End Message ---
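
The situation the report above hypothesises, as an added example that is not part of the original thread and not heartbeat code: a descriptor opened by a parent survives fork() and exec() into a helper unless FD_CLOEXEC is set on it. The function name helper_inherits_fd, the PROBE_FD number and the temporary file standing in for heartbeat.pid are assumptions made for the demonstration.

```c
/* Added illustration (not heartbeat code): does a descriptor opened by a
 * daemon survive fork()+exec() into a helper, with and without FD_CLOEXEC? */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_FD 9  /* assumed free; single digit so any /bin/sh can name it */

/* Returns 1 if the helper still has the descriptor open after exec,
 * 0 if it was closed across exec, -1 on a setup error. */
int helper_inherits_fd(int set_cloexec)
{
    char path[] = "/tmp/demo-pidfile-XXXXXX";  /* stand-in for heartbeat.pid */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                      /* file lives on only through the fd */
    if (fd != PROBE_FD) {
        if (dup2(fd, PROBE_FD) < 0) { close(fd); return -1; }
        close(fd);
    }
    /* At this point FD_CLOEXEC is clear: the leaky default. */
    if (set_cloexec && fcntl(PROBE_FD, F_SETFD, FD_CLOEXEC) < 0) {
        close(PROBE_FD);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) { close(PROBE_FD); return -1; }
    if (pid == 0) {
        /* The helper: the redirection fails if fd 9 is not open. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : <&9", (char *)NULL);
        _exit(127);                    /* exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { close(PROBE_FD); return -1; }
    close(PROBE_FD);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", helper_inherits_fd(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", helper_inherits_fd(1));
    return 0;
}
```
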
--- Begin Message ---
Version: 2.0.8-1

On Wed, May 02, 2007 at 10:59:13AM +0900, Simon Horman wrote:
> On Tue, May 01, 2007 at 01:27:20PM -0600, Alan Robertson wrote:
> > Dejan Muhamedagic wrote:
> > > Hi,
> > > 
> > > On Thu, Apr 26, 2007 at 11:14:46AM +0900, Simon Horman wrote:
> > >> On Tue, Apr 24, 2007 at 09:51:45AM +0900, Simon Horman wrote:
> > >>> forwarded 420637 [EMAIL PROTECTED]
> > >>> thanks
> > >>>
> > >>> On Mon, Apr 23, 2007 at 07:28:53PM +0200, Erich Schubert wrote:
> > >>>> Package: heartbeat-2
> > >>>> Version: 2.0.7-2
> > >>>> Severity: normal
> > >>>>
> > >>>> It seems that heartbeat-2 leaks a file descriptor to its child
> > >>>> processes. From the SELinux audit log:
> > >>>>
> > >>>> avc:  denied  { read } for  pid=2403 comm="ip" name="heartbeat.pid"
> > >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ifconfig_t:s0
> > >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >>>>
> > >>>> avc:  denied  { read } for  pid=3210 comm="rndc" name="heartbeat.pid"
> > >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:ndc_t:s0
> > >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > >>>>
> > >>>> avc:  denied  { read } for  pid=3303 comm="openvpn" 
> > >>>> name="heartbeat.pid"
> > >>>> dev=ida/c0d0p5 ino=86181 scontext=root:system_r:openvpn_t:s0
> > >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> > > 
> > > I don't speak SElinux: comm= denotes a program? I suppose that ip
> > > is from IPaddr2 then. Do you have openvpn and bind in your
> > > heartbeat config? Perhaps you could also post your heartbeat
> > > configuration (ha.cf and haresources/cib.xml).
> > 
> > I don't see any pidfile fd leaks in the code.  This code handling
> > pidfiles is in lib/clplumbing/cl_pidfile.c.
> > 
> > I also looked for references to "heartbeat.pid" which appears only in
> > the #define PIDFILE - from outside the functions in cl_pidfile.  I can't
> > find any.
> > 
> > I could easily believe that there are file descriptor leaks from the
> > LRM, but I don't know how a file descriptor pointing at "heartbeat.pid"
> > could have leaked.  Do I understand this correctly?
> > 
> > So, I wonder if I understand what's in the logs, I don't see how that
> > could have come from heartbeat 2.0.7.
> > 
> > Never mind.  This was apparently fixed sometime after 2.0.7.
> > http://hg.linux-ha.org/dev/rev/549c74fc1e33
> 
> Thanks Alan.  I'll work out whether that change went into 2.0.8 or will
> be going into 2.0.9 and mangle the bug's status accordingly.
> 
> Eric, are you in a position to test if this patch resolves the problem?
> I can make a package for you to test if that helps you.

Hi,

it seems to me that this fix was included in 2.0.8, and thus the
2.0.8-1 debian package. Making the assumption that this fixes
the problem at hand I am going to close the bug. Eric, please
feel free to reopen the bug if this is not the case.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/


--- End Message ---
