Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG, Page 126 of 807  Not logged in ELOG logo
 Find |  Login |  Help 
 Full | Summary | Threaded | Show attachments  Show only new entries    6451 Entries 
Goto page Previous  1, 2, 3 ... 125, 126, 127 ... 805, 806, 807   Next  
ID Date Icon Author Author Email Category OS ELOG Version Subjectdown
  69354   Sun Apr 25 15:17:27 2021 Reply Laurent Jean-Rigaudlollspam@free.frBug reportLinuxELOG V3.1.4-611Re: segfault in auth.c:366

Hi,

Maybe it could be useful to add new parameters in elogd.cfg to define the attribute name to use to retrieve the given name, login name and email from LDAP server.

By example :

LDAP email attribute = mail
LDAP surname attribute = id
LDAP givename attribute = gn

 

So users can define them according to their exotic LDAP schema ;-)

 

Laurent

  69358   Wed Apr 28 04:01:49 2021 Reply gary holmanholman@uw.eduBug reportLinuxELOG V3.1.4-611Re: segfault in auth.c:366

Dear Mr Ritt, Mr Schenk,

Thank you for the responses.  This was indeed my issue and direction to fix the crash.

Thank you,

Gary

Sebastian Schenk wrote:

Hi Mr. Holman,

The problem you are facing is more likely the issue, that the LDAP method is only provided as-is from a different developer.

I had a similar issue with the LDAP of my university.
I can't remember the correct error messages, but it looks similar, which arises from the used c library for LDAP.
The LDAP connection response can have 2 different variable types and only one of them is implemented in the elog, the other one crashes the elog with segfault.

I could fix it with this patch:
https://bitbucket.org/merrx/elog/commits/5a75fdb3e0b723380dae73bb57653946ed72690c
Obviously you have to adapt "displayName" and "postOfficeBox" to represent the name and email attributes of your LDAP structure.

I didn't made a PR for this commit, because it would break the current LDAP implementation, i assume.

Best wishes,
Sebastian

gary holman wrote:

Elog version:  ELOG V3.1.4-611489ba

I am running openldap on the localhost.  For some reason now, elogd is segfaulting when (I believe) when a new user is being added to the password file.  For example:

1. I delete user passord file defined in elogd.cfg

2. Bind/Authenticate to LDAP successfully

3.  Segfaults in auth.c ldap_adduser_file()

 

Makefile:
...
ELOGDIR    = /opt/elog
DESTDIR    = $(ROOT)$(PREFIX)/bin
SDESTDIR   = $(ROOT)$(PREFIX)/sbin
RCDIR      = $(ROOT)/etc/rc.d/init.d
SRVDIR     = $(ROOT)/usr/lib/systemd/system

# flag for SSL support
USE_SSL    = 1

# flag for Kerberos support, please turn off if you don't need Kerberos
USE_KRB5   = 0

# flag for LDAP support, please turn off if you don't need LDAP
USE_LDAP   = 1# flag for PAM support, please turn of if you don't need PAM
USE_PAM    = 0
...

For authentication, I am using openldap in the localhost:

----
Authentication = LDAP
LDAP server = ldap://localhost:389
LDAP userbase = ou=people,dc=example,dc=org
LDAP login attribute = uid
LDAP register = 1
Password file = /opt/elog/users
 

gdb output

----------

(gdb) run -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/UPGRADE-42221/work-src/elog/elogd -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
elogd 3.1.4 built Apr 22 2021, 19:19:39 revision 611489ba
File "/var/run/elog/elog.pid" exists, overwriting it.
CKeditor detected
ImageMagick detected
Indexing logbooks ... done
Server listening on port 9011 ...

Breakpoint 1, ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=0x7ffffffd53d0 "", error_size=<optimized out>) at src/auth.c:350
350       if (rc != LDAP_SUCCESS) {
(gdb) n
337       rc = ldap_search_ext_s(
(gdb) n
350       if (rc != LDAP_SUCCESS) {
(gdb) n
358       for(entry = ldap_first_entry(ldap_ld,result);
(gdb) n
371                   if(strcmp(attribute,"mail")==0 || strcmp(attribute,"rfc822Mailbox")==0)
(gdb) n
361          for(attribute = ldap_first_attribute(ldap_ld,entry,&ber);
(gdb) n
365             if((values = ldap_get_values(ldap_ld,entry,attribute)) != NULL ) {
(gdb) n
366                for(i=0; values[i] != NULL; i++) {
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=<optimized out>, error_size=<optimized out>) at src/auth.c:366
366                for(i=0; values[i] != NULL; i++) {
(gdb) p attribute
$1 = 0x5555567f6a20 "uid"
(gdb) p values
$2 = (char **) 0x567f74f0
 

This user in LDAP:
-------------------------
# TESTUSER, people, example.org
dn: uid=TESTUSER,ou=people,dc=example,dc=org
uid: TESTUSER
cn: TESTUSER
givenName: TESTUSER
sn:: VEVTVFVTRVIg
mail: TESTUSER
uidNumber: 10000
gidNumber: 10000
homeDirectory: /dev/null
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword:: e1NTSEF9Y21ua1lsdFpMZ3ZrZlZ4OUp3MFN3cUY3NWIzdkFCSWY=
 

 

 

 

 

 

  186   Tue Jan 7 09:39:29 2003 Reply Stefan Rittstefan.ritt@psi.chBug report  Re: security in find option as a guest
> if you are guest in the find option  
> 
> select 'all logbook'
> 
> it will display all 'attributes' from other logbook 
> with no option  'guest command ...'
> but having the same 'attribute' name
> 
> Solution :
> **********
> I use the copy to command to make a copy to other logbook
> with option 'guest command' enabled
> 
> in this section I remove some field so the guest user can't no see all field
> 
> I suggest to give acces to 'guest' on a second run of elog to another
> port or other computer ?

I see your problem. I could either disable the "Search all logbooks" switch 
for certain logbooks (like the guest one), or restrict the search to logbooks 
which have a "guest command" option. What would you prefer?

- Stefan
  187   Tue Jan 7 16:04:14 2003 Reply Etienne Van Caillieetienne.vancaillie@mba.beBug report  Re: security in find option as a guest
> > if you are guest in the find option  
> > 
> > select 'all logbook'
> > 
> > it will display all 'attributes' from other logbook 
> > with no option  'guest command ...'
> > but having the same 'attribute' name
> > 
> > Solution :
> > **********
> > I use the copy to command to make a copy to other logbook
> > with option 'guest command' enabled
> > 
> > in this section I remove some field so the guest user can't no see all 
field
> > 
> > I suggest to give acces to 'guest' on a second run of elog to another
> > port or other computer ?
> 
> I see your problem. I could either disable the "Search all logbooks" switch 
> for certain logbooks (like the guest one), or restrict the search to 
logbooks 
> which have a "guest command" option. What would you prefer?
> 
> - Stefan

may be add a parameter

Restrict Search all logboog = 1 or 0
if 1 the switch will not appear
  188   Tue Jan 7 17:30:50 2003 Idea Stefan Rittstefan.ritt@psi.chBug report  Re: security in find option as a guest
> may be add a parameter
> 
> Restrict Search all logboog = 1 or 0
> if 1 the switch will not appear 

The flag "Search all logbooks" is already there! (I forgot about it!). So 
just set it to "0" and you should be fine.

- Stefan
  192   Fri Jan 10 15:10:53 2003 Smile Etienne Van Caillieetienne.vancaillie@mba.beBug fix  Re: security in find option as a guest
> > may be add a parameter
> > 
> > Restrict Search all logboog = 1 or 0
> > if 1 the switch will not appear 
> 
> The flag "Search all logbooks" is already there! (I forgot about it!). So 
> just set it to "0" and you should be fine.
> 
> - Stefan

I do and it work fine
  67323   Wed Aug 29 10:46:49 2012 Reply Stefan Rittstefan.ritt@psi.chQuestionLinuxlatestRe: secure way to allow users create logbook

Szu-Ching Peckner wrote:

I don't think there is a good secure way so far, but would like to have your opinion. 

If I want user to create logbook for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, have it write to cfg file, but obviously it impose security problem. Is there a good and secure way to allow user to create logbook themselves?

Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.

- Stefan 

  67324   Wed Aug 29 14:35:45 2012 Agree Szu-Ching Pecknerspeckner@nd.eduQuestionLinuxlatestRe: secure way to allow users create logbook

Stefan Ritt wrote:

Szu-Ching Peckner wrote:

I don't think there is a good secure way so far, but would like to have your opinion. 

If I want user to create logbook for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, have it write to cfg file, but obviously it impose security problem. Is there a good and secure way to allow user to create logbook themselves?

Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.

- Stefan 

 Thanks, that is good option. 

Goto page Previous  1, 2, 3 ... 125, 126, 127 ... 805, 806, 807   Next  
ELOG V3.1.5-3fb85fa6