kernel-packages team mailing list archive

Thread
Date

[Bug 1335478] Re: A new instance of IBM Domino 'bindsock' cannot bind to ports <1024 Kernel 3.13.0-29 and above

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Andy Whitcroft <apw@xxxxxxxxxxxxx>
Date: Fri, 19 Dec 2014 11:06:38 -0000
Reply-to: Bug 1335478 <1335478@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

@Ben -- the code is clear, the issue is the API is not clear.  These
issues have occurred because the userspace program is passing in junk in
one of the fields of the structure it passes to the kernel, literally
random bits from its stack.  In attempting to validate those to prevent
security issues this userspace application has been caught out.  The
main issue is the documentation for the call can be read to say you do
not need to fill in that field under some circumstances, a failure in
the documentation, but given that the validation needs to be more
targetted; and this final fix does that, zapping the "not needed to be
filled value" to zero when it is not required to avoid validation
failures.  The new code also documents this ABI weakness so that it
should not occur.

Of course none of that excuses the userspace programmer from not
initialising this structure sensibly regardless of the documentation.
It is plain sloppy practice.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1335478

Title:
  A new instance of IBM Domino 'bindsock' cannot bind to ports <1024
  Kernel  3.13.0-29 and above

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  Fix Committed
Status in linux-lts-trusty source package in Lucid:
  Invalid
Status in linux-lts-utopic source package in Lucid:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-trusty source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Utopic:
  Fix Committed
Status in linux-lts-trusty source package in Utopic:
  Invalid
Status in linux-lts-utopic source package in Utopic:
  Invalid
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-trusty source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid

Bug description:
  Starting  with kernels  3.2.0-64 and 3.13.0-29  Something has changed
  to once again that prevents IBM Domino's
  "/opt/ibm/domino/notes/latest/linux/bindsock" binary that runs as root
  (setuid) to get ports lower than 1024 for it's LDAP, SMTP, IMAP, POP3,
  and HTTP processes.

  The Domino server reports  the following: :
    "Listener failure: 'bindsock' is missing, not executable, not owned by root, not setuid root or user needs net_privaddr privilege."

  This is the same behaviour that was reported and subsequently
  corrected in Bug # 1269053

  ===
  break-fix: dbb490b96584d4e958533fb637f08b557f505657 6a2a2b3ae0759843b22c929881cc184b00cc63ff

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1335478/+subscriptions