BIND 10 #2595: cmdctl with chusr crashes due to permission issue
BIND 10 Development
do-not-reply at isc.org
Wed Jan 23 18:17:43 UTC 2013
#2595: cmdctl with chusr crashes due to permission issue
-------------------------------------+-------------------------------------
Reporter: jinmei                     | Owner: jinmei
Type: defect                         | Status: reviewing
Priority: medium                     | Milestone: Sprint-20130205
Component: cmd-ctl                   | Resolution:
Keywords:                            | CVSS Scoring:
Sensitive: 0                         | Defect Severity: N/A
Sub-Project: Core                    | Feature Depending on Ticket:
Estimated Difficulty: 3              | Add Hours to Ticket: 0
Total Hours: 0                       | Internal?: 0
-------------------------------------+-------------------------------------
Comment (by jinmei):
First, I noticed one (unrelated) style issue and fixed it in the branch.
Replying to [comment:11 jelte]:
> > - shouldn't we close the socket here?
> > {{{#!python
> > except (CmdctlException, IOError) as cce:
> >     logger.error(CMDCTL_SSL_SETUP_FAILURE_READING_CERT, cce)
> >     # raise socket error to finish the request
> >     raise socket.error
> > }}}
> > like the case of `SSLError`? In fact, probably due to this bindctl
> > now seems to revert to the previous unhelpful error message.
>
> doh, of course
Actually, it was still not sufficient. On a closer look, I realized
catching ECONNRESET at bindctl shouldn't help, because in this case
it's not "connection reset" (getting TCP RST). At the TCP level it
would be a close of the connection (FIN), and even that's not really
correct. As the (unhelpful) error message shows, the error was caught
at the SSL level and returned to bindcmd. So what we need to catch is
an ssl.SSLError exception whose errno is `SSL_ERROR_EOF`, e.g.:
{{{#!python
try:
    response = self.send_POST('/login', param)
    data = response.read().decode()
    return (response, data)
except ssl.SSLError as err:
    self._print("SSL error while sending login information: ", err)
    if err.errno == ssl.SSL_ERROR_EOF:
        self._print("Please check the logs of b10-cmdctl, there may "
                    "be a problem accepting SSL connections, such "
                    "as a permission problem on the server "
                    "certificate file.")
    raise FailToLogin()
except socket.error as err:
    self._print("Socket error while sending login information: ", err)
    raise FailToLogin()
}}}
(note that we'll need some additional tests). I'd also note that in
Python 3.3 this will have to be ssl.SSLEOFError (not sure if the errno
check also works).
Other changes look okay.
--
Ticket URL: <https://bind10.isc.org/ticket/2595#comment:12>
BIND 10 Development <http://bind10.isc.org>
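
The failure mode discussed in this comment, reproduced on loopback as an added example (not code from the ticket or from bindctl): a constructed stub server accepts the TCP connection and closes it without speaking TLS, and the client classifies the exception it gets. The names `classify_login_failure` and `probe` are hypothetical, and Python 3.3 or later is assumed.

```python
import socket
import ssl
import threading


def _accept_then_close(listener):
    """Constructed stub: accepts TCP, then closes without speaking TLS."""
    conn, _ = listener.accept()
    with conn:
        conn.shutdown(socket.SHUT_WR)   # FIN goes out, no TLS bytes sent
        while conn.recv(4096):          # drain ClientHello so close() sends no RST
            pass


def classify_login_failure(err):
    """Return the category a client should report for a failed login attempt."""
    if isinstance(err, ssl.SSLError):
        # ssl.SSLEOFError (Python 3.3+) subclasses ssl.SSLError, keeps the errno.
        if isinstance(err, ssl.SSLEOFError) or err.errno == ssl.SSL_ERROR_EOF:
            return "ssl-eof"    # peer closed mid-handshake: point at server logs
        return "ssl-other"
    if isinstance(err, OSError):    # socket.error is OSError since Python 3.3
        return "socket"
    return "unknown"


def probe():
    """Attempt a TLS handshake with the stub; return (category, exception)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    stub = threading.Thread(target=_accept_then_close, args=(listener,), daemon=True)
    stub.start()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # the stub never presents a certificate
    raw = socket.create_connection(listener.getsockname(), timeout=5)
    try:
        ctx.wrap_socket(raw).close()    # the handshake runs inside wrap_socket()
        return ("connected", None)
    except (ssl.SSLError, OSError) as err:
        return (classify_login_failure(err), err)
    finally:
        raw.close()
        stub.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(probe())
```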