RHBA-2013:1685 - Bug Fix Advisory

Topic

Updated libcgroup packages that fix several bugs and add one enhancement are now
available for Red Hat Enterprise Linux 6.

Description

The libcgroup packages provide tools and libraries to manage and monitor control
groups.

This update fixes the following bugs:

• Previously, the pam_cgoup pluggable authentication module (PAM) did not use

caching. As a consequence, when a system had several thousand users and the
cgrules.conf file contained several thousand lines of configuration settings,
the login time could take several seconds. With this update, the libcgroup code
no longer reads the /etc/passwd file once for every line in cgrules.conf, and
the login time is no longer affected in the described scenario. (BZ#972893)

• Prior to this update, the cgroup files did not have write permissions set

correctly. Consequently, members of the group that owned the cgroup files could
not modify their content. The group permissions have been updated, and the
members of the group can now modify the content of the cgroup files. (BZ#863172)

• Previously, the behavior of the cgred service when opening the configuration

file was not set correctly. Consequently, cgred failed to start if the
configuration file was missing or empty. Explicit checks for the existence of
the configuration file have been removed, and cgred now starts with a missing or
empty configuration file as expected. (BZ#921328)

• The code in the cg_get_pid_from_flags() function assumed that every entry in

the /etc/cgrules.conf file had the process name specified. As a consequence, if
the entry in the /etc/cgrules.conf file did not specify the process name, the
cgred service terminated unexpectedly with a segmentation fault. This update
allows the code to accept empty process names and cgred no longer crashes.
(BZ#912425)

• Prior to this update, the permissions of the /bin/cgclassify file were set

incorrectly. As a consequence, the "--sticky" option of the cgclassify command
was ignored when running under a non-privileged user. The file permissions of
/bin/cgclassify have been updated, and the "--sticky" option now works correctly
for regular users. (BZ#946953)

• Previously, using commas in the lexical analyzer was not supported. As a

consequence, the cgconfig service failed to parse commas in the cgconfig.conf
file. Support for commas in the lexical analyzer has been added, and cgconfig
can now successfully parse commas in cgconfig.conf. (BZ#753334)

• The cgrulesengd daemon had different default logging level than the rest of

the library. Consequently, the log messages were inconsistent. With this update,
the logging level of the cgrulesengd daemon and the library has been unified,
and the log messages are now consistent as expected. (BZ#924399)

• Prior to this update, the cgcreate(1) manual page contained the invalid "-s"

option in the synopsis. This update removes this option. (BZ#809550)

• Previously, the cgred service was starting too early in the boot process. As a

consequence, if some services started before cgred, they could avoid being
restricted. The boot priority of cgred has been lowered, and all services are
now restricted correctly. (BZ#961844)

In addition, this update adds the following enhancement:

• After this update, the cgred daemon supports automated control groups for

every user in any UNIX group that logs in. A template is now used to create a
new control group automatically, and every process the user launches is started
in the appropriate group, which makes managing multiple users easier.
(BZ#589535)

Users of libcgroup are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 738620 - PID file of cgred is not labelled correctly
• BZ - 753334 - cgconfig fails to parse commas in the cgconfig.conf file
• BZ - 809550 - cgcreate man page shows "-s" option in synopsis
• BZ - 916397 - cgrulesengd segmentation fault
• BZ - 921328 - The cgred service fails to start with an empty configuration file.
• BZ - 924399 - cgrulesengd daemon has different default logging level than the rest of the library
• BZ - 951724 - Typo in cgget man page
• BZ - 961844 - after reboot cgred does not confine/move users' processes into relevant target...
• BZ - 964219 - cgred process dies
• BZ - 972893 - pam_cgroup is slow when cgrules.conf and /etc/passwd are large

CVEs

(none)

References

(none)