[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

Jorge Niedbalski 1584485 at bugs.launchpad.net
Thu Nov 10 19:28:46 UTC 2016


OK, I have verified that the trusty-proposed version fixes the reported
issue.

The steps run for verification:

1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
   7.1) sudo restart smbd
   7.2) sudo restart nmbd
   7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind


The segmentation fault mentioned before is not experienced.
Also with the patch applied:
root@samba:~# ldd /lib/x86_64-linux-gnu/security/pam_winbind.so
 linux-vdso.so.1 => (0x00007ffe0bdaf000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb246748000)
 libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fb246539000)
 libtalloc.so.2 => /usr/lib/x86_64-linux-gnu/libtalloc.so.2 (0x00007fb24632c000)
 libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fb24611e000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb245d59000)
 /lib64/ld-linux-x86-64.so.2 (0x000055695ab59000)
 libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fb245b34000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb245930000)

root@samba:~# ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
 linux-vdso.so.1 => (0x00007fffe9195000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd3e84f7000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd3e8132000)
 /lib64/ld-linux-x86-64.so.2 (0x0000563f59046000)


** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485

Title:
  Upgrading samba to latest security fixes together with winbind in
  nsswitch.conf can harm entire OS

Status in samba package in Ubuntu:
  Fix Released
Status in samba source package in Trusty:
  Fix Committed
Status in samba source package in Xenial:
  Fix Committed
Status in samba source package in Yakkety:
  Fix Committed
Status in samba package in Debian:
  New

Bug description:
  [Impact]

  * Upgrading samba when using winbind as NSS service can break OS.
  * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version difference between winbind and libraries.

  [Test Case]

  1) Start an ubuntu Trusty container
  2) cp /etc/apt/sources.list /etc/apt/sources.list.back
  3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
  4) sudo apt-get update
  5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
  6) Set /etc/nsswitch.conf to : passwd: winbind compat
  7) Restart the services
     7.1) sudo restart smbd
     7.2) sudo restart nmbd
     7.3) sudo restart winbind
  8) cp /etc/apt/sources.list.back /etc/apt/sources.list
  9) sudo apt-get update
  10) sudo apt-get install samba winbind libnss-winbind libpam-winbind

  While installing, you will see things similar to this :

  > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
  > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
  >  subprocess dpkg-deb --control returned error exit status 2
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped

  [Regression Potential]

  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change

  [Other Info]

  * Original Bug Description:

  It was brought to my attention that, because of latest security fixes
  for samba:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (especially if used before compat mechanism).

  ----

  How to reproduce easily:

  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat

  (winbind is usually used after compat, in this case it was used
  before)

  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
  a:

  $ sudo apt-get update

  and FINALLY:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

  Leading into an unusable system in the following state:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

  ## state

  Workaround:

  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
  with "pam-auth-update") before ANY attempt of upgrading samba to
  latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
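
A pre-upgrade check for the workaround described in the bug description, as an added example that is not part of the original report or of the samba packaging. The function name `check_nss_winbind` is hypothetical, the sample file is constructed from the nsswitch.conf quoted in the report, and treating `files` like `compat` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report or the samba packaging.
# check_nss_winbind FILE prints one line per NSS database that lists winbind:
#   "<db> winbind-first"  winbind precedes compat/files (the order in the report)
#   "<db> winbind-after"  winbind is listed after compat/files
# Returns 1 if any database lists winbind, 0 otherwise.
check_nss_winbind() {
    awk '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 ~ /:$/ {
            db = $1; sub(/:$/, "", db)
            wb = 0; base = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue     # action item, e.g. [NOTFOUND=return]
                if ($i == "winbind" && !wb) wb = i
                # Assumption: "files" is treated like "compat" as the local source
                if (($i == "compat" || $i == "files") && !base) base = i
            }
            if (wb) {
                found = 1
                order = (base && base < wb) ? "winbind-after" : "winbind-first"
                print db, order
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the nsswitch.conf quoted in the bug description.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: winbind compat
shadow: compat
group: winbind compat
EOF

if report=$(check_nss_winbind "$sample"); then
    echo "winbind not referenced in NSS"
else
    echo "winbind referenced in NSS; apply the workaround before upgrading samba:"
    echo "$report"
fi
rm -f "$sample"
```

Pointing the function at /etc/nsswitch.conf before running apt-get gives a non-zero status whenever winbind is still listed for any database.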


