[Bug 1788459] Please test proposed package

Timo Aaltonen 1788459 at bugs.launchpad.net
Fri Jul 2 13:41:02 UTC 2021 

Hello Robert, or anyone else affected,

Accepted gssproxy into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/gssproxy/0.8.2-2ubuntu0.20.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1788459

Title:
  gssproxy  crashes in libselinux.so.1 on Ubuntu 18.04 when called by
  rpc.gssd

Status in gssproxy package in Ubuntu:
  In Progress
Status in libselinux package in Ubuntu:
  Invalid
Status in gssproxy source package in Focal:
  Fix Committed
Status in libselinux source package in Focal:
  Invalid
Status in gssproxy source package in Hirsute:
  Fix Committed
Status in libselinux source package in Hirsute:
  Invalid

Bug description:
  [ Impact ]

  gssproxy users on Focal and Hiruste who configure the package to
  handle NFS mountpoints using Kerberos authentication will experience a
  segmentation fault when invoking the service either through systemd or
  by hand.

  [ Test Case]

  Inside a Focal LXD container:

  $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
  $ lxc shell gssproxy-bug1788459-focal
  # apt update
  # apt install -y gssproxy nfs-kernel-server
  # cat > /etc/gssproxy/gssproxy.conf << __EOF__
  [gssproxy]
  debug = true
  debug_level = 3
  __EOF__
  # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
  [service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0
  __EOF__
  # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
  [2021/06/30 14:34:14]: Debug Enabled (level: 3) 
  [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
  [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
  [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]:  connected (fd = 12)[2021/06/30 14:34:14]:  (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
  lt (core dumped)

  [ Where problems could occur ]

  * The backported patch is simple and it is very unlikely that it will introduce a regression.
  * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.

  [ Original Description ]

  I have apache configured to perform a kerberized NFS4 mount using
  rpc.gssd and gssproxy.

  If I request a web page that requires NFS4 access, then gssproxy
  crashes, reporting a segfault in libselinux.so.1 and the web request
  generates a 403 error.

  gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
  error 4 in libselinux.so.1[7f2f5bb0d000+25000]

  If I run gssproxy at debug level = 3, and then load a web page, I can
  see the uid/principal request for www-data come in from rpc.gssd:

  # gssproxy -d --debug-level=3 -i -C /etc/gssproxy

  [2018/08/22 17:51:40]: Debug Enabled (level: 3)
  [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]:  connected (fd = 10)[2018/08/22 17:52:06]:  (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)

  Since gssproxy is required to initiate kerberos principals for any
  local application services - Ubuntu 18.04 does not currently support
  running application services with NFS4 kerberos dependencies.  This
  has a fairly significant impact on anyone attempting to implement
  kerberos on Ubuntu 18.04

  Ubuntu 18.04.1 LTS
  gssproxy 0.8.0-1
  libselinux1:amd64 2.7-2build2
  libgssrpc4:amd64 1.16-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions

More information about the foundations-bugs mailing list