[Bug 1788459] [gssproxy/focal] verification still needed
Brian Murray
1788459 at bugs.launchpad.net
Fri Oct 1 19:30:23 UTC 2021
The fix for this bug has been awaiting testing feedback in the -proposed
repository for focal for more than 90 days. Please test this fix and
update the bug appropriately with the results. In the event that the
fix for this bug is still not verified 15 days from now, the package
will be removed from the -proposed repository.
** Tags added: removal-candidate
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1788459
Title:
gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by
rpc.gssd
Status in gssproxy package in Ubuntu:
In Progress
Status in libselinux package in Ubuntu:
Invalid
Status in gssproxy source package in Focal:
Fix Committed
Status in libselinux source package in Focal:
Invalid
Status in gssproxy source package in Hirsute:
Fix Committed
Status in libselinux source package in Hirsute:
Invalid
Bug description:
[ Impact ]
gssproxy users on Focal and Hiruste who configure the package to
handle NFS mountpoints using Kerberos authentication will experience a
segmentation fault when invoking the service either through systemd or
by hand.
[ Test Case]
Inside a Focal LXD container:
$ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
$ lxc shell gssproxy-bug1788459-focal
# apt update
# apt install -y gssproxy nfs-kernel-server
# cat > /etc/gssproxy/gssproxy.conf << __EOF__
[gssproxy]
debug = true
debug_level = 3
__EOF__
# cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
__EOF__
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/06/30 14:34:14]: Debug Enabled (level: 3)
[2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
lt (core dumped)
[ Where problems could occur ]
* The backported patch is simple and it is very unlikely that it will introduce a regression.
* As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
[ Original Description ]
I have apache configured to perform a kerberized NFS4 mount using
rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy
crashes, reporting a segfault in libselinux.so.1 and the web request
generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
error 4 in libselinux.so.1[7f2f5bb0d000+25000]
If I run gssproxy at debug level = 3, and then load a web page, I can
see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
Since gssproxy is required to initiate kerberos principals for any
local application services - Ubuntu 18.04 does not currently support
running application services with NFS4 kerberos dependencies. This
has a fairly significant impact on anyone attempting to implement
kerberos on Ubuntu 18.04
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions
More information about the foundations-bugs
mailing list