[Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
Sergio Durigan Junior
1788459 at bugs.launchpad.net
Mon Oct 4 18:32:49 UTC 2021
Performing the verification for Focal.
First, install the problematic package and reproduce the error:
# apt policy gssproxy
gssproxy:
Installed: 0.8.2-2
Candidate: 0.8.2-2
Version table:
*** 0.8.2-2 500
500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
100 /var/lib/dpkg/status
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/10/04 18:30:15]: Debug Enabled (level: 3)
[2021/10/04 18:30:15]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/10/04 18:30:15]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/10/04 18:30:15]: Client [2021/10/04 18:30:15]: (/usr/sbin/gssproxy) [2021/10/04 18:30:15]: connected (fd = 12)[2021/10/04 18:30:15]: (pid = 1877) (uid = 0) (gid = 0)Segmentation fault (core dumped)
Now, install the version from -proposed and verify that it works correctly:
# apt install gssproxy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
gssproxy
1 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.
Need to get 88.4 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 gssproxy amd64 0.8.2-2ubuntu0.20.04.1 [88.4 kB]
Fetched 88.4 kB in 0s (224 kB/s)
(Reading database ... 15068 files and directories currently installed.)
Preparing to unpack .../gssproxy_0.8.2-2ubuntu0.20.04.1_amd64.deb ...
Unpacking gssproxy (0.8.2-2ubuntu0.20.04.1) over (0.8.2-2) ...
Setting up gssproxy (0.8.2-2ubuntu0.20.04.1) ...
# apt policy gssproxy
gssproxy:
Installed: 0.8.2-2ubuntu0.20.04.1
Candidate: 0.8.2-2ubuntu0.20.04.1
Version table:
*** 0.8.2-2ubuntu0.20.04.1 500
500 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
100 /var/lib/dpkg/status
0.8.2-2 500
500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/10/04 18:31:59]: Debug Enabled (level: 3)
[2021/10/04 18:31:59]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/10/04 18:31:59]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/10/04 18:31:59]: Client [2021/10/04 18:31:59]: (/usr/sbin/gssproxy) [2021/10/04 18:31:59]: connected (fd = 12)[2021/10/04 18:31:59]: (pid = 2244) (uid = 0) (gid = 0)[2021/10/04 18:31:59]:
^C[2021/10/04 18:32:10]: Exiting after receiving a signal
Therefore, the new package indeed fixes the problem.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1788459
Title:
gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by
rpc.gssd
Status in gssproxy package in Ubuntu:
In Progress
Status in libselinux package in Ubuntu:
Invalid
Status in gssproxy source package in Focal:
Fix Committed
Status in libselinux source package in Focal:
Invalid
Status in gssproxy source package in Hirsute:
Fix Committed
Status in libselinux source package in Hirsute:
Invalid
Bug description:
[ Impact ]
gssproxy users on Focal and Hiruste who configure the package to
handle NFS mountpoints using Kerberos authentication will experience a
segmentation fault when invoking the service either through systemd or
by hand.
[ Test Case]
Inside a Focal LXD container:
$ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
$ lxc shell gssproxy-bug1788459-focal
# apt update
# apt install -y gssproxy nfs-kernel-server
# cat > /etc/gssproxy/gssproxy.conf << __EOF__
[gssproxy]
debug = true
debug_level = 3
__EOF__
# cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
__EOF__
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/06/30 14:34:14]: Debug Enabled (level: 3)
[2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
lt (core dumped)
[ Where problems could occur ]
* The backported patch is simple and it is very unlikely that it will introduce a regression.
* As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
[ Original Description ]
I have apache configured to perform a kerberized NFS4 mount using
rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy
crashes, reporting a segfault in libselinux.so.1 and the web request
generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
error 4 in libselinux.so.1[7f2f5bb0d000+25000]
If I run gssproxy at debug level = 3, and then load a web page, I can
see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
Since gssproxy is required to initiate kerberos principals for any
local application services - Ubuntu 18.04 does not currently support
running application services with NFS4 kerberos dependencies. This
has a fairly significant impact on anyone attempting to implement
kerberos on Ubuntu 18.04
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions
More information about the foundations-bugs
mailing list