[Bug 1788459] Update Released
Brian Murray
1788459 at bugs.launchpad.net
Tue Oct 5 16:16:21 UTC 2021
The verification of the Stable Release Update for gssproxy has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1788459
Title:
gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by
rpc.gssd
Status in gssproxy package in Ubuntu:
In Progress
Status in libselinux package in Ubuntu:
Invalid
Status in gssproxy source package in Focal:
Fix Released
Status in libselinux source package in Focal:
Invalid
Status in gssproxy source package in Hirsute:
Fix Released
Status in libselinux source package in Hirsute:
Invalid
Bug description:
[ Impact ]
gssproxy users on Focal and Hiruste who configure the package to
handle NFS mountpoints using Kerberos authentication will experience a
segmentation fault when invoking the service either through systemd or
by hand.
[ Test Case]
Inside a Focal LXD container:
$ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
$ lxc shell gssproxy-bug1788459-focal
# apt update
# apt install -y gssproxy nfs-kernel-server
# cat > /etc/gssproxy/gssproxy.conf << __EOF__
[gssproxy]
debug = true
debug_level = 3
__EOF__
# cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
__EOF__
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/06/30 14:34:14]: Debug Enabled (level: 3)
[2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
lt (core dumped)
[ Where problems could occur ]
* The backported patch is simple and it is very unlikely that it will introduce a regression.
* As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
[ Original Description ]
I have apache configured to perform a kerberized NFS4 mount using
rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy
crashes, reporting a segfault in libselinux.so.1 and the web request
generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
error 4 in libselinux.so.1[7f2f5bb0d000+25000]
If I run gssproxy at debug level = 3, and then load a web page, I can
see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
Since gssproxy is required to initiate kerberos principals for any
local application services - Ubuntu 18.04 does not currently support
running application services with NFS4 kerberos dependencies. This
has a fairly significant impact on anyone attempting to implement
kerberos on Ubuntu 18.04
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions
More information about the foundations-bugs
mailing list