[Bug 1905261] Re: Openssl ignores order from /etc/nsswitch.conf
Dan Bungert
1905261 at bugs.launchpad.net
Mon Oct 24 17:06:38 UTC 2022
Looks like the linux-meta task was added recently, was that intended?
I'm not certain that this would be a kernel bug. Marking that part
incomplete - additional info would help.
** Changed in: linux-meta (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1905261
Title:
Openssl ignores order from /etc/nsswitch.conf
Status in linux-meta package in Ubuntu:
Incomplete
Status in openssl package in Ubuntu:
New
Bug description:
I'm issuing a command like the one below:
openssl s_client -connect subdomain.domain.example.com
I have the following nsswitch.conf defined:
'''
$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
'''
For host resolution, the /etc/hosts file should take precedence. But it doesn't work that way, and when I have some unresolvable name it tries to connect to DNS, ignoring the local hosts file. The order is clearly visible in strace:
'''
openat(AT_FDCWD, "/usr/lib/ssl/ct_log_list.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(5) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(5) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=560, ...}) = 0
read(5, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 560
read(5, "", 4096) = 0
close(5) = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=93, ...}) = 0
read(5, "# The \"order\" line is only used "..., 4096) = 93
read(5, "", 4096) = 0
close(5) = 0
futex(0x7f3d2d2b5ba4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
read(5, "# Generated by NetworkManager\nse"..., 4096) = 64
read(5, "", 4096) = 0
close(5) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=335124, ...}) = 0
mmap(NULL, 335124, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7f3d2de05000
close(5) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P#\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0644, st_size=47568, ...}) = 0
mmap(NULL, 2168632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f3d2cab0000
mprotect(0x7f3d2cabb000, 2093056, PROT_NONE) = 0
mmap(0x7f3d2ccba000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xa000) = 0x7f3d2ccba000
mmap(0x7f3d2ccbc000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3d2ccbc000
close(5) = 0
mprotect(0x7f3d2ccba000, 4096, PROT_READ) = 0
munmap(0x7f3d2de05000, 335124) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
'''
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.6
ProcVersionSignature: Ubuntu 4.15.0-124.127-generic 4.15.18
Uname: Linux 4.15.0-124-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.9-0ubuntu7.20
Architecture: amd64
Date: Mon Nov 23 10:49:41 2020
InstallationDate: Installed on 2015-05-08 (2026 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=pl_PL.UTF-8
SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: Upgraded to bionic on 2018-08-26 (819 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-meta/+bug/1905261/+subscriptions
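
An added example, not part of the bug report and not OpenSSL or glibc code: a Python sketch for triaging a report like this one. It parses the `hosts:` line into its ordered lookup chain and checks the order in which `libnss_*` modules are opened in an strace excerpt against that chain. The function names are hypothetical; the sample lines are copied from the report above.

```python
import re

# Added example; helper names are illustrative, not from glibc or OpenSSL.
# The hosts line from the report's /etc/nsswitch.conf.
HOSTS_LINE = ("hosts: files mdns4_minimal [NOTFOUND=return] "
              "resolve [!UNAVAIL=return] dns myhostname")

# Three syscall lines copied from the strace output in the report.
STRACE_EXCERPT = """\
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
"""

# Matches only opens that returned a file descriptor (failed opens end in "-1 E...").
NSS_OPEN = re.compile(r'^open(?:at)?\(.*/libnss_(\w+)\.so\.\d+".*=\s*(\d+)\s*$')

def parse_hosts_line(line):
    """Return [(service, {status: action})] in lookup order."""
    database, _, rest = line.partition(":")
    if database.strip() != "hosts":
        raise ValueError("not a hosts: line")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            chain.append((token, {}))
            continue
        if not chain:
            raise ValueError("action item before any service")
        # A [STATUS=action] item applies to the service named just before it.
        for item in token[1:-1].split():
            status, _, action = item.partition("=")
            chain[-1][1][status.upper()] = action.lower()
    return chain

def modules_loaded(strace_text):
    """Service names whose libnss_<name>.so.N was opened successfully, in order."""
    hits = (NSS_OPEN.match(line) for line in strace_text.splitlines())
    return [m.group(1) for m in hits if m]

def follows_config(chain, loaded):
    """True if every loaded module is configured and load order matches the chain."""
    services = [name for name, _ in chain]
    if any(name not in services for name in loaded):
        return False
    positions = [services.index(name) for name in loaded]
    return positions == sorted(positions)
```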