Query about changes in 3.5.0-45 and related kernels

MR Mail mrmail at ratnet.org
Tue Jan 14 16:14:28 UTC 2014


Hi Andy and Tim

Thank you very much for your prompt and helpful responses.

I've raised Bug #1269053, attached the strace files in a Zip, and put a little detail in the report about what I've done to get the files.

Kind Regards
Mark Rattray


-----Andy Whitcroft <apw at canonical.com> wrote: -----
To: MR Mail <mrmail at ratnet.org>
From: Andy Whitcroft <apw at canonical.com>
Date: 14/01/2014 12:58
Cc: kernel-team at lists.ubuntu.com
Subject: Re: Query about changes in 3.5.0-45 and related kernels

On Tue, Jan 14, 2014 at 01:07:24AM +0000, MR Mail wrote:

> Just a query about what might have changed in Ubuntu's Kernel 3.5.0-45 
> that would kill IBM Domino's /opt/ibm/domino/notes/latest/linux/bindsock 
> binary that runs as root (setuid) to get ports lower than 1024 (SMTP IMAP 
> POP3 and HTTP) for the service account that runs the main application 
> server?
> 
> A number of us have to hold back the kernel now and there's lots of 
> scratching going on.
> http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=485F5F092833BCBE85257C33006AC7A3 
> 
> Another unusual thing the server console spits out is
> "Error_CmdToDo_INVAL"... might be an IBM thang.
> 
> Don't know if this is something that's been deprecated or a bug in the 
> latest kernel versions. It does seem limited to IBM Domino. 

To précis the thread above: various people on various releases are
reporting that a kernel update is preventing the Domino server from
starting.  Specifically they are all reporting that the setuid bindsock
helper is failing to bind port 25:

    SMTP Server: Listener failure: 'bindsock' is missing, not executable,
    not owned by root, not setuid root or user needs net_privaddr privilege

As an aside, the above thread suggests that setuid is not working.
I cannot see any commits which could cause such a behavioural change,
and if there was such an issue sudo et al would also stop working;
I think this would have been noticed.

Various reporters note kernel version on various releases:

    GOOD                BAD
    3.5.0-43-generic    3.5.0-44-generic
    3.11.0-13           3.11.0-14
    3.2.0-56            3.2.0-58

I have briefly reviewed the changes in these pairs which all include the
application of an upstream stable update, looking for those relating to
sockets in general of which there are a couple in common on all three of
these updates:

    net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
    net: heap overflow in __audit_sockaddr()

The latter of these I do see a further upstream fix for which will
appear in the next 3.2.0 kernel, which _might_ be relevant.

As for the next steps:

1) let's get a bug filed against the linux package containing the data
   above, by someone who is able to run some test kernels to debug
   the issue (run 'ubuntu-bug linux' to get such a bug filed),
2) could someone who has this issue attempt to get an strace from this
   helper as it tries to make these sockets so we can try and identify
   what is failing.

Once we have a bug filed we can try and bisect between say
3.5.0-43-generic and 3.5.0-44-generic to find the patch which triggers
the behaviour.

Please reply to this email with the bug number once it is filed.

-apw
