[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Rafael David Tinoco
rafael.tinoco at canonical.com
Tue Jun 21 15:54:39 UTC 2016
[12:50] <infinity> tinoco: The "disable in samba-libs preinst, reenable in samba-libs postinst" approach would also work, but it's (a) potentially very brittle, and (b) likely next to impossible to do for pam-winbind (which probably suffers the same issue as nss-winbind).
[12:51] <tinoco> infinity: my hope was that pam-auth-update (or any other mean) could remove/re-add winbind to nsswitch
[12:51] <tinoco> but then.. if customer had a taylor made change of nsswitch.conf.. it would be no good
[12:51] <tinoco> other choice would be to remove.. but then, if user doing the installation was coming from NSS
[12:51] <tinoco> things would go bad also
[12:52] <infinity> tinoco: Right, nsswitch isn't too hard, but /etc/pam.d/* is an order of magnitude worse.
[12:52] <tinoco> just like you said before
[12:52] <tinoco> infinity: definitely
[12:52] <tinoco> i think statically compiling it for now is the best approach
[12:52] <tinoco> only way without dealing with infinitive possibilities coming from pam.d/nss
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
In Progress
Bug description:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
* Comment #1 (to upgrade samba)
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
latest version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
More information about the Ubuntu-sponsors
mailing list