Ubuntu
nfs-utils package

rpc.gssd truncates 32-bit UIDs/GIDs to 16 bits, leading to "Key has expired" errors when using kerberos

Bug #1779962 reported by Sree on 2018-07-03

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	nfs-utils (Ubuntu)	Fix Released	Undecided	Adam Conrad
	Bionic	Confirmed	Undecided	Unassigned

Bug Description

utils/gssd_proc.c uses SYS_setresuid and SYS_setresgid in change_identity when it should use SYS_setresuid32 and SYS_setresgid32 instead. This causes it to truncate UIDs/GIDs > 65536.

Symptoms: rpc.gssd is unable to read kerberos credentials files after changing identity, failing with a cryptic error message:

CC 'FILE:/tmp/krb5cc_100001_J5kIrv' is expired or corrupt

(note the UID 100001 here, rpc.gssd was actually using UID 34465 to access this file, and failing in krb5_util.c when calling krb5_cc_get_principal)

The attached patch fixes the bug.

I'm using Ubuntu 18.04 LTS on an Odroid XU4 (armhf). This bug does not exist in Ubuntu 16.04 LTS.

Tags:

Revision history for this message

Sree (sree314) wrote on 2018-07-03:

Changes the syscalls to use the 32-bit variants. Edit (727 bytes, text/plain)

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2018-07-04:

The attachment "Changes the syscalls to use the 32-bit variants." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

James (drmhv) wrote on 2018-07-17:

Thanks for tracking this down Sree - I've been hitting this for quite some time but only on ARM for some reason. Your patch also works for me on nfs-utils 2.3.2.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-17:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu):
status:	New → Confirmed

Revision history for this message

Sree (sree314) wrote on 2018-07-17:

Glad to know that helped. I was using the Odroid kernel (not the Ubuntu one), so I was not sure the problem manifests elsewhere. It doesn't on Debian (on the aarch64 kernel), for example.

I think it surfaces only on architectures that have the 16-bit UID syscalls enabled (or on multiarch).

Revision history for this message

Steve Dickson (steved-redhat) wrote on 2018-07-17:

0001-rpc.gssd-truncates-32-bit-UIDs-GIDs-to-16-bits-archi.patch Edit (1.9 KiB, text/plain)

Here is the patch I'm about to propose to upstream.

Sree, if possible, could please test this patch?

Also I would like to give you the "Author" credit
but I don't see a public email address.

Revision history for this message

Sree (sree314) wrote on 2018-07-17:

Steve, I tested that patch on 1.3.4 and it works for me. Thanks!

I'm <launchpad-username>@gmail.com, thank you!

Revision history for this message

Steve Dickson (steved-redhat) wrote on 2018-07-18:

Sree, Thank you!

Revision history for this message

Steve Dickson (steved-redhat) wrote on 2018-07-18:

The upstream patch

commit 2a6b8307fa4243a7921270aedf8ce6506e31569a (HEAD -> master, origin/master, origin/HEAD)
Author: Steve Dickson <email address hidden>
Date: Tue Jul 17 15:09:37 2018 -0400

rpc.gssd: truncates 32-bit UIDs/GIDs to 16 bits architectures.

    utils/gssd_proc.c uses SYS_setresuid and SYS_setresgid in
    change_identity when it should use SYS_setresuid32 and
    SYS_setresgid32 instead. This causes it to truncate
    UIDs/GIDs > 65536.

Fixes: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1779962
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1595927

    Tested-by: James Ettle <email address hidden>
    Tested-by: Sree <email address hidden>
    Signed-off-by: Steve Dickson <email address hidden>

Francis Ginther (fginther) on 2018-10-10

tags:

added: id-5bbd0cbaade2f22d9608ca95

Adam Conrad (adconrad) on 2018-10-16

Changed in nfs-utils (Ubuntu):
status:	Confirmed → Fix Committed
assignee:	nobody → Adam Conrad (adconrad)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-10-16:

#10

This bug was fixed in the package nfs-utils - 1:1.3.4-2.2ubuntu3

---------------
nfs-utils (1:1.3.4-2.2ubuntu3) cosmic; urgency=medium

* truncate_gid*.patch: Backports from upstream to prevent truncating
UIDs and GIDs over 65536 on certain architectures (LP: #1779962)

-- Adam Conrad <email address hidden> Tue, 16 Oct 2018 06:06:43 -0600

Changed in nfs-utils (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-07-09:

#11

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu Bionic):
status:	New → Confirmed

Revision history for this message

Johannes Midgren (m-johannes-6) wrote on 2019-07-10:

#12

I assume I spotted the exact same error as the reporter using Ubuntu 18.04 on Odroid XU4. For me it fails when using FreeIPA (with high UIDs/GIDs) and Kerberized NFS4. When applying the patch the problem goes away, but so far I have not give it more testing than that. Considering the nature of the patch the risk of side effects seem small though :-)

Does anyone know if there is a chance for this fix to be released in Bionic as well?