traceback when running apport as non-root user

Bug #1906565 reported by Brian Murray on 2020-12-02
This bug affects 1 person
Affects            Importance   Assigned to
apport (Ubuntu)    High         Brian Murray
Xenial             High         Brian Murray
Bionic             High         Brian Murray
Focal              High         Brian Murray
Groovy             High         Brian Murray

Bug Description

[Impact]
The apport-test-crashes package, which is used to test the Error Tracker deployments, fails to produce crash files for binary applications since "various security hardening fixes" were included in apport. The problematic change is the dropping of supplemental groups in data/apport. This results in a PermissionError as it is not the root user who is calling /usr/share/apport/apport.

[Test Case]
The least convoluted test case involves using the generate-sigsegv-crash.py script from apport-test-crashes. This ends up using a command similar to '/usr/share/apport/apport -p 4077 -s 11 -E /usr/bin/gnome-calculator < /tmp/20.10-gnome-calculator.core' which then will encounter the Traceback.

1) Comment out "check_lock()" in /usr/share/apport/apport (This is necessary as we are not running as root)
2) Put a copy of generate-sigsegv-crash.py on disk.
3) Run 'python3 /tmp/generate-sigsegv-crash.py cat'
4) Observe the following Traceback:

Traceback (most recent call last):
  File "/tmp/tmpvkt5d266/apport", line 599, in <module>
    drop_privileges(True)
  File "/tmp/tmpvkt5d266/apport", line 125, in drop_privileges
    os.setgroups([])
PermissionError: [Errno 1] Operation not permitted

With the version of apport from -proposed you'll receive no such Traceback.

[Regression Potential]
If there is an error in the python code we could see a new traceback for any and all crashes being generated, so ensure regular crash generation works too.

apport-test-crashes code is here:
https://code.launchpad.net/~daisy-pluckers/error-tracker-deployment/test-crashes/

tags: added: fr-978
Changed in apport (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
status: New → In Progress
importance: Undecided → High
Changed in apport (Ubuntu Bionic):
importance: Undecided → High
Changed in apport (Ubuntu Xenial):
importance: Undecided → High
Changed in apport (Ubuntu Focal):
importance: Undecided → High
Changed in apport (Ubuntu Bionic):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Focal):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Groovy):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Xenial):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Groovy):
importance: Undecided → High
description: updated
Brian Murray (brian-murray) wrote :

apport (2.20.11-0ubuntu55) hirsute; urgency=medium

  * data/apport: only drop supplemental groups if the user is root.

 -- Brian Murray <email address hidden> Wed, 02 Dec 2020 14:40:29 -0800
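
The guard named in the changelog entry above, as an added example (not apport's own code): supplementary groups are cleared only when the caller is root, so an unprivileged invocation no longer hits the PermissionError from the traceback. `FakeProcess`, the `guard` and `osmod` parameters, the UID/GID values and the choice to test the effective UID are assumptions made for the illustration.

```python
import errno
import os


def drop_privileges(real_uid, real_gid, guard=True, osmod=os):
    """Set the real UID/GID, clearing supplementary groups first.

    guard=False reproduces the failure in the report; osmod exists only so
    the demo can pass a constructed stand-in for os and run without root.
    """
    # setgroups(2) needs CAP_SETGID: unprivileged callers get EPERM, which
    # Python raises as PermissionError. Assumption: test the effective UID.
    if not guard or osmod.geteuid() == 0:
        osmod.setgroups([])
    osmod.setregid(real_gid, -1)
    osmod.setreuid(real_uid, -1)
    if (osmod.getuid(), osmod.getgid()) != (real_uid, real_gid):
        raise RuntimeError("privilege drop did not take effect")


class FakeProcess:
    """Constructed model of one process's credentials, not the real kernel."""

    def __init__(self, uid, gid, groups):
        self.uid = self.euid = uid
        self.gid = gid
        self.groups = list(groups)

    def getuid(self): return self.uid
    def geteuid(self): return self.euid
    def getgid(self): return self.gid
    def getgroups(self): return list(self.groups)

    def _require_root(self):
        if self.euid != 0:
            raise PermissionError(errno.EPERM, "Operation not permitted")

    def setgroups(self, groups):
        self._require_root()
        self.groups = list(groups)

    def setregid(self, rgid, egid):
        if rgid not in (-1, self.gid):  # keeping the current ID is allowed
            self._require_root()
            self.gid = rgid

    def setreuid(self, ruid, euid):
        if ruid not in (-1, self.uid):
            self._require_root()
            self.uid = ruid


def demo():
    """Both variants, run as root and as uid 1000 (each also in group 27)."""
    out = {}
    for who, uid in (("root", 0), ("user", 1000)):
        for guard in (False, True):
            proc = FakeProcess(uid, uid, [uid, 27])
            try:
                drop_privileges(1000, 1000, guard=guard, osmod=proc)
                out[who, guard] = proc.getgroups()
            except PermissionError as exc:
                out[who, guard] = errno.errorcode[exc.errno]
    return out


if __name__ == "__main__":
    print(demo())
```

With the guard, a non-root caller keeps the supplementary groups it already had, while a root caller still sheds them before switching IDs.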

Changed in apport (Ubuntu):
status: In Progress → Fix Released
Changed in apport (Ubuntu Xenial):
status: New → In Progress
Changed in apport (Ubuntu Bionic):
status: New → In Progress
Changed in apport (Ubuntu Focal):
status: New → In Progress
Changed in apport (Ubuntu Groovy):
status: New → Incomplete

Hello Brian, or anyone else affected,

Accepted apport into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu27.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in apport (Ubuntu Groovy):
status: Incomplete → Fix Committed
tags: added: verification-needed-groovy
Steve Langasek (vorlon) wrote :

Hello Brian, or anyone else affected,

Accepted apport into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu50.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Steve Langasek (vorlon) wrote :

Hello Brian, or anyone else affected,

Accepted apport into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.9-0ubuntu7.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Steve Langasek (vorlon) wrote :

Hello Brian, or anyone else affected,

Accepted apport into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.28 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apport (2.20.9-0ubuntu7.21) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.9-0ubuntu7.21 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apport

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted apport (2.20.1-0ubuntu2.28) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.1-0ubuntu2.28 (i386, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#apport

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Brian Murray (brian-murray) wrote :

I installed the version of apport from groovy-proposed and there is no longer a Traceback when running the test case.

Setting up python3-apport (2.20.11-0ubuntu50.3) ...
Setting up apport (2.20.11-0ubuntu50.3) ...
apport-autoreport.service is a disabled or a static unit, not starting it.
Processing triggers for systemd (246.6-1ubuntu1) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
bdmurray@clean-groovy-amd64:~$ python3 generate-sigsegv-crash.py cat
GNU gdb (Ubuntu 9.2-0ubuntu2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from cat...
(No debugging symbols found in cat)
(gdb) Starting program: /usr/bin/cat

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ed3cb2 in __GI___libc_read (fd=0, buf=0x7ffff7837000, nbytes=131072) at ../sysdeps/unix/sysv/linux/read.c:26
26 ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
(gdb) warning: Memory read failed for corefile section, 4096 bytes at 0xffffffffff600000.
Saved corefile /tmp/tmpehzet8ma/my.core
(gdb) ERROR: apport (pid 3639) Fri Dec 4 15:25:32 2020: called for pid 3631, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 3639) Fri Dec 4 15:25:32 2020: executable: /usr/bin/cat (command line "/usr/bin/cat")
ERROR: apport (pid 3639) Fri Dec 4 15:25:32 2020: gdbus call error: Error: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

ERROR: apport (pid 3639) Fri Dec 4 15:25:32 2020: debug: session gdbus call:
ERROR: apport (pid 3639) Fri Dec 4 15:25:32 2020: wrote report /tmp/tmpehzet8ma/_usr_bin_cat.1000.crash
(gdb) Kill the program being debugged? (y or n) [answered Y; input not from terminal]
[Inferior 1 (process 3631) killed]
(gdb) --- post-processing /tmp/tmpehzet8ma/_usr_bin_cat.1000.crash

tags: added: verification-done-groovy
removed: verification-needed-groovy
Brian Murray (brian-murray) wrote :

I installed the version of apport from focal-proposed and no longer received a Traceback when running the traceback.

Unpacking apport (2.20.11-0ubuntu27.14) over (2.20.11-0ubuntu27.12) ...
Setting up python3-apport (2.20.11-0ubuntu27.14) ...
Setting up apport (2.20.11-0ubuntu27.14) ...
apport-autoreport.service is a disabled or a static unit, not starting it.
Processing triggers for systemd (245.4-4ubuntu3.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
bdmurray@clean-focal-amd64:~$ python3 generate-sigsegv-crash.py cat
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from cat...
(No debugging symbols found in cat)
(gdb) Starting program: /usr/bin/cat

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ed7142 in __GI___libc_read (fd=0, buf=0x7ffff7835000, nbytes=131072) at ../sysdeps/unix/sysv/linux/read.c:26
26 ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
(gdb) warning: Memory read failed for corefile section, 4096 bytes at 0xffffffffff600000.
Saved corefile /tmp/tmp3m7fnzeq/my.core
(gdb) ERROR: apport (pid 3180) Fri Dec 4 15:33:28 2020: called for pid 3172, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 3180) Fri Dec 4 15:33:28 2020: executable: /usr/bin/cat (command line "/usr/bin/cat")
ERROR: apport (pid 3180) Fri Dec 4 15:33:28 2020: gdbus call error: Error: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

ERROR: apport (pid 3180) Fri Dec 4 15:33:28 2020: debug: session gdbus call:
ERROR: apport (pid 3180) Fri Dec 4 15:33:28 2020: wrote report /tmp/tmp3m7fnzeq/_usr_bin_cat.1000.crash
(gdb) Kill the program being debugged? (y or n) [answered Y; input not from terminal]
[Inferior 1 (process 3172) killed]
(gdb) --- post-processing /tmp/tmp3m7fnzeq/_usr_bin_cat.1000.crash

tags: added: verification-done-focal
removed: verification-needed-focal
Brian Murray (brian-murray) wrote :

I installed the version of apport from bionic-proposed and no longer received a Traceback when following the test case.

Setting up python3-apport (2.20.9-0ubuntu7.21) ...
Setting up apport (2.20.9-0ubuntu7.21) ...
apport-autoreport.service is a disabled or a static unit, not starting it.
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.43) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
bdmurray@clean-bionic-amd64:~$ python3 generate-sigsegv-crash.py cat
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from cat...(no debugging symbols found)...done.
(gdb) Starting program: /bin/cat

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af2151 in __GI___libc_read (fd=0, buf=0x7ffff7fc2000, nbytes=131072) at ../sysdeps/unix/sysv/linux/read.c:27
27 ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
(gdb) warning: Memory read failed for corefile section, 4096 bytes at 0xffffffffff600000.
Saved corefile /tmp/tmp1o0onv61/my.core
(gdb) ERROR: apport (pid 2623) Fri Dec 4 15:42:10 2020: called for pid 2615, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 2623) Fri Dec 4 15:42:10 2020: executable: /bin/cat (command line "/bin/cat")
ERROR: apport (pid 2623) Fri Dec 4 15:42:10 2020: gdbus call error: Error: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

ERROR: apport (pid 2623) Fri Dec 4 15:42:10 2020: debug: session gdbus call:
ERROR: apport (pid 2623) Fri Dec 4 15:42:11 2020: wrote report /tmp/tmp1o0onv61/_bin_cat.1000.crash
(gdb) Kill the program being debugged? (y or n) [answered Y; input not from terminal]
(gdb) --- post-processing /tmp/tmp1o0onv61/_bin_cat.1000.crash

tags: added: verification-done-bionic
removed: verification-needed-bionic
Brian Murray (brian-murray) wrote :

I installed the version of apport from xenial-proposed and no longer received a Traceback when running the test case.

Preparing to unpack .../python3-apport_2.20.1-0ubuntu2.28_all.deb ...
Unpacking python3-apport (2.20.1-0ubuntu2.28) over (2.20.1-0ubuntu2.27) ...
Preparing to unpack .../apport_2.20.1-0ubuntu2.28_all.deb ...
Unpacking apport (2.20.1-0ubuntu2.28) over (2.20.1-0ubuntu2.27) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for hicolor-icon-theme (0.15-0ubuntu1.1) ...
Processing triggers for systemd (229-4ubuntu21.29) ...
Processing triggers for ureadahead (0.100.0-19.1) ...
Setting up python3-apport (2.20.1-0ubuntu2.28) ...
Setting up apport (2.20.1-0ubuntu2.28) ...
bdmurray@clean-xenial-amd64:~$ python3 generate-sigsegv-crash.py cat
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from cat...(no debugging symbols found)...done.
(gdb) Starting program: /bin/cat

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b04320 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) Saved corefile /tmp/tmplo7od5en/my.core
(gdb) ERROR: apport (pid 2923) Fri Dec 4 15:48:31 2020: called for pid 2915, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 2923) Fri Dec 4 15:48:31 2020: executable: /bin/cat (command line "/bin/cat")
ERROR: apport (pid 2923) Fri Dec 4 15:48:31 2020: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 2923) Fri Dec 4 15:48:31 2020: wrote report /tmp/tmplo7od5en/_bin_cat.1000.crash
(gdb) Kill the program being debugged? (y or n) [answered Y; input not from terminal]
(gdb) --- post-processing /tmp/tmplo7od5en/_bin_cat.1000.crash

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu50.3

---------------
apport (2.20.11-0ubuntu50.3) groovy; urgency=medium

  * data/apport: only drop supplemental groups if we are root. (LP: #1906565)

 -- Brian Murray <email address hidden> Wed, 02 Dec 2020 12:51:33 -0800

Changed in apport (Ubuntu Groovy):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apport has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.14

---------------
apport (2.20.11-0ubuntu27.14) focal; urgency=medium

  * data/apport: only drop supplemental groups if the user is root. (LP: #1906565)

 -- Brian Murray <email address hidden> Thu, 03 Dec 2020 09:26:27 -0800

Changed in apport (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.9-0ubuntu7.21

---------------
apport (2.20.9-0ubuntu7.21) bionic; urgency=medium

  * data/apport: only drop supplemental groups if the user is root. (LP: #1906565)

 -- Brian Murray <email address hidden> Thu, 03 Dec 2020 09:39:34 -0800

Changed in apport (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.1-0ubuntu2.28

---------------
apport (2.20.1-0ubuntu2.28) xenial; urgency=medium

  * data/apport: only drop supplemental groups if the user is root. (LP: #1906565)

 -- Brian Murray <email address hidden> Thu, 03 Dec 2020 10:33:00 -0800

Changed in apport (Ubuntu Xenial):
status: Fix Committed → Fix Released