freeradius with freeradius-python3 fails to start out of the box
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
freeradius (Ubuntu) |
Fix Released
|
Medium
|
Andreas Hasenack | ||
Focal |
Fix Released
|
Medium
|
Andreas Hasenack |
Bug Description
[Impact]
The python3 rlm module cannot be loaded.
[Test Plan]
# pull the necessary attachments
wget https:/
# install freeradius-python3
sudo apt update
sudo apt install freeradius-python3
# enable python3 for auth (this command is one line)
sudo sed -i -r '/^#[[:
# copy python example
sudo cp ubuntu_example.py /etc/freeradius
# copy python3 config
sudo cp python3 /etc/freeradius
# enable the python3 module
sudo ln -s /etc/freeradius
# restart freeradius. Restart will fail without the fixed package installed
sudo systemctl restart freeradius
Error in journal when the fix is not installed:
Apr 13 20:54:03 f-freeradius-
Apr 13 20:54:03 f-freeradius-
Apr 13 20:54:03 f-freeradius-
Apr 13 20:54:03 f-freeradius-
and
Apr 13 20:55:31 f-freeradius-
Apr 13 20:55:31 f-freeradius-
# Install the fixed packages from proposed
# Test authentication with the python3 script we installed.
# This script will accept the ubuntu user with any password, and reject
# any other user, regardless of the password
$ radtest ubuntu anypass 127.0.0.1 0 testing123
Sent Access-Request Id 59 from 0.0.0.0:33632 to 127.0.0.1:1812 length 76
User-Name = "ubuntu"
NAS-Port = 0
Received Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33632 length 35
$ radtest anotheruser neverworks 127.0.0.1 0 testing123
Sent Access-Request Id 14 from 0.0.0.0:34461 to 127.0.0.1:1812 length 81
User-Name = "anotheruser"
NAS-Port = 0
Received Access-Reject Id 14 from 127.0.0.1:1812 to 127.0.0.1:34461 length 41
(0) -: Expected Access-Accept got Access-Reject
[Where problems could occur]
I don't know how complex the python3 scripts run by rlm_python3 can be. Maybe if there are complex imports or other interactions, it could show this fix to be incomplete, as there were other upstream fixes for rlm_python3 that landed in 3.0.21 and later. I checked the 3.0.21 ones (https:/
That being said, freeradius is a gatekeeper. Authentication and authorization is a big deal, and if this update introduces a bug, it could manifest itself either by allowing something it shouldn't, or not allowing anything. Given the patches, this will be restricted to the python3 module, which couldn't be loaded anyway.
These modules deep inside src/modules have their own autoconf scripts, and they don't get regenerated by the build process from the respective source files (configure.ac and others). At this time I didn't have to patch them, but, as can be seen in the jammy upload, I had to patch configure directly (and not configure.ac) because of fear of introducing a regression, since those deep configure scripts are NOT regenerated by the debian packaging builds: just the top level one is regenerated, at the root of the source tree, and who knows when was the last time all those configure scripts were generated. And jammy has an updated autoconf (2.71), which broke other packages. In any case, this concern does not apply to this particular focal update, but might in the future.
[Other Info]
This SRU has two patches. One is the actual fix, which fixes the name of the python library that freeradius attempts to load. The other fix is to not try to instantiate the python3 module if the instantiate and detach methods are not defined, which would trigger a failure with the simple reproducer from comment #1.
I added a DEP8 test to the focal package that doesn't exist in any other release at this time. As soon as Ubuntu K opens up, I'll update the freeradius package there as well with this test (see https:/
UPDATE: PR to update the DEP8 test in kinetic's freeradius package: https:/
[Original Description]
I created a git repo with the reproduction: https:/
Package version:
Version: 3.0.20+dfsg-3build1
The error message:
-------
Mon Apr 20 17:12:57 2020 : Debug: rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
Mon Apr 20 17:12:57 2020 : Debug: # Instantiating module "python3" from file /etc/freeradius
Mon Apr 20 17:12:57 2020 : Info: Python version: 3.8.2 (default, Mar 13 2020, 10:14:16) [GCC 9.3.0]
Mon Apr 20 17:12:57 2020 : Warning: Libpython is not found among linked libraries
Mon Apr 20 17:12:57 2020 : Warning: Failed loading libpython symbols into global symbol table
Mon Apr 20 17:12:57 2020 : Error: do_python_
Mon Apr 20 17:12:57 2020 : Error: python_
Mon Apr 20 17:12:57 2020 : Error: do_python_
-------
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
-
Diff: 505 lines (+376/-20)12 files modifieddebian/changelog (+17/-0)
debian/control (+2/-1)
debian/patches/dont_call_undeclared.patch (+64/-0)
debian/patches/py3.8-libname-fix.patch (+30/-0)
debian/patches/series (+2/-0)
debian/tests/control (+4/-0)
debian/tests/freeradius (+1/-1)
debian/tests/rlm_python3-data/python3.mods-available (+66/-0)
debian/tests/rlm_python3-data/python3.sites-available (+85/-0)
debian/tests/rlm_python3-data/ubuntu_example.py.mods-config (+26/-0)
debian/tests/rlm_python3-test (+43/-0)
debian/tests/test-freeradius.py (+36/-18)
- Utkarsh Gupta (community): Approve
- Canonical Server: Pending requested
-
Diff: 56 lines (+34/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/fix-python-version-parsing.patch (+26/-0)
debian/patches/series (+1/-0)
Changed in freeradius (Ubuntu): | |
assignee: | nobody → Lena Voytek (lvoytek) |
Changed in freeradius (Ubuntu Focal): | |
status: | New → Confirmed |
assignee: | nobody → Lena Voytek (lvoytek) |
Changed in freeradius (Ubuntu Focal): | |
status: | Confirmed → In Progress |
Changed in freeradius (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in freeradius (Ubuntu): | |
status: | Triaged → In Progress |
Changed in freeradius (Ubuntu Focal): | |
assignee: | Lena Voytek (lvoytek) → Andreas Hasenack (ahasenack) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Thanks for the bug report! I have tried to reproduce this issue in a LXD Focal container and it fails while loading the python3 module as mentioned above:
$ apt-get install -y freeradius freeradius-python3 /3.0/mods- available/ python3 /etc/freeradius /3.0/mods- enabled/ /3.0/mods- enabled/ python3 single: 568, instantiate - pRet is NULL error_log: 200, Exception type: <class 'SystemError'>, Exception value: null argument to internal routine single: 676, instantiate - RLM_MODULE_FAIL
$ ln -s /etc/freeradius
$ systemctl stop freeradius
$ freeradius -Xx
...
Wed Apr 22 18:39:51 2020 : Debug: # Instantiating module "python3" from file /etc/freeradius
Wed Apr 22 18:39:51 2020 : Info: Python version: 3.8.2 (default, Mar 13 2020, 10:14:16) [GCC 9.3.0]
Wed Apr 22 18:39:51 2020 : Warning: Libpython is not found among linked libraries
Wed Apr 22 18:39:51 2020 : Warning: Failed loading libpython symbols into global symbol table
Wed Apr 22 18:39:52 2020 : Error: do_python_
Wed Apr 22 18:39:52 2020 : Error: python_
Wed Apr 22 18:39:52 2020 : Error: do_python_
...