gufw segfaults on Ubuntu 20.04 and 22.04

Bug #1988853 reported by ananke
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gufw (Ubuntu)
New
Undecided
Unassigned

Bug Description

This issue appears to affect both Ubuntu 20.04 and 22.04, while it didn't exist on Ubuntu 18.04 (all with latest updates). XFCE was used as the desktop environment in every case, with connections via xrdp using xorg driver.

The same symptoms are present whether user starts `gufw` via terminal, or via the Firewall Configuration menu entry, as soon as user authenticates via the popup window.

The issue seems to involve pkexec, and one way to fix it seems to be by replacing the following entry in `/usr/bin/gufw`:

```
pkexec gufw-pkexec $c_user
```

with

```
pkexec /usr/bin/gufw-pkexec $c_user
```

Here's a sample error output:

```
student@desktop:~$ gufw
/bin/gufw: line 2: [: too many arguments
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not connect: Connection refused

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gdk-CRITICAL **: 14:10:32.294: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.294: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.295: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.295: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(gufw.py:2076): Gtk-CRITICAL **: 14:10:32.295: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
/bin/gufw-pkexec: line 10: 2076 Segmentation fault (core dumped) python3 ${LOCATIONS[${i}]} $1
```

Thank you!

Tags: focal jammy
Jürgen Gmach (jugmac00)
affects: launchpad → ubuntu
Paul White (paulw2u)
affects: ubuntu → gufw (Ubuntu)
tags: added: focal jammy
Revision history for this message
Brian Foster (blfoster) wrote :

Running Kubuntu 22.04.1 LTS, I do *not* have this issue; gufw(8) v22.04.0 starts up properly.

I find the initial output line in the above odd:

    /bin/gufw: line 2: [: too many arguments

1st, gufw is in /usr/bin, not /bin (this *may* be a copy-paste mistake?).

2nd, Line 2 of /usr/bin/gufw does not (directly) contain any "["s:

   2.1$ $ nl -ba /usr/bin/gufw
     1 #!/bin/bash
     2 c_user=$(whoami)
     3 pkexec gufw-pkexec $c_user
   2.2$ file $(which whoami)
   /usr/bin/whoami: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a18184f5d26fce82fe5ccf842d3cf7b9c729030f, for GNU/Linux 3.2.0, stripped

What happens if you run gufw using the bash(1) shell's -x option? I get:

   2.3$ $ bash -x $(which gufw)
   ++ whoami
   + c_user=USER
   + pkexec gufw-pkexec USER
   Error executing command as another user: Not authorized

   This incident has been reported.

where USER is my username. The "not authorized" is because I cancelled rather than enter my password (for this test, for other tests I entered the password and gufw itself started entirely as expected).

Revision history for this message
ananke (ananke) wrote : Re: [Bug 1988853] gufw segfaults on Ubuntu 20.04 and 22.04
Download full text (10.0 KiB)

> On Sep 14, 2022, at 9:20 AM, Brian Foster <email address hidden> wrote:
>
> Running Kubuntu 22.04.1 LTS, I do *not* have this issue; gufw(8)
> v22.04.0 starts up properly.
>
> I find the initial output line in the above odd:
>
> /bin/gufw: line 2: [: too many arguments
>
> 1st, gufw is in /usr/bin, not /bin (this *may* be a copy-paste
> mistake?).

It was a direct copy/paste. It appears that ‘gufw’ package installs /bin/gufw, which is identical to /usr/bin/gufw. Example from fresh ubuntu 20.04.04:

```
root@self:~# ls -l /bin/gufw
ls: cannot access '/bin/gufw': No such file or directory
root@self:~# apt-get -y install gufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  gufw
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
Need to get 860 kB of archives.
After this operation, 3539 kB of additional disk space will be used.
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu focal-updates/universe amd64 gufw all 20.04.1-1ubuntu1 [860 kB]
Fetched 860 kB in 0s (23.2 MB/s)
Selecting previously unselected package gufw.
(Reading database ... 196134 files and directories currently installed.)
Preparing to unpack .../gufw_20.04.1-1ubuntu1_all.deb ...
Unpacking gufw (20.04.1-1ubuntu1) ...
Setting up gufw (20.04.1-1ubuntu1) ...
Processing triggers for desktop-file-utils (0.24-1ubuntu3) ...
Processing triggers for mime-support (3.64ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for man-db (2.9.1-1) ...
root@self:~# ls -l /bin/gufw
-rwxr-xr-x 1 root root 196 Nov 7 2019 /bin/gufw
root@self:~# ls -l /usr/bin/gufw
-rwxr-xr-x 1 root root 196 Nov 7 2019 /usr/bin/gufw
root@self:~# dpkg -S bin/gufw
gufw: /usr/bin/gufw
gufw: /usr/bin/gufw-pkexec
```

> 2nd, Line 2 of /usr/bin/gufw does not (directly) contain any "["s:
>
> 2.1$ $ nl -ba /usr/bin/gufw
> 1 #!/bin/bash
> 2 c_user=$(whoami)
> 3 pkexec gufw-pkexec $c_user
> 2.2$ file $(which whoami)
> /usr/bin/whoami: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a18184f5d26fce82fe5ccf842d3cf7b9c729030f, for GNU/Linux 3.2.0, stripped
>
> What happens if you run gufw using the bash(1) shell's -x option? I
> get:
>
> 2.3$ $ bash -x $(which gufw)
> ++ whoami
> + c_user=USER
> + pkexec gufw-pkexec USER
> Error executing command as another user: Not authorized

Thank you for the debugging hint. It appears the ’too many arguments’ error is caused by the startup script not being able to handle situation if loginctl reports more than one session matching the same username, which is virtually guaranteed when the X11 session is accessed via xrdp. Please see the following:

```
agent@self:~$ bash -x $(which gufw)
+++ loginctl
++++ whoami
+++ grep agent
+++ awk '{print $1}'
++ loginctl show-session c1 c2 -p Type
+ '[' Type=x11 Type=x11 = Type=wayland ']'
/bin/gufw: line 2: [: too many arguments
++ whoami
+ c_user=agent
+ pkexec gufw-pkexec agent
Unable to init server: Could not connect: Connection refused
Unable to init server: Could not co...

Revision history for this message
ananke (ananke) wrote :

It's worth pointing out that the issue stems from Ubuntu's symlinking /bin to /usr/bin. Because of that, 'gufw-pkexec' from /bin executes, and fails to meet the polkit policy provided by the package.

Presumably the solution would be for the package to match Ubuntu's approach, and ship a polkit policy that reflects the default path.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers