2018-08-22 18:12:13 |
Robert Taylor |
bug |
|
|
added bug |
2018-08-22 18:27:22 |
Robert Taylor |
bug task added |
|
krb5 (Ubuntu) |
|
2018-08-22 18:28:12 |
Robert Taylor |
bug task added |
|
libselinux (Ubuntu) |
|
2018-08-22 18:31:26 |
Robert Taylor |
summary |
gssproxy in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd |
gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd |
|
2018-09-06 18:52:03 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2021-06-28 14:39:58 |
Launchpad Janitor |
gssproxy (Ubuntu): status |
New |
Confirmed |
|
2021-06-28 14:39:58 |
Launchpad Janitor |
krb5 (Ubuntu): status |
New |
Confirmed |
|
2021-06-28 14:39:58 |
Launchpad Janitor |
libselinux (Ubuntu): status |
New |
Confirmed |
|
2021-06-29 13:33:44 |
Koen Dierckx |
attachment added |
|
/var/crash/_usr_sbin_gssproxy.0.crash https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+attachment/5507903/+files/_usr_sbin_gssproxy.0.crash |
|
2021-06-30 18:19:06 |
Sergio Durigan Junior |
gssproxy (Ubuntu): status |
Confirmed |
In Progress |
|
2021-06-30 18:19:08 |
Sergio Durigan Junior |
gssproxy (Ubuntu): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2021-06-30 18:19:13 |
Sergio Durigan Junior |
gssproxy (Ubuntu): importance |
Undecided |
Medium |
|
2021-06-30 18:19:42 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Focal |
|
2021-06-30 18:19:42 |
Sergio Durigan Junior |
bug task added |
|
krb5 (Ubuntu Focal) |
|
2021-06-30 18:19:42 |
Sergio Durigan Junior |
bug task added |
|
libselinux (Ubuntu Focal) |
|
2021-06-30 18:19:42 |
Sergio Durigan Junior |
bug task added |
|
gssproxy (Ubuntu Focal) |
|
2021-06-30 18:20:30 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Hirsute |
|
2021-06-30 18:20:30 |
Sergio Durigan Junior |
bug task added |
|
krb5 (Ubuntu Hirsute) |
|
2021-06-30 18:20:30 |
Sergio Durigan Junior |
bug task added |
|
libselinux (Ubuntu Hirsute) |
|
2021-06-30 18:20:30 |
Sergio Durigan Junior |
bug task added |
|
gssproxy (Ubuntu Hirsute) |
|
2021-06-30 18:20:39 |
Sergio Durigan Junior |
krb5 (Ubuntu): status |
Confirmed |
Invalid |
|
2021-06-30 18:20:51 |
Sergio Durigan Junior |
bug task deleted |
krb5 (Ubuntu) |
|
|
2021-06-30 18:21:02 |
Sergio Durigan Junior |
bug task deleted |
krb5 (Ubuntu Focal) |
|
|
2021-06-30 18:21:08 |
Sergio Durigan Junior |
bug task deleted |
krb5 (Ubuntu Hirsute) |
|
|
2021-06-30 18:21:25 |
Sergio Durigan Junior |
libselinux (Ubuntu): status |
Confirmed |
Invalid |
|
2021-06-30 18:21:28 |
Sergio Durigan Junior |
libselinux (Ubuntu Focal): status |
New |
Invalid |
|
2021-06-30 18:21:30 |
Sergio Durigan Junior |
libselinux (Ubuntu Hirsute): status |
New |
Invalid |
|
2021-06-30 18:21:40 |
Sergio Durigan Junior |
gssproxy (Ubuntu Focal): status |
New |
In Progress |
|
2021-06-30 18:21:43 |
Sergio Durigan Junior |
gssproxy (Ubuntu Hirsute): status |
New |
In Progress |
|
2021-06-30 18:21:46 |
Sergio Durigan Junior |
gssproxy (Ubuntu Focal): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2021-06-30 18:21:48 |
Sergio Durigan Junior |
gssproxy (Ubuntu Hirsute): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2021-06-30 18:32:23 |
Sergio Durigan Junior |
description |
I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000]
If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
Since gssproxy is required to initiate Kerberos principals for any local application services, Ubuntu 18.04 does not currently support running application services with NFS4 Kerberos dependencies. This has a fairly significant impact on anyone attempting to implement Kerberos on Ubuntu 18.04.
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1 |
[ Impact ]
gssproxy users on Focal and Hirsute who configure the package to handle NFS mountpoints using Kerberos authentication will experience a segmentation fault when invoking the service either through systemd or by hand.
[ Test Case ]
Inside a Focal LXD container:
$ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
$ lxc shell gssproxy-bug1788459-focal
# apt update
# apt install -y gssproxy nfs-kernel-server
# cat > /etc/gssproxy/gssproxy.conf << __EOF__
[gssproxy]
debug = true
debug_level = 3
__EOF__
# cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
__EOF__
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
[2021/06/30 14:34:14]: Debug Enabled (level: 3)
[2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fault (core dumped)
[ Where problems could occur ]
* The backported patch is simple and it is very unlikely that it will introduce a regression.
* As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
[ Original Description ]
I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000]
If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
Since gssproxy is required to initiate Kerberos principals for any local application services, Ubuntu 18.04 does not currently support running application services with NFS4 Kerberos dependencies. This has a fairly significant impact on anyone attempting to implement Kerberos on Ubuntu 18.04.
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1 |
|
2021-06-30 18:53:00 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/gssproxy/+git/gssproxy/+merge/404982 |
|
2021-06-30 18:53:10 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/gssproxy/+git/gssproxy/+merge/404983 |
|
2021-07-02 13:37:14 |
Timo Aaltonen |
gssproxy (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
2021-07-02 13:37:16 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-07-02 13:37:19 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2021-07-02 13:37:23 |
Timo Aaltonen |
tags |
kerberos nfs4 security |
kerberos nfs4 security verification-needed verification-needed-hirsute |
|
2021-07-02 13:40:56 |
Timo Aaltonen |
gssproxy (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2021-07-02 13:41:01 |
Timo Aaltonen |
tags |
kerberos nfs4 security verification-needed verification-needed-hirsute |
kerberos nfs4 security verification-needed verification-needed-focal verification-needed-hirsute |
|
2021-10-01 19:30:25 |
Brian Murray |
tags |
kerberos nfs4 security verification-needed verification-needed-focal verification-needed-hirsute |
kerberos nfs4 removal-candidate security verification-needed verification-needed-focal verification-needed-hirsute |
|
2021-10-04 18:35:57 |
Sergio Durigan Junior |
tags |
kerberos nfs4 removal-candidate security verification-needed verification-needed-focal verification-needed-hirsute |
kerberos nfs4 removal-candidate security verification-done-focal verification-done-hirsute |
|
2021-10-04 18:36:15 |
Sergio Durigan Junior |
tags |
kerberos nfs4 removal-candidate security verification-done-focal verification-done-hirsute |
kerberos nfs4 security verification-done-focal verification-done-hirsute |
|
2021-10-05 16:16:17 |
Launchpad Janitor |
gssproxy (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
2021-10-05 16:16:21 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-10-05 16:16:44 |
Launchpad Janitor |
gssproxy (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-10-06 16:30:21 |
Sergio Durigan Junior |
gssproxy (Ubuntu): status |
In Progress |
Invalid |
|