memcached looks for SASL configuration at wrong path /etc/sasl2/memcached.conf/memcached.conf (18.04→20.04 regression)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
memcached (Ubuntu) | Fix Released | High | Sergio Durigan Junior |
Eoan | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Bug Description
[Impact]
memcached 1.5.22 in focal has a bug where it looks for its SASL configuration at /etc/sasl2/
The bug was introduced upstream in 1.5.7~3:
https:/
https:/
https:/
and fixed upstream in 1.6.0~15:
https:/
This bug happens because SASL works with paths (i.e., directories) when determining which configuration files it should load, whereas, after the two commits mentioned above (version 1.5.7~3), memcached started to pass the full pathname (including the filename) of the configuration file.
So, while in a "normal" setup memcached's configuration file would live at /etc/sasl2/
Users could work around this bug by creating a directory named "/etc/sasl2/
[Test Case]
To test the fix, one can do:
$ lxc launch ubuntu-daily:focal memcached-bug1878721
$ lxc shell memcached-bug1878721
# apt update && apt upgrade -y
# apt install -y memcached libmemcached-tools libsasl2-modules sasl2-bin
# mkdir -p /etc/sasl2
# cat > /etc/sasl2/
mech_list: plain
sasldb_path: /etc/sasl2/
__EOF__
# echo bar | saslpasswd2 -p -f /etc/sasl2/
# chown memcache: /etc/sasl2/
# echo '-S' >> /etc/memcached.conf
# systemctl restart memcached.service
# memcping --servers=127.0.0.1 --binary --username=foo --password=bar
With the last command, you should see an error like:
Failed to ping 127.0.0.1:11211 WRITE FAILURE
or:
Failed to ping 127.0.0.1:11211 READ FAILURE
You can also check its exit status:
# echo $?
1
It is possible to test the workaround mentioned in the previous section by doing:
# mv /etc/sasl2/
# mkdir /etc/sasl2/
# mv /tmp/memcached.conf /etc/sasl2/
# systemctl restart memcached.service
# memcping --servers=127.0.0.1 --binary --username=foo --password=bar
# echo $?
0
Using the fix provided, one can verify that both tests above will work.
Here are all four locations that will now work by default:
• /etc/sasl/
• /etc/sasl/
• /etc/sasl2/
• /etc/sasl2/
[Regression Potential]
Low risk. The upstream patch is targeted and applies cleanly to 1.5.22. It looks for the SASL configuration at both the incorrect and correct paths, so even in the (unlikely) event that someone worked around this bug by manually creating a configuration file at the incorrect path /etc/sasl2/
If there were to be a regression, it would likely manifest as an authentication failure, which clients may display as a read or write failure, like the failure mode of the regression being fixed here.
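An added example, not part of the bug report or of the memcached packaging: a shell check that reports whether `-S` is set in /etc/memcached.conf and whether the SASL configuration sits at the normal file path or at the doubled path from the bug title. The function names and the ROOT prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. Paths are resolved under ROOT (default "/") so the check
# can be exercised against a scratch directory.

# Print where the SASL config for memcached sits under ROOT:
#   correct    - regular file at /etc/sasl2/memcached.conf
#   workaround - directory at that path holding memcached.conf
#                (the /etc/sasl2/memcached.conf/memcached.conf path in the title)
#   empty-dir  - directory at that path with no config inside
#   missing    - nothing at that path
sasl_layout() {
    root=${1:-/}; root=${root%/}
    conf="$root/etc/sasl2/memcached.conf"
    if [ -f "$conf" ]; then echo correct
    elif [ -d "$conf" ] && [ -f "$conf/memcached.conf" ]; then echo workaround
    elif [ -d "$conf" ]; then echo empty-dir
    else echo missing
    fi
}

# Succeed if an uncommented -S line (SASL on) is in ROOT/etc/memcached.conf.
sasl_enabled() {
    root=${1:-/}; root=${root%/}
    grep -Eq -- '^[[:space:]]*-S([[:space:]]|$)' "$root/etc/memcached.conf" 2>/dev/null
}

# Combine both checks into one line, e.g. "sasl-on:workaround".
sasl_audit() {
    if sasl_enabled "$1"; then state=sasl-on; else state=sasl-off; fi
    echo "$state:$(sasl_layout "$1")"
}

sasl_audit "${1:-/}"
```

A result of `sasl-on:workaround` identifies a host that still relies on the directory workaround; `sasl-on:missing` or `sasl-on:empty-dir` means SASL is enabled with no configuration at either path.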
Related branches
- Bryce Harrington (community): Approve
- Anders Kaseorg (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Diff: 144 lines (+122/-0), 3 files modified
  debian/changelog (+18/-0)
  debian/patches/fix-bug-where-sasl-will-load-config-the-wrong-path.patch (+103/-0)
  debian/patches/series (+1/-0)
- Bryce Harrington (community): Approve
- Anders Kaseorg (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Diff: 158 lines (+124/-1), 4 files modified
  debian/changelog (+18/-0)
  debian/control (+2/-1)
  debian/patches/fix-bug-where-sasl-will-load-config-the-wrong-path.patch (+103/-0)
  debian/patches/series (+1/-0)
Changed in memcached (Ubuntu Eoan):
status: New → Triaged
tags: added: block-proposed-eoan block-proposed-focal block-proposed-groovy
Changed in memcached (Ubuntu Focal):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in memcached (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in memcached (Ubuntu Focal):
assignee: Sergio Durigan Junior (sergiodj) → nobody
no longer affects: memcached (Ubuntu Bionic)
description: updated
tags: removed: block-proposed-eoan block-proposed-focal block-proposed-groovy
Here’s a debdiff with the upstream patch. I built this in https://launchpad.net/~andersk/+archive/ubuntu/ppa and verified it against the test case.