[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Andreas Hasenack
andreas at canonical.com
Fri Jun 16 15:14:40 UTC 2017
I can confirm the problem reported originally in this bug (all those
segfaults after the upgrade) only happen if you have winbind listed
first, ahead of files or compat.
Any particular reason why that order was chosen? There will for sure be
a "blip" in the winbind service during the upgrade, and having the
system users fail to be resolved is bound to be catastrophic.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
Fix Released
Status in samba source package in Trusty:
Fix Released
Status in samba source package in Xenial:
Fix Committed
Status in samba source package in Yakkety:
Fix Committed
Status in samba package in Debian:
New
Bug description:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case 1]
Verify that the regression reported in bug 1644428 has not recurred.
[Test Case 2]
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
> -unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
latest version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
More information about the foundations-bugs
mailing list