[Bug 1788459] Re: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd

Sergio Durigan Junior 1788459 at bugs.launchpad.net
Wed Jun 30 18:33:54 UTC 2021 

I am taking care of this one.

It is important to mention that this could arguably be considered to be
a bug on libselinux, given that it shouldn't dereference pointers
without checking first (especially pointers that were passed to the
library by its clients).  However, in this case it makes sense to fix
this in gssproxy as well.

** Description changed:

+ [ Impact ]
  
- I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy.   
+ gssproxy users on Focal and Hiruste who configure the package to handle
+ NFS mountpoints using Kerberos authentication will experience a
+ segmentation fault when invoking the service either through systemd or
+ by hand.
+ 
+ [ Test Case]
+ 
+ Inside a Focal LXD container:
+ 
+ $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
+ $ lxc shell gssproxy-bug1788459-focal
+ # apt update
+ # apt install -y gssproxy nfs-kernel-server
+ # cat > /etc/gssproxy/gssproxy.conf << __EOF__
+ [gssproxy]
+ debug = true
+ debug_level = 3
+ __EOF__
+ # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
+ [service/nfs-server]
+ mechs = krb5
+ socket = /run/gssproxy.sock
+ cred_store = keytab:/etc/krb5.keytab
+ trusted = yes
+ kernel_nfsd = yes
+ euid = 0
+ __EOF__
+ # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
+ [2021/06/30 14:34:14]: Debug Enabled (level: 3) 
+ [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
+ [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
+ [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]:  connected (fd = 12)[2021/06/30 14:34:14]:  (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
+ lt (core dumped)
+ 
+ [ Where problems could occur ]
+ 
+ * The backported patch is simple and it is very unlikely that it will introduce a regression.
+ * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
+ 
+ [ Original Description ]
+ 
+ I have apache configured to perform a kerberized NFS4 mount using
+ rpc.gssd and gssproxy.
  
  If I request a web page that requires NFS4 access, then gssproxy
  crashes, reporting a segfault in libselinux.so.1 and the web request
  generates a 403 error.
  
  gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
  error 4 in libselinux.so.1[7f2f5bb0d000+25000]
  
  If I run gssproxy at debug level = 3, and then load a web page, I can
  see the uid/principal request for www-data come in from rpc.gssd:
  
  # gssproxy -d --debug-level=3 -i -C /etc/gssproxy
  
  [2018/08/22 17:51:40]: Debug Enabled (level: 3)
  [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]:  connected (fd = 10)[2018/08/22 17:52:06]:  (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)
  
  Since gssproxy is required to initiate kerberos principals for any local
  application services - Ubuntu 18.04 does not currently support running
  application services with NFS4 kerberos dependencies.  This has a fairly
  significant impact on anyone attempting to implement kerberos on Ubuntu
  18.04
  
- 
  Ubuntu 18.04.1 LTS
  gssproxy 0.8.0-1
  libselinux1:amd64 2.7-2build2
  libgssrpc4:amd64 1.16-2build1

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1788459

Title:
  gssproxy  crashes in libselinux.so.1 on Ubuntu 18.04 when called by
  rpc.gssd

Status in gssproxy package in Ubuntu:
  In Progress
Status in libselinux package in Ubuntu:
  Invalid
Status in gssproxy source package in Focal:
  In Progress
Status in libselinux source package in Focal:
  Invalid
Status in gssproxy source package in Hirsute:
  In Progress
Status in libselinux source package in Hirsute:
  Invalid

Bug description:
  [ Impact ]

  gssproxy users on Focal and Hiruste who configure the package to
  handle NFS mountpoints using Kerberos authentication will experience a
  segmentation fault when invoking the service either through systemd or
  by hand.

  [ Test Case]

  Inside a Focal LXD container:

  $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
  $ lxc shell gssproxy-bug1788459-focal
  # apt update
  # apt install -y gssproxy nfs-kernel-server
  # cat > /etc/gssproxy/gssproxy.conf << __EOF__
  [gssproxy]
  debug = true
  debug_level = 3
  __EOF__
  # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__
  [service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0
  __EOF__
  # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock
  [2021/06/30 14:34:14]: Debug Enabled (level: 3) 
  [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
  [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
  [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]:  connected (fd = 12)[2021/06/30 14:34:14]:  (pid = 3428) (uid = 0) (gid = 0)Segmentation fau
  lt (core dumped)

  [ Where problems could occur ]

  * The backported patch is simple and it is very unlikely that it will introduce a regression.
  * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.

  [ Original Description ]

  I have apache configured to perform a kerberized NFS4 mount using
  rpc.gssd and gssproxy.

  If I request a web page that requires NFS4 access, then gssproxy
  crashes, reporting a segfault in libselinux.so.1 and the web request
  generates a 403 error.

  gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150
  error 4 in libselinux.so.1[7f2f5bb0d000+25000]

  If I run gssproxy at debug level = 3, and then load a web page, I can
  see the uid/principal request for www-data come in from rpc.gssd:

  # gssproxy -d --debug-level=3 -i -C /etc/gssproxy

  [2018/08/22 17:51:40]: Debug Enabled (level: 3)
  [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]:  connected (fd = 10)[2018/08/22 17:52:06]:  (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped)

  Since gssproxy is required to initiate kerberos principals for any
  local application services - Ubuntu 18.04 does not currently support
  running application services with NFS4 kerberos dependencies.  This
  has a fairly significant impact on anyone attempting to implement
  kerberos on Ubuntu 18.04

  Ubuntu 18.04.1 LTS
  gssproxy 0.8.0-1
  libselinux1:amd64 2.7-2build2
  libgssrpc4:amd64 1.16-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions

More information about the foundations-bugs mailing list