[Bug 1980095] Re: libnfsidmap built without hardening flags

Steve Langasek 1980095 at bugs.launchpad.net
Fri Aug 19 23:44:51 UTC 2022


hardening-no-bindnow is not super critical for a library such as this;
the risk of a security vulnerability as a result of symbols being
overridden from the outside, for a library with constrained applications
such as libnfsidmap, is not great.  I would like to see a test case here
that addresses the greater issue of hardening-no-fortify-functions.

** Changed in: nfs-utils (Ubuntu Jammy)
       Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1980095

Title:
  libnfsidmap built without hardening flags

Status in nfs-utils package in Ubuntu:
  Fix Released
Status in nfs-utils source package in Jammy:
  Incomplete

Bug description:
  [Impact]

  Hardening build flags are an integral part of Ubuntu security[1], and
  were accidentally dropped from nfs-utils when the merge for version
  2.6.x happened during the jammy development cycle.

  Check that link[1] for "Built with BIND_NOW".

  [Test Plan]

  The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
  - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)

  Another way to check is to run hardening-check, from the
  ubuntu-dev-tools package, on each binary object from the package, and
  verify that "Immediate binding" changed from "no" (previous package) to
  "yes":

  $ for n in $(dpkg -L libnfsidmap1 | grep \\.so); do hardening-check $n > $(basename $n).txt; done
  $ for n in $(dpkg -L nfs-common|grep bin/); do hardening-check $n > $(basename $n).txt; done
  $ for n in $(dpkg -L nfs-kernel-server|grep bin/); do hardening-check $n > $(basename $n).txt; done

  $ grep Immediate *.txt
  blkmapd.txt: Immediate binding: yes
  exportfs.txt: Immediate binding: yes
  libnfsidmap.so.1.0.0.txt: Immediate binding: yes
  libnfsidmap.so.1.txt: Immediate binding: yes
  mount.nfs.txt: Immediate binding: yes
  mount.nfs4.txt: Immediate binding: yes
  nfsconf.txt: Immediate binding: yes
  nfsdcld.txt: Immediate binding: yes
  nfsdcltrack.txt: Immediate binding: yes
  nfsidmap.txt: Immediate binding: yes
  nfsstat.txt: Immediate binding: yes
  nsswitch.so.txt: Immediate binding: yes
  rpc.gssd.txt: Immediate binding: yes
  rpc.idmapd.txt: Immediate binding: yes
  rpc.mountd.txt: Immediate binding: yes
  rpc.nfsd.txt: Immediate binding: yes
  rpc.statd.txt: Immediate binding: yes
  rpc.svcgssd.txt: Immediate binding: yes
  rpcdebug.txt: Immediate binding: yes
  showmount.txt: Immediate binding: yes
  sm-notify.txt: Immediate binding: yes
  static.so.txt: Immediate binding: yes
  umich_ldap.so.txt: Immediate binding: yes
  umount.nfs.txt: Immediate binding: yes
  umount.nfs4.txt: Immediate binding: yes

  
  [Where problems could occur]

  This is rebuilding a package with new compiler flags, even though they
  were there before. Regressions for such cases are either very quickly
  caught, or only when a bigger user base tries the changes out. In the
  case of nfs, it seems worth the risk, since it's a privileged service
  that deals with network data.

  [Other Info]
  I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.

  1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
  2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
  3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39

  [Original Description]

  $ grep hardening ../lintian.log
  I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
  I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
  I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
  I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
  I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
  I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]

  It was there before when we had src:libnfsidmap:
  https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10

  But we lost it when src:nfs-utils incorporated the libnfsidmap code.

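The two properties discussed in this bug, immediate binding and fortified libc calls, can be read directly from `readelf` output. The script below is an added example, not part of the bug report and not the code of hardening-check; the `FORTIFIABLE` list is an assumed partial list and the sample `readelf` text is constructed.

```shell
#!/bin/sh
# Added example: classify ELF objects from readelf text output.
# FORTIFIABLE is an assumed, partial list of libc calls that have _chk variants.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf vsnprintf fgets read"

# stdin: `readelf -d FILE`. Prints yes/no. Immediate binding shows up as a
# BIND_NOW tag, BIND_NOW in DT_FLAGS, or NOW in DT_FLAGS_1.
bindnow_status() {
    if grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).* NOW( |$)'; then
        echo yes
    else
        echo no
    fi
}

# stdin: `readelf --dyn-syms FILE`. Counts undefined (imported) symbols that
# are fortified wrappers (__foo_chk) versus plain fortifiable calls.
fortify_status() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $7 == "UND" {
            name = $8; sub(/@.*/, "", name)
            if (name ~ /^__.*_chk$/) { prot++ }
            else if (name in want) { unprot++ }
        }
        END { printf "protected=%d unprotected=%d\n", prot, unprot }'
}

# Constructed sample readelf output (not taken from the nfs-utils build).
SAMPLE_DYN_LAZY=' 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000e (SONAME)   Library soname: [regex.so]'
SAMPLE_DYN_NOW="$SAMPLE_DYN_LAZY
 0x000000000000001e (FLAGS)    BIND_NOW
 0x000000006ffffffb (FLAGS_1)  Flags: NOW"
SAMPLE_SYMS='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)'

# Usage: sh check.sh FILE...   (needs readelf; does nothing without arguments)
for f in "$@"; do
    printf '%s: bindnow=%s %s\n' "$f" \
        "$(readelf -d "$f" | bindnow_status)" \
        "$(readelf --dyn-syms "$f" | fortify_status)"
done
```

A non-zero unprotected count alone does not prove a missing flag, because the compiler leaves calls unfortified when it cannot determine the destination size; protected=0 together with unprotected greater than 0 is the combination worth investigating.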