squid crash basic auth used delay_pools

Bug #2018472 reported by Vladimir
This bug affects 1 person
Affects          Status     Importance   Assigned to             Milestone
Squid            Unknown    Unknown
squid (Ubuntu)   Status tracked in Mantic
  Jammy          Triaged    Undecided    Sergio Durigan Junior
  Kinetic        Triaged    Undecided    Sergio Durigan Junior
  Lunar          Triaged    Undecided    Sergio Durigan Junior
  Mantic         Triaged    Undecided    Sergio Durigan Junior

Bug Description

Basic authentication is defined in squid.conf (users are defined in the file "USERS.internet_plain"). A separate acl and delay_pools were defined for one of the users, "luproxy".
-------------------------------------------
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl users_unlim proxy_auth luproxy
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
delay_access 1 allow users_unlim
delay_access 1 deny all
-------------------------------------------
#cat USERS.internet_plain
#
luproxy:$apr1$UpiMZE3o$n507RnSuOOIUzLBMVZ6Ea/
-------------------------------------------

If you run the request under the user "luproxy", squid will crash.

--- stack trace ---
#0 0x000055ab70417679 in Auth::SchemeConfig::CreateAuthUser (proxy_auth=proxy_auth@entry=0x55ab75beff70 "Basic bHVwcm94eTpuY2k4dUZ1aW4=", al=...) at auth/SchemeConfig.cc:55
        config = 0x55ab721763f0
        rmb = {<Packable> = {_vptr.Packable = 0x55ab707aab28 <vtable for MemBuf+16>}, static CBDATA_MemBuf = 10, buf = 0x55ab728fa210 "", size = 0, max_capacity = 2097152000, capacity = 2048, stolen = 0}
        __FUNCTION__ = <optimized out>
#1 0x000055ab7041be5d in Auth::UserRequest::authenticate (auth_user_request=0x7ffc17e859f8, headertype=Http::PROXY_AUTHORIZATION, request=0x55ab7498d9b0, conn=0x55ab74a7ec08, src_addr=..., al=...) at auth/UserRequest.cc:354
        proxy_auth = 0x55ab75beff70 "Basic bHVwcm94eTpuY2k4dUZ1aW4="
        __FUNCTION__ = <optimized out>
#2 0x000055ab7041c5bc in Auth::UserRequest::tryToAuthenticateAndSetAuthUser (aUR=0x7ffc17e859f8, headertype=Http::PROXY_AUTHORIZATION, request=0x55ab7498d9b0, conn=0x55ab74a7ec08, src_addr=..., al=...) at auth/UserRequest.cc:453
        t = {p_ = 0x0}

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: squid 5.2-1ubuntu4.3
ProcVersionSignature: Ubuntu 5.15.0-71.78-generic 5.15.92
Uname: Linux 5.15.0-71-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.4
Architecture: amd64
CasperMD5CheckResult: pass
Date: Thu May 4 15:46:00 2023
InstallationDate: Installed on 2023-05-03 (0 days ago)
InstallationMedia: Ubuntu-Server 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230217.1)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SourcePackage: squid
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.squid.squid.conf: 2023-05-04T09:14:56.250378

Vladimir (pvb2023)
description: updated
Vladimir (pvb2023)
summary: - squid crash basic auth
+ squid crash basic auth used delay_pools
Vladimir (pvb2023)
description: updated
description: updated
Sergio Durigan Junior (sergiodj) wrote :

Thanks for reporting a bug and helping make Ubuntu better.

I tried to reproduce the problem here, but I think I'm missing something. Maybe you could help me figure it out.

First, I set up squid inside a Jammy container and added the following lines to /etc/squid/squid.conf:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
acl users_unlim proxy_auth test
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
delay_access 1 allow users_unlim
delay_access 1 deny all

Then, I created the file /etc/squid/private/USERS.internet_plain and added the "test" user to it:

# htpasswd -b /etc/squid/private/USERS.internet_plain test test

I restarted the service, then created another container and tried to use curl with the proxy. Here's what I'm getting:

# curl -vvvv -x test:test@10.96.142.20:3128 example.com
* Trying 10.96.142.20:3128...
* Connected to (nil) (10.96.142.20) port 3128 (#0)
* Proxy auth using Basic with user 'test'
> GET http://example.com/ HTTP/1.1
> Host: example.com
> Proxy-Authorization: Basic dGVzdDp0ZXN0
> User-Agent: curl/7.81.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

When I look at the squid logs, I see that apparently the basic_ncsa_auth script wasn't invoked:

2023/05/09 15:44:41 kid1| Set Current Directory to /var/spool/squid
2023/05/09 15:44:41 kid1| Starting Squid Cache version 5.2 for x86_64-pc-linux-gnu...
2023/05/09 15:44:41 kid1| Service Name: squid
2023/05/09 15:44:41 kid1| Process ID 2515
2023/05/09 15:44:41 kid1| Process Roles: worker
2023/05/09 15:44:41 kid1| With 1024 file descriptors available
2023/05/09 15:44:41 kid1| Initializing IP Cache...
2023/05/09 15:44:41 kid1| DNS Socket created at [::], FD 8
2023/05/09 15:44:41 kid1| DNS Socket created at 0.0.0.0, FD 9
2023/05/09 15:44:41 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/05/09 15:44:41 kid1| Adding domain lxd from /etc/resolv.conf
2023/05/09 15:44:41 kid1| helperOpenServers: Starting 0/20 'basic_ncsa_auth' processes
2023/05/09 15:44:41 kid1| helperOpenServers: No 'basic_ncsa_auth' processes needed.
2023/05/09 15:44:41 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2023/05/09 15:44:41 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2023/05/09 15:44:41 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/05/09 15:44:41 kid1| Store logging disabled
2023/05/09 15:44:41 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/05/09 15:44:41 kid1| Target number of buckets: 1008
2023/05/09 15:44:41 kid1| Using 8192 Store buckets
2023/05/09 15:44:41 kid1| Max Mem size: 262144 KB
2023/05/09 15:44:41 kid1| Max Swap size: 0 KB

Could you please take a look at what I did and let me know if there's anything missing?

I will mark this bug as Incomplete in order to make it clear that we're still missing some reproduction steps. Please mark it back to New once you provide the required info. Thanks.

Changed in squid (Ubuntu):
status: New → Incomplete
Sergio Durigan Junior (sergiodj) wrote :

BTW, I forgot to mention that I'm also analysing the stack trace and trying to check if there's anything that could trigger the segfault.

Vladimir (pvb2023) wrote :

- my network, in which squid is located: 192.168.0.0/16
- squid address 192.168.55.35
- luproxy - test user
My minimal squid.conf to reproduce the problem. ACL my_localnet is clearly NOT my network.
--- squid.conf ---
acl my_localnet src 10.1.0.0/16
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow my_localnet AuthorizedUsers
http_access deny all
acl users_unlim proxy_auth luproxy
# Delay pools
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
delay_access 1 allow users_unlim
delay_access 1 deny all

Executing curl from a neighboring machine will return:
$ curl -vvvv -x luproxy:nci8uFuin@192.168.55.35:3128 example.com
* Rebuilt URL to: example.com/
* Trying 192.168.55.35...
* TCP_NODELAY set
* Connected to 192.168.55.35 (192.168.55.35) port 3128 (#0)
* Proxy auth using Basic with user 'luproxy'
> GET http://example.com/ HTTP/1.1
> Host: example.com
> Proxy-Authorization: Basic bHVwcm94eTpuY2k4dUZ1aW4=
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Empty reply from server
* Connection #0 to host 192.168.55.35 left intact
curl: (52) Empty reply from server

On the squid machine, we observe a crash
# tail /var/log/apport.log
ERROR: apport (pid 2511534) Sat May 13 20:10:04 2023: called for pid 2511531, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 2511534) Sat May 13 20:10:04 2023: executable: /usr/sbin/squid (command line "(squid-1) --kid squid-1 --foreground -sYC")
ERROR: apport (pid 2511534) Sat May 13 20:10:04 2023: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 2511534) Sat May 13 20:10:04 2023: wrote report /var/crash/_usr_sbin_squid.13.crash

If you specify my network in squid.conf ACL my_localnet or comment out the line "delay_access 1 allow users_unlim", squid executes the request successfully.

#acl my_localnet src 10.1.0.0/16
acl my_localnet src 192.168.0.0/16
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow my_localnet AuthorizedUsers
http_access deny all
acl users_unlim proxy_auth luproxy
# Delay pools
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
#delay_access 1 allow users_unlim
delay_access 1 deny all

Changed in squid (Ubuntu):
status: Incomplete → New
Changed in squid (Ubuntu):
status: New → Triaged
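
A configuration check for the pattern described in this report, added here as an example (not code from the reporter, Ubuntu or Squid): it lists every delay_access rule that references a proxy_auth ACL, which is the line whose removal avoided the crash. The function name and SAMPLE_CONF are assumptions made for illustration.

```python
# Constructed sample mirroring the squid.conf posted in this report,
# plus one commented-out rule to show that comments are ignored.
SAMPLE_CONF = """\
acl my_localnet src 10.1.0.0/16
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow my_localnet AuthorizedUsers
http_access deny all
acl users_unlim proxy_auth luproxy
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
delay_access 1 allow users_unlim
#delay_access 1 allow users_unlim
delay_access 1 deny all
"""


def find_auth_delay_access(conf_text):
    """Return (line_no, pool, acl_name) for each delay_access rule that
    references an ACL of type proxy_auth."""
    auth_acls = set()
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop comments, then split the directive into whitespace tokens.
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[2] == "proxy_auth":
            auth_acls.add(tokens[1])
        elif len(tokens) >= 4 and tokens[0] == "delay_access":
            # delay_access <pool> allow|deny <acl> [<acl> ...]
            rules.append((line_no, tokens[1], tokens[3:]))
    findings = []
    for line_no, pool, acl_names in rules:
        for name in acl_names:
            bare = name.lstrip("!")  # "!acl" negates the ACL but still evaluates it
            if bare in auth_acls:
                findings.append((line_no, pool, bare))
    return findings


if __name__ == "__main__":
    for line_no, pool, acl in find_auth_delay_access(SAMPLE_CONF):
        print(f"line {line_no}: delay pool {pool} is gated on proxy_auth ACL '{acl}'")
```

To audit a deployed proxy, pass the contents of /etc/squid/squid.conf to find_auth_delay_access instead of the sample.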
Athos Ribeiro (athos-ribeiro) wrote :

Reproducer:

## From the host
$ lxc launch ubuntu-daily:jammy squid-jj
$ lxc exec squid-jj bash

## From the container
# apt update && apt install -y squid
# apt install apache2-utils --no-install-recommends
# mkdir -p /etc/squid/private
# htpasswd -bpc /etc/squid/private/USERS.internet_plain luproxy nci8uFuin
# cat <<EOF >> /etc/squid/squid.conf
acl my_localnet src all
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/private/USERS.internet_plain
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow my_localnet AuthorizedUsers
http_access deny all
acl users_unlim proxy_auth luproxy
# Delay pools
delay_pools 1
delay_class 1 1
delay_parameters 1 1024/1024
delay_access 1 allow users_unlim
delay_access 1 deny all
EOF
# systemctl restart squid

## From the host
$ curl -vvvv -x luproxy:nci8uFuin@CONTAINER_IP_ADDRESS:3128 SOME_URL

This should return an error and you should now be able to see the error in /var/log/apport.log in the container.

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the reproducer, Athos. I could verify that the problem happens as expected here. I also noticed that my previous attempt at reproducing the failure was successful, but I failed to notice the segfault being reported by apport.

I did a cursory investigation but couldn't find anything strange. I filed an upstream bug and linked it here; meanwhile, I'll see if I can look deeper into the issue.

tags: added: server-todo
Changed in squid (Ubuntu Jammy):
status: New → Triaged
Changed in squid (Ubuntu Kinetic):
status: New → Triaged
Changed in squid (Ubuntu Lunar):
status: New → Triaged
Changed in squid (Ubuntu Jammy):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in squid (Ubuntu Kinetic):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in squid (Ubuntu Lunar):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in squid (Ubuntu Mantic):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Sergio Durigan Junior (sergiodj) wrote :

After discussing this bug briefly during our last housekeeping call, I decided to remove the server-todo tag from it in order to reflect the fact that we're pretty much waiting on upstream to fix the problem. When there's a movement in the upstream bug, I will update this one accordingly.

tags: removed: server-todo