gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gssproxy (Ubuntu) |
Invalid
|
Medium
|
Sergio Durigan Junior | ||
Focal |
Fix Released
|
Undecided
|
Sergio Durigan Junior | ||
Hirsute |
Fix Released
|
Undecided
|
Sergio Durigan Junior | ||
libselinux (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Invalid
|
Undecided
|
Unassigned | ||
Hirsute |
Invalid
|
Undecided
|
Unassigned |
Bug Description
[ Impact ]
gssproxy users on Focal and Hiruste who configure the package to handle NFS mountpoints using Kerberos authentication will experience a segmentation fault when invoking the service either through systemd or by hand.
[ Test Case]
Inside a Focal LXD container:
$ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal
$ lxc shell gssproxy-bug1788459-focal
# apt update
# apt install -y gssproxy nfs-kernel-server
# cat > /etc/gssproxy/
[gssproxy]
debug = true
debug_level = 3
__EOF__
# cat >> /etc/gssproxy/
[service/
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:
trusted = yes
kernel_nfsd = yes
euid = 0
__EOF__
# /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=
[2021/06/30 14:34:14]: Debug Enabled (level: 3)
[2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203)
[2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18
[2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/
lt (core dumped)
[ Where problems could occur ]
* The backported patch is simple and it is very unlikely that it will introduce a regression.
* As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex.
[ Original Description ]
I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy.
If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error.
gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.
If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd:
# gssproxy -d --debug-level=3 -i -C /etc/gssproxy
[2018/08/22 17:51:40]: Debug Enabled (level: 3)
[2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/
Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04
Ubuntu 18.04.1 LTS
gssproxy 0.8.0-1
libselinux1:amd64 2.7-2build2
libgssrpc4:amd64 1.16-2build1
Related branches
- Bryce Harrington (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 85 lines (+53/-1)4 files modifieddebian/changelog (+8/-0)
debian/control (+2/-1)
debian/patches/0001-Fix-handling-of-selinux-context-when-NULL.patch (+42/-0)
debian/patches/series (+1/-0)
- Bryce Harrington (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 85 lines (+53/-1)4 files modifieddebian/changelog (+8/-0)
debian/control (+2/-1)
debian/patches/0001-Fix-handling-of-selinux-context-when-NULL.patch (+42/-0)
debian/patches/series (+1/-0)
summary: |
- gssproxy in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd + gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by + rpc.gssd |
Changed in gssproxy (Ubuntu): | |
status: | Confirmed → In Progress |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
importance: | Undecided → Medium |
Changed in krb5 (Ubuntu): | |
status: | Confirmed → Invalid |
no longer affects: | krb5 (Ubuntu) |
no longer affects: | krb5 (Ubuntu Focal) |
no longer affects: | krb5 (Ubuntu Hirsute) |
Changed in libselinux (Ubuntu): | |
status: | Confirmed → Invalid |
Changed in libselinux (Ubuntu Focal): | |
status: | New → Invalid |
Changed in libselinux (Ubuntu Hirsute): | |
status: | New → Invalid |
Changed in gssproxy (Ubuntu Focal): | |
status: | New → In Progress |
Changed in gssproxy (Ubuntu Hirsute): | |
status: | New → In Progress |
Changed in gssproxy (Ubuntu Focal): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Changed in gssproxy (Ubuntu Hirsute): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Can you simplify the configuration needed to reproduce this bug? For example, does it happen when using gssapi authentication with apache, without the NFSv4 bit?