I am taking care of this one. It is important to mention that this could arguably be considered to be a bug on libselinux, given that it shouldn't dereference pointers without checking first (especially pointers that were passed to the library by its clients). However, in this case it makes sense to fix this in gssproxy as well.
** Description changed: + [ Impact ] - I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. + gssproxy users on Focal and Hiruste who configure the package to handle + NFS mountpoints using Kerberos authentication will experience a + segmentation fault when invoking the service either through systemd or + by hand. + + [ Test Case] + + Inside a Focal LXD container: + + $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal + $ lxc shell gssproxy-bug1788459-focal + # apt update + # apt install -y gssproxy nfs-kernel-server + # cat > /etc/gssproxy/gssproxy.conf << __EOF__ + [gssproxy] + debug = true + debug_level = 3 + __EOF__ + # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__ + [service/nfs-server] + mechs = krb5 + socket = /run/gssproxy.sock + cred_store = keytab:/etc/krb5.keytab + trusted = yes + kernel_nfsd = yes + euid = 0 + __EOF__ + # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock + [2021/06/30 14:34:14]: Debug Enabled (level: 3) + [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203) + [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18 + [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau + lt (core dumped) + + [ Where problems could occur ] + + * The backported patch is simple and it is very unlikely that it will introduce a regression. + * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex. + + [ Original Description ] + + I have apache configured to perform a kerberized NFS4 mount using + rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 - Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
