public inbox for glibc-bugs@sourceware.org
* [Bug network/27389] New: getaddrinfo in chroot broken by added dlopen block
From: sjon at hortensius dot net @ 2021-02-10 8:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Bug ID: 27389
Summary: getaddrinfo in chroot broken by added dlopen block
Product: glibc
Version: 2.33
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: sjon at hortensius dot net
Target Milestone: ---
I have an issue that I suspect is caused by a recent glibc change, but I
haven't 100% ruled out another cause, so this report might be bogus.
I use PHP-FPM [1] with chroots enabled. Since upgrading glibc, name resolving
(via DNS) fails with "getaddrinfo failed: System error" in my chroot and I'm
pretty sure it is caused by the recently added "Block attempts to dlopen any
module we haven't already opened" [2].
What seems to happen is that the PHP-FPM master process only loads
libnss_files.so.2 and libnss_systemd.so.2 because it uses that to resolve the
username (it matches nsswitch which contains: "passwd: files systemd").
If any of the FPM workers then attempts to perform dns resolving, that fails
because libnss_dns.so.2 has not been loaded yet (even though I made it
available in the chroot), and due to the recent change, it won't be loaded
either.
I have confirmed I can "fix" it by forcing the fpm master to load the dns
module by modifying nsswitch.conf outside of the chroot to contain "passwd:
dns files systemd"; this fixes it.
1. https://www.php.net/manual/en/install.fpm.php
2. https://github.com/bminor/glibc/commit/429029a73ec2dba7f808f69ec8b9e3d84e13e804#diff-9305f1992144bc8c923a840d44827642f1c3f57e3df85a69357fff2fe7370fb8R352
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug network/27389] getaddrinfo in chroot broken by added dlopen block
From: sjon at hortensius dot net @ 2021-02-10 8:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
--- Comment #1 from sjon at hortensius dot net ---
Some more information for clarification:
# grep dns /etc/nsswitch
hosts: files dns
# strace -eopenat -f /usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf 2>&1|grep nss
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = 22
# curl https://localhost/test.php
getaddrinfo failed: System error
--
# grep dns /etc/nsswitch
passwd: dns files systemd
hosts: files dns
# strace -eopenat -f /usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf 2>&1|grep nss
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib/libnss_systemd.so.2", O_RDONLY|O_CLOEXEC) = 22
# curl https://localhost/test.php
works
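The report and the strace output above boil down to a set difference: the modules a post-chroot lookup needs, minus the modules some pre-chroot lookup already opened. The following is an added example, not code from the thread or from glibc; it models the 2.33 rule as the reporter describes it and assumes that every service listed for a database is opened when that database is consulted (as the passwd lookup above shows). The two nsswitch.conf samples are constructed copies of the ones in the report.

```python
import re

# Constructed copies of the two nsswitch.conf variants shown in the report above.
BROKEN_CONF = """\
passwd: files systemd
hosts: files dns
"""
WORKAROUND_CONF = """\
passwd: dns files systemd
hosts: files dns
"""

_ACTION = re.compile(r"\[[^\]]*\]")  # e.g. [NOTFOUND=return]; never a module name


def parse_nsswitch(text):
    """Map each database to its ordered service list, skipping comments and actions."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, services = line.split(":", 1)
        dbs[db.strip()] = _ACTION.sub(" ", services).split()
    return dbs


def modules_for(dbs, databases):
    """NSS shared objects opened when the given databases are consulted.
    Assumption (matches the passwd strace above): every listed service is loaded."""
    return {f"libnss_{svc}.so.2" for db in databases for svc in dbs.get(db, [])}


def unloadable_after_chroot(text, pre_chroot_dbs, post_chroot_dbs):
    """Modules a post-chroot lookup needs that the 2.33 rule refuses to dlopen,
    because no pre-chroot lookup ever opened them. Empty list means lookups work."""
    dbs = parse_nsswitch(text)
    return sorted(modules_for(dbs, post_chroot_dbs) - modules_for(dbs, pre_chroot_dbs))


if __name__ == "__main__":
    # php-fpm master resolves the worker user (passwd) before chroot;
    # workers then resolve host names (hosts) inside it.
    for name, conf in (("reported", BROKEN_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, unloadable_after_chroot(conf, ["passwd"], ["hosts"]))
```

Run against a real /etc/nsswitch.conf with the databases a service touches before and after chroot(), a non-empty result is the list of modules that must be forced to load (or copied in and loaded) before the chroot.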
* [Bug network/27389] getaddrinfo in chroot broken by added dlopen block
From: fweimer at redhat dot com @ 2021-02-16 12:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security-
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
I've started a discussion on libc-alpha:
NSS chroot protection
https://sourceware.org/pipermail/libc-alpha/2021-February/122714.html
* [Bug network/27389] getaddrinfo in chroot broken by added dlopen block
From: hyc at symas dot com @ 2021-02-16 14:47 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Howard Chu <hyc at symas dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hyc at symas dot com
--- Comment #3 from Howard Chu <hyc at symas dot com> ---
(In reply to Florian Weimer from comment #2)
> I've started a discussion on libc-alpha:
>
> NSS chroot protection
> https://sourceware.org/pipermail/libc-alpha/2021-February/122714.html
Can you link to more context on what security regressions this change was meant
to address? Chrooted servers have been running for decades using the NSS
databases of the chroot jail, and this change breaks all of them.
* [Bug network/27389] getaddrinfo in chroot broken by added dlopen block
From: fweimer at redhat dot com @ 2021-02-16 14:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
It's CVE-2019-14271:
https://nvd.nist.gov/vuln/detail/CVE-2019-14271
(The Docker fix is likely incomplete depending on nsswitch.conf contents.)
That issue is of no concern once the service is running, it applies to the
construction of the chroot contents from the outside.
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: fweimer at redhat dot com @ 2021-02-17 13:37 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|getaddrinfo in chroot broken by added dlopen block |NSS chroot hardening causes regressions in chroot deployments
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: fweimer at redhat dot com @ 2021-02-17 13:37 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=27077
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: stli at linux dot ibm.com @ 2021-02-17 14:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Stefan Liebler <stli at linux dot ibm.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stli at linux dot ibm.com
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: fweimer at redhat dot com @ 2021-03-04 11:46 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Target Milestone|--- |2.34
Resolution|--- |FIXED
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.34. Also backported to 2.33.
commit 58673149f37389495c098421085ffdb468b3f7ad
Author: DJ Delorie <dj@redhat.com>
Date: Thu Feb 18 15:26:30 2021 -0500
nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all modules was disabled
when the root filesystem changes (see bug 27077).
Unfortunately php-fpm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.
In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: crosser at average dot org @ 2021-03-11 8:13 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Eugene Crosser <crosser at average dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |crosser at average dot org
--- Comment #6 from Eugene Crosser <crosser at average dot org> ---
Just as a note, the change has also broken postfix. Its smtp client enters
chroot after start, and then down the road calls `getservbyname()` which fails.
* [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
From: fweimer at redhat dot com @ 2021-09-01 9:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27389
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=28297