13693 2007-12-13 20:49:20 +0300 Linking libgcrypt with libcap results in non-working vpnc 2008-07-21 12:37:33 +0400 1 1 4 Development Sisyphus libgcrypt unstable all Linux CLOSED FIXED P2 critical --- 1 nbr legion icesik ldv legion manowar vsu qa-sisyphus oldest_to_newest 59478 0 nbr 2007-12-13 20:49:21 +0300 When libgcrypt is linked with libcaps it uses capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0 mlock(0xb7f44000, 16384) = 0 capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0 calls to drop privilegies to create secure storage. In vpnc it results to dropping CAP_NET_BIND privilege,thus vpnc cannot bind to privileged port 500, which it needs for normal operation. Strace is attached [root@ibmtest ~]# strace -ff vpnc execve("/usr/sbin/vpnc", ["vpnc"], [/* 42 vars */]) = 0 brk(0) = 0x9c64000 uname({sys="Linux", node="ibmtest", ...}) = 0 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/opt/oracle/product/10.2.0/db_1/lib/tls/i686/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/opt/oracle/product/10.2.0/db_1/lib/tls/i686", 0xbf871800) = -1 ENOENT (No such file or directory) open("/opt/oracle/product/10.2.0/db_1/lib/tls/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/opt/oracle/product/10.2.0/db_1/lib/tls", 0xbf871800) = -1 ENOENT (No such file or directory) open("/opt/oracle/product/10.2.0/db_1/lib/i686/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/opt/oracle/product/10.2.0/db_1/lib/i686", 0xbf871800) = -1 ENOENT (No such file or directory) open("/opt/oracle/product/10.2.0/db_1/lib/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/opt/oracle/product/10.2.0/db_1/lib", 0xbf871800) = -1 ENOENT (No such file or directory) open("tls/i686/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) open("tls/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) open("libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=160068, ...}) = 0 mmap2(NULL, 160068, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f20000 close(3) = 0 open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260I\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=458956, ...}) = 0 mmap2(NULL, 462656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x8c3000 mmap2(0x931000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6d) = 0x931000 close(3) = 0 open("tls/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("tls/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240a\1\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1192444, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1f000 mmap2(NULL, 1198340, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x110000 mmap2(0x22f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11f) = 0x22f000 mmap2(0x232000, 10500, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x232000 close(3) = 0 open("tls/i686/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory) open("tls/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory) open("libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/lib/libgpg-error.so.0", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\6\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=11356, ...}) = 0 mmap2(NULL, 14308, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x711000 mmap2(0x714000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x714000 close(3) = 0 open("tls/i686/libcap.so.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("tls/libcap.so.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libcap.so.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("libcap.so.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/libcap.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\10\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=9816, ...}) = 0 mmap2(NULL, 9424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x235000 mmap2(0x237000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x237000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1e000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f1e6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0x22f000, 4096, PROT_READ) = 0 munmap(0xb7f20000, 160068) = 0 brk(0) = 0x9c64000 brk(0x9c85000) = 0x9c85000 mmap2(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f44000 capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0 mlock(0xb7f44000, 16384) = 0 capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0 open("/etc/vpnc/default.conf", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0600, st_size=86, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f43000 read(3, "IPSec gateway 131.246.118.240\nIP"..., 4096) = 86 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7f43000, 4096) = 0 open("/etc/vpnc.conf", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/vpnc.conf.conf", O_RDONLY) = -1 ENOENT (No such file or directory) uname({sys="Linux", node="ibmtest", ...}) = 0 fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 2), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f43000 write(1, "Enter password for abcdef@131.24"..., 43Enter password for abcdef@131.246.118.240: ) = 43 open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(3, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost -isig icanon -echo ...}) = 0 fstat64(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig icanon -echo ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f42000 read(3, "\n", 4096) = 1 write(3, "\n", 1 ) = 1 ioctl(3, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0 close(3) = 0 munmap(0xb7f42000, 4096) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(500), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) write(2, "vpnc: ", 6vpnc: ) = 6 write(2, "binding to 0.0.0.0:62465", 24binding to 0.0.0.0:62465) = 24 write(2, ": Permission denied", 19: Permission denied) = 19 write(2, "\n", 1 ) = 1 exit_group(1) = ? Process 14452 detached Steps to Reproduce: 1.vpnc 2.Enter 3. Actual Results: [root@ibmtest ~]# vpnc Enter password for abcdef@131.246.118.240: vpnc: binding to 0.0.0.0:62465: Permission denied Expected Results: Attempt to connect 59541 1 zerg 2007-12-14 16:32:51 +0300 2 icesik Возможно ли забиндиться до дропа? 59543 2 vsu 2007-12-14 16:54:17 +0300 Кстати, ещё в libgcrypt, собранной с libcap, не выполняется setuid(getuid()) при инициализации, как это происходит при сборке без libcap. Вообще в каких-то дистрибутивах libgcrypt собирают таким образом? Создаётся впечатление, что этот вариант никем не тестировался. 59549 3 zerg 2007-12-14 17:09:33 +0300 А какой libgcrypt вообще? 59553 4 zerg 2007-12-14 17:46:24 +0300 (In reply to comment #2) > Создаётся впечатление, что этот вариант никем не тестировался. Да, в MDK и FC не собирают с libcap Ок, соберу без libcap, но тогда disable_secmem = 1; 59554 5 vsu 2007-12-14 17:57:22 +0300 Почему сразу disable? Уже довольно давно по умолчанию у обычных пользователей max locked memory (kbytes, -l) 32 59561 6 zerg 2007-12-14 18:50:05 +0300 2 ldv Как смортишь на перекладывание libgcrypt-1.4.0 ? До этого в сизифе лежал 1.3 нестабильный, в бранче сейчас 1.2 59570 7 nbr 2007-12-14 20:48:46 +0300 (In reply to comment #6) > 2 ldv > Как смортишь на перекладывание libgcrypt-1.4.0 ? > До этого в сизифе лежал 1.3 нестабильный, в бранче сейчас 1.2 Этот баг как раз в libgcrypt-1.4.0 c libcap. Вы его собираетесь закрывать? 59620 8 icesik 2007-12-16 04:03:13 +0300 (In reply to comment #1) > 2 icesik > Возможно ли забиндиться до дропа? Понятия не имею. И у меня сейчас нет доступа к cisco что бы тестировать. Хотя, я попробую достать кошку на пару дней и попробовать потестировать. 59647 9 zerg 2007-12-17 14:17:34 +0300 (In reply to comment #7) > Этот баг как раз в libgcrypt-1.4.0 c libcap. А чего молчали? Я ж спрашивал. > Вы его собираетесь закрывать? Да, libgcrypt-1.4.0-alt2