Bug 13693 - Linking libgcrypt with libcap results in non-working vpnc
: Linking libgcrypt with libcap results in non-working vpnc
Status: CLOSED FIXED
: Sisyphus
(All bugs in Sisyphus/libgcrypt)
: unstable
: all Linux
: P2 critical
Assigned To:
:
:
:
:
:
  Show dependency tree
 
Reported: 2007-12-13 20:49 by
Modified: 2008-07-21 12:37 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2007-12-13 20:49:21
When libgcrypt is linked with libcaps it uses
 capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0
mlock(0xb7f44000, 16384)                = 0
capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0
calls to drop privilegies to create secure storage.
In vpnc it results to dropping CAP_NET_BIND privilege,thus
vpnc cannot bind to privileged port 500, which it needs for normal operation.
Strace is attached


[root@ibmtest ~]# strace -ff vpnc
execve("/usr/sbin/vpnc", ["vpnc"], [/* 42 vars */]) = 0
brk(0)                                  = 0x9c64000
uname({sys="Linux", node="ibmtest", ...}) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/opt/oracle/product/10.2.0/db_1/lib/tls/i686/libgcrypt.so.11", O_RDONLY) =
-1 ENOENT (No such file or directory)
stat64("/opt/oracle/product/10.2.0/db_1/lib/tls/i686", 0xbf871800) = -1 ENOENT
(No such file or directory)
open("/opt/oracle/product/10.2.0/db_1/lib/tls/libgcrypt.so.11", O_RDONLY) = -1
ENOENT (No such file or directory)
stat64("/opt/oracle/product/10.2.0/db_1/lib/tls", 0xbf871800) = -1 ENOENT (No
such file or directory)
open("/opt/oracle/product/10.2.0/db_1/lib/i686/libgcrypt.so.11", O_RDONLY) = -1
ENOENT (No such file or directory)
stat64("/opt/oracle/product/10.2.0/db_1/lib/i686", 0xbf871800) = -1 ENOENT (No
such file or directory)
open("/opt/oracle/product/10.2.0/db_1/lib/libgcrypt.so.11", O_RDONLY) = -1
ENOENT (No such file or directory)
stat64("/opt/oracle/product/10.2.0/db_1/lib", 0xbf871800) = -1 ENOENT (No such
file or directory)
open("tls/i686/libgcrypt.so.11", O_RDONLY) = -1 ENOENT (No such file or directory)
open("tls/libgcrypt.so.11", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("i686/libgcrypt.so.11", O_RDONLY)  = -1 ENOENT (No such file or directory)
open("libgcrypt.so.11", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=160068, ...}) = 0
mmap2(NULL, 160068, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f20000
close(3)                                = 0
open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260I\0\0004\0\0\0"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=458956, ...}) = 0
mmap2(NULL, 462656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x8c3000
mmap2(0x931000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6d) = 0x931000
close(3)                                = 0
open("tls/i686/libc.so.6", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("tls/libc.so.6", O_RDONLY)         = -1 ENOENT (No such file or directory)
open("i686/libc.so.6", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("libc.so.6", O_RDONLY)             = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240a\1\0004\0\0\0"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1192444, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f1f000
mmap2(NULL, 1198340, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x110000
mmap2(0x22f000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11f) = 0x22f000
mmap2(0x232000, 10500, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x232000
close(3)                                = 0
open("tls/i686/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("tls/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("i686/libgpg-error.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("libgpg-error.so.0", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/usr/lib/libgpg-error.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\6\0\0004\0\0\0"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=11356, ...}) = 0
mmap2(NULL, 14308, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x711000
mmap2(0x714000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,
3, 0x2) = 0x714000
close(3)                                = 0
open("tls/i686/libcap.so.1", O_RDONLY)  = -1 ENOENT (No such file or directory)
open("tls/libcap.so.1", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("i686/libcap.so.1", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("libcap.so.1", O_RDONLY)           = -1 ENOENT (No such file or directory)
open("/lib/libcap.so.1", O_RDONLY)      = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\10\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9816, ...}) = 0
mmap2(NULL, 9424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x235000
mmap2(0x237000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,
3, 0x2) = 0x237000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f1e000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f1e6c0, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,
useable:1}) = 0
mprotect(0x22f000, 4096, PROT_READ)     = 0
munmap(0xb7f20000, 160068)              = 0
brk(0)                                  = 0x9c64000
brk(0x9c85000)                          = 0x9c85000
mmap2(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f44000
capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0
mlock(0xb7f44000, 16384)                = 0
capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0
open("/etc/vpnc/default.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0600, st_size=86, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f43000
read(3, "IPSec gateway 131.246.118.240\nIP"..., 4096) = 86
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f43000, 4096)                = 0
open("/etc/vpnc.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)
open("/etc/vpnc.conf.conf", O_RDONLY)   = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="ibmtest", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f43000
write(1, "Enter password for abcdef@131.24"..., 43Enter password for
abcdef@131.246.118.240: ) = 43
open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost -isig icanon -echo ...}) = 0
fstat64(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig icanon -echo ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7f42000
read(3, "\n", 4096)                     = 1
write(3, "\n", 1
)                       = 1
ioctl(3, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
close(3)                                = 0
munmap(0xb7f42000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(500), sin_addr=inet_addr("0.0.0.0")},
16) = -1 EACCES (Permission denied)
write(2, "vpnc: ", 6vpnc: )                   = 6
write(2, "binding to 0.0.0.0:62465", 24binding to 0.0.0.0:62465) = 24
write(2, ": Permission denied", 19: Permission denied)     = 19
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?
Process 14452 detached

Steps to Reproduce:
1.vpnc
2.Enter
3.
Actual Results:  
[root@ibmtest ~]# vpnc
Enter password for abcdef@131.246.118.240:
vpnc: binding to 0.0.0.0:62465: Permission denied


Expected Results:  
Attempt to connect
------- Comment #1 From 2007-12-14 16:32:51 -------
2 icesik
Возможно ли забиндиться до дропа?
------- Comment #2 From 2007-12-14 16:54:17 -------
Кстати, ещё в libgcrypt, собранной с libcap, не выполняется setuid(getuid())
при
инициализации, как это происходит при сборке без libcap.

Вообще в каких-то дистрибутивах libgcrypt собирают таким образом?  Создаётся
впечатление, что этот вариант никем не тестировался.
------- Comment #3 From 2007-12-14 17:09:33 -------
А какой libgcrypt вообще?
------- Comment #4 From 2007-12-14 17:46:24 -------
(In reply to comment #2)
> Создаётся впечатление, что этот вариант никем не тестировался.
Да, в MDK и FC не собирают с libcap
Ок, соберу без libcap, но тогда disable_secmem = 1;
------- Comment #5 From 2007-12-14 17:57:22 -------
Почему сразу disable? Уже довольно давно по умолчанию у обычных пользователей

max locked memory       (kbytes, -l) 32
------- Comment #6 From 2007-12-14 18:50:05 -------
2 ldv
Как смортишь на перекладывание libgcrypt-1.4.0 ?
До этого в сизифе лежал 1.3 нестабильный, в бранче сейчас 1.2
------- Comment #7 From 2007-12-14 20:48:46 -------
(In reply to comment #6)
> 2 ldv
> Как смортишь на перекладывание libgcrypt-1.4.0 ?
> До этого в сизифе лежал 1.3 нестабильный, в бранче сейчас 1.2

Этот баг как раз в libgcrypt-1.4.0 c libcap.
Вы его собираетесь закрывать?
------- Comment #8 From 2007-12-16 04:03:13 -------
(In reply to comment #1)
> 2 icesik
> Возможно ли забиндиться до дропа?

Понятия не имею. И у меня сейчас нет доступа к cisco что бы тестировать. Хотя, я
попробую достать кошку на пару дней и попробовать потестировать.
------- Comment #9 From 2007-12-17 14:17:34 -------
(In reply to comment #7)
> Этот баг как раз в libgcrypt-1.4.0 c libcap.
А чего молчали? Я ж спрашивал.

> Вы его собираетесь закрывать?
Да, libgcrypt-1.4.0-alt2