group.of.nepali.translators team mailing list archive
Message #08385
[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
** Also affects: samba (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Yakkety)
Importance: High
Assignee: Jorge Niedbalski (niedbalski)
Status: In Progress
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
In Progress
Status in samba source package in Precise:
New
Status in samba source package in Trusty:
New
Status in samba source package in Xenial:
New
Status in samba source package in Yakkety:
In Progress
Bug description:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version difference between winbind and libraries.
[Test Case]
1) Start an Ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(especially if used before the compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
latest version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
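
A pre-upgrade check for the condition and workaround described in the report, as an added example that is not part of the bug report or of the Ubuntu packaging. The function names, the result labels and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper names): inspect nsswitch.conf for winbind
# before a samba upgrade, and print the file with winbind removed.

# check_nss_winbind FILE
# Prints "<database> winbind-after-compat" or "<database> winbind-without-compat-first"
# for every database that lists winbind. Returns 1 if any does, else 0.
check_nss_winbind() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            sub(/#.*/, "")                  # drop a trailing comment
            if ($1 !~ /:$/) next            # not a "database:" line
            db = $1; sub(/:$/, "", db)
            w = 0; c = 0                    # field index of winbind / compat
            for (i = 2; i <= NF; i++) {
                if ($i == "winbind" && !w) w = i
                if ($i == "compat" && !c) c = i
            }
            if (w) {
                found = 1
                print db, ((c && c < w) ? "winbind-after-compat" : "winbind-without-compat-first")
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# strip_nss_winbind FILE
# Prints FILE with the winbind service removed from every database line
# (the workaround); comment lines and trailing comments are kept.
strip_nss_winbind() {
    awk '
        /^[ \t]*[a-z_]+:/ {
            out = $1; keep = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) keep = 1     # trailing comment: copy as is
                if (keep || $i != "winbind") out = out " " $i
            }
            print out; next
        }
        { print }
    ' "$1"
}

# Constructed sample (not taken from a real host).
sample=$(mktemp)
printf '%s\n' 'passwd: winbind compat' 'shadow: compat' 'group: compat winbind' > "$sample"
check_nss_winbind "$sample" || echo "winbind is an NSS service: apply the workaround before upgrading samba"
strip_nss_winbind "$sample"
rm -f "$sample"
```

The check covers only nsswitch.conf; the PAM side the report mentions (pam-auth-update) is not inspected. Review the stripped output before installing it, in particular any database line left with no services.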