1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/lib
Stefan Metzmacher 66e90b7391 nsswitch: reduce dependecies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
..
addns build: Consolidate --with-dnsupdate with --with-ads (which implied HAVE_KRB5) 2021-03-26 04:06:41 +00:00
afs s3:param: make "servicename" a substituted option 2019-11-27 10:25:37 +00:00
async_req lib: Use FIONREAD in wait_for_read_send/recv 2021-03-16 17:09:31 +00:00
audit_logging audit_logging.c: fix compilation on macOS 2021-10-13 01:42:35 +00:00
cmdline cmdline: Make -P work in clustered mode 2021-11-17 18:29:09 +00:00
compression lzxpress: avoid technically undefined shift 2020-08-31 22:31:13 +00:00
crypto lib:crypto: Add py binding for set_relax/strict fips mode 2020-10-29 14:19:36 +00:00
dbwrap lib/dbwrap: reset deleted record to tdb_null 2021-11-04 19:49:47 +00:00
fuzzing lib:fuzzing: Fix quoting of --fuzz-target-ldflags 2021-10-04 11:36:06 +00:00
krb5_wrap lib/krb5_wrap: Fix missing error check in new salt code 2021-10-23 08:07:13 +00:00
ldb CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing 2021-11-25 01:41:30 +00:00
ldb-samba ldb-samba: dns tombstone matching: constrict value length 2021-07-05 04:16:34 +00:00
messaging messaging: Fix receiving file descriptors 2021-03-19 08:18:26 +00:00
mscat lib;smbd: Fix the -Os build by initializing variables 2021-08-06 17:22:30 +00:00
param CVE-2020-25717: Add FreeIPA domain controller role 2021-11-09 19:45:33 +00:00
printer_driver printing: Align integer types 2021-04-01 19:32:36 +00:00
pthreadpool build: Do not build selftest binaries for builds without --enable-selftest 2019-11-22 11:48:59 +00:00
replace nsswitch: reduce dependecies to private libraries and link static/builtin if possible 2021-11-30 15:53:34 +00:00
smbconf waf: add library dependency for sendfile on Solaris 2019-02-17 13:33:15 +01:00
socket lib/socket: autodetect RSS using ETHTOOL_GRXRINGS 2020-05-07 14:44:40 +00:00
talloc nsswitch: reduce dependecies to private libraries and link static/builtin if possible 2021-11-30 15:53:34 +00:00
tdb Fix Python docstrings 2021-09-04 00:55:32 +00:00
tdb_wrap lib: Open tdb files with O_CLOEXEC 2021-06-04 16:47:34 +00:00
tdr lib: Fix 1354521 Unchecked return value 2016-03-01 21:49:44 +01:00
tevent Fix Python docstrings 2021-09-04 00:55:32 +00:00
texpect texpect: don't ignore unknown options 2021-09-10 15:10:30 +00:00
torture lib/torture: fix subunit names of nested suites 2020-07-07 10:30:40 +00:00
tsocket selftest: test tsocket_address_inet_from_hostport_strings 2021-09-28 10:34:12 +00:00
util nsswitch: reduce dependecies to private libraries and link static/builtin if possible 2021-11-30 15:53:34 +00:00
README various: Remove references to about to be deleted thirdparty/dnspython 2018-12-11 20:07:18 +01:00
wscript_build Remove 'external' python module support code - use the third_party directory instead. 2015-03-06 04:41:48 +01:00

compression - Various compression algorithms (MSZIP, lzxpress)
popt - Command-line option parsing library
replace - Provides replacements for standard (POSIX, C99) functions 
          not provided by the host platform.
subunit - Utilities and bindings for working with the Subunit test result 
          reporting protocol.
talloc - Hierarchical pool based memory allocator 
tdb - Simple but fast key/value database library, supporting multiple writers
torture - Simple unit testing helper library