** Description changed: [Impact] The python3 rlm module cannot be loaded. [Test Plan] # pull the necessary attachments wget https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1873923/+attachment/5580525/+files/ubuntu_example.py https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1873923/+attachment/5580526/+files/python3 # install freeradius-python3 sudo apt update sudo apt install freeradius-python3 # enable python3 for auth (this command is one line) sudo sed -i -r '/^#[[:blank:]]*auth_log/a python3' /etc/freeradius/3.0/sites-available/default # copy python example sudo cp ubuntu_example.py /etc/freeradius/3.0/mods-config/python3/ # copy python3 config sudo cp python3 /etc/freeradius/3.0/mods-available/python3 # enable the python3 module sudo ln -s /etc/freeradius/3.0/mods-available/python3 /etc/freeradius/3.0/mods-enabled/ # restart freeradius. Restart will fail without the fixed package installed sudo systemctl restart freeradius Error in journal when the fix is not installed: Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Python version: 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0] Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Libpython is not found among linked libraries Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Failed loading libpython symbols into global symbol table Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: *** example.py instantiate *** and Apr 13 20:55:31 f-freeradius-1873923 freeradius[6165]: *** example.py detach *** Apr 13 20:55:31 f-freeradius-1873923 systemd[1]: freeradius.service: Control process exited, code=dumped, status=11/SEGV # Install the fixed packages from proposed # Test authentication with the python3 script we installed. # This script will accept the ubuntu user with any password, and reject # any other user, regardless of the password $ radtest ubuntu anypass 127.0.0.1 0 testing123 Sent Access-Request Id 59 from 0.0.0.0:33632 to 127.0.0.1:1812 length 76 User-Name = "ubuntu" User-Password = "anypass" NAS-IP-Address = 10.0.100.53 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "anypass" Received Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33632 length 35 Reply-Message = "Hello ubuntu!" $ radtest anotheruser neverworks 127.0.0.1 0 testing123 Sent Access-Request Id 14 from 0.0.0.0:34461 to 127.0.0.1:1812 length 81 User-Name = "anotheruser" User-Password = "neverworks" NAS-IP-Address = 10.0.100.53 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "neverworks" Received Access-Reject Id 14 from 127.0.0.1:1812 to 127.0.0.1:34461 length 41 Reply-Message = "You are not ubuntu!" (0) -: Expected Access-Accept got Access-Reject [Where problems could occur] + I don't know how complex the python3 scripts run by rlm_python3 can be. Maybe if there are complex imports or other interactions, it could show this fix to be incomplete, as there were other upstream fixes for rlm_python3 that landed in 3.0.21 and later. I checked the 3.0.21 ones (https://github.com/FreeRADIUS/freeradius-server/issues/3193#issuecomment-564142712), and believe I have the correct set of minimal fixes. In any case, this upload is an improvement already, because before one could not even load rlm_python3. And if you tried to use it really, it would segfault. - * Think about what the upload changes in the software. Imagine the change is - wrong or breaks something else: how would this show up? + That being said, freeradius is a gatekeeper. Authentication and + authorization is a big deal, and if this update introduces a bug, it + could manifest itself either by allowing something it shouldn't, or not + allowing anything. - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. + These modules deep inside src/modules have their own autoconf scripts, + and they don't get regenerated by the build process from the respective + source files (configure.ac and others). At this time I didn't have to + patch them, but, as can be seen in the jammy upload, I had to patch + configure directly (and not configure.ac) because of fear of introducing + a regression, since those deep configure scripts are NOT regenerated by + the debian packaging builds: just the top level one is regenerated, at + the root of the source tree, and who knows when was the last time all + those configure scripts were generated. And jammy has an updated + autoconf (2.71), which broke other packages. In any case, this concern + does not apply to this particular focal update, but might in the future. - * This must '''never''' be "None" or "Low", or entirely an argument as to why - your upload is low risk. - - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. [Other Info] This SRU has two patches. One is the actual fix, which fixes the name of the python library that freeradius attempts to load. The other fix is to not try to instantiate the python3 module if the instantiate and detach methods are not defined, which would trigger a failure with the simple reproducer from comment #1. I added a DEP8 test to the focal package that doesn't exist in any other release at this time. As soon as Ubuntu K opens up, I'll update the freeradius package there as well with this test. [Original Description] I created a git repo with the reproduction: https://github.com/gergelykalman/freeradius-python3-bug Package version: Version: 3.0.20+dfsg-3build1 The error message: ----------------------- Mon Apr 20 17:12:57 2020 : Debug: rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no Mon Apr 20 17:12:57 2020 : Debug: # Instantiating module "python3" from file /etc/freeradius/3.0/mods-enabled/python3 Mon Apr 20 17:12:57 2020 : Info: Python version: 3.8.2 (default, Mar 13 2020, 10:14:16) [GCC 9.3.0] Mon Apr 20 17:12:57 2020 : Warning: Libpython is not found among linked libraries Mon Apr 20 17:12:57 2020 : Warning: Failed loading libpython symbols into global symbol table Mon Apr 20 17:12:57 2020 : Error: do_python_single:568, instantiate - pRet is NULL Mon Apr 20 17:12:57 2020 : Error: python_error_log:200, Exception type: <class 'SystemError'>, Exception value: null argument to internal routine Mon Apr 20 17:12:57 2020 : Error: do_python_single:676, instantiate - RLM_MODULE_FAIL -----------------------
** Description changed: [Impact] The python3 rlm module cannot be loaded. [Test Plan] # pull the necessary attachments wget https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1873923/+attachment/5580525/+files/ubuntu_example.py https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1873923/+attachment/5580526/+files/python3 # install freeradius-python3 sudo apt update sudo apt install freeradius-python3 # enable python3 for auth (this command is one line) sudo sed -i -r '/^#[[:blank:]]*auth_log/a python3' /etc/freeradius/3.0/sites-available/default # copy python example sudo cp ubuntu_example.py /etc/freeradius/3.0/mods-config/python3/ # copy python3 config sudo cp python3 /etc/freeradius/3.0/mods-available/python3 # enable the python3 module sudo ln -s /etc/freeradius/3.0/mods-available/python3 /etc/freeradius/3.0/mods-enabled/ # restart freeradius. Restart will fail without the fixed package installed sudo systemctl restart freeradius Error in journal when the fix is not installed: Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Python version: 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0] Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Libpython is not found among linked libraries Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: Failed loading libpython symbols into global symbol table Apr 13 20:54:03 f-freeradius-1873923 freeradius[5998]: *** example.py instantiate *** and Apr 13 20:55:31 f-freeradius-1873923 freeradius[6165]: *** example.py detach *** Apr 13 20:55:31 f-freeradius-1873923 systemd[1]: freeradius.service: Control process exited, code=dumped, status=11/SEGV # Install the fixed packages from proposed # Test authentication with the python3 script we installed. # This script will accept the ubuntu user with any password, and reject # any other user, regardless of the password $ radtest ubuntu anypass 127.0.0.1 0 testing123 Sent Access-Request Id 59 from 0.0.0.0:33632 to 127.0.0.1:1812 length 76 User-Name = "ubuntu" User-Password = "anypass" NAS-IP-Address = 10.0.100.53 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "anypass" Received Access-Accept Id 59 from 127.0.0.1:1812 to 127.0.0.1:33632 length 35 Reply-Message = "Hello ubuntu!" $ radtest anotheruser neverworks 127.0.0.1 0 testing123 Sent Access-Request Id 14 from 0.0.0.0:34461 to 127.0.0.1:1812 length 81 User-Name = "anotheruser" User-Password = "neverworks" NAS-IP-Address = 10.0.100.53 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "neverworks" Received Access-Reject Id 14 from 127.0.0.1:1812 to 127.0.0.1:34461 length 41 Reply-Message = "You are not ubuntu!" (0) -: Expected Access-Accept got Access-Reject [Where problems could occur] I don't know how complex the python3 scripts run by rlm_python3 can be. Maybe if there are complex imports or other interactions, it could show this fix to be incomplete, as there were other upstream fixes for rlm_python3 that landed in 3.0.21 and later. I checked the 3.0.21 ones (https://github.com/FreeRADIUS/freeradius-server/issues/3193#issuecomment-564142712), and believe I have the correct set of minimal fixes. In any case, this upload is an improvement already, because before one could not even load rlm_python3. And if you tried to use it really, it would segfault. That being said, freeradius is a gatekeeper. Authentication and authorization is a big deal, and if this update introduces a bug, it could manifest itself either by allowing something it shouldn't, or not - allowing anything. + allowing anything. Given the patches, this will be restricted to the + python3 module, which couldn't be loaded anyway. These modules deep inside src/modules have their own autoconf scripts, and they don't get regenerated by the build process from the respective source files (configure.ac and others). At this time I didn't have to patch them, but, as can be seen in the jammy upload, I had to patch configure directly (and not configure.ac) because of fear of introducing a regression, since those deep configure scripts are NOT regenerated by the debian packaging builds: just the top level one is regenerated, at the root of the source tree, and who knows when was the last time all those configure scripts were generated. And jammy has an updated autoconf (2.71), which broke other packages. In any case, this concern does not apply to this particular focal update, but might in the future. - [Other Info] This SRU has two patches. One is the actual fix, which fixes the name of the python library that freeradius attempts to load. The other fix is to not try to instantiate the python3 module if the instantiate and detach methods are not defined, which would trigger a failure with the simple reproducer from comment #1. I added a DEP8 test to the focal package that doesn't exist in any other release at this time. As soon as Ubuntu K opens up, I'll update the freeradius package there as well with this test. [Original Description] I created a git repo with the reproduction: https://github.com/gergelykalman/freeradius-python3-bug Package version: Version: 3.0.20+dfsg-3build1 The error message: ----------------------- Mon Apr 20 17:12:57 2020 : Debug: rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no Mon Apr 20 17:12:57 2020 : Debug: # Instantiating module "python3" from file /etc/freeradius/3.0/mods-enabled/python3 Mon Apr 20 17:12:57 2020 : Info: Python version: 3.8.2 (default, Mar 13 2020, 10:14:16) [GCC 9.3.0] Mon Apr 20 17:12:57 2020 : Warning: Libpython is not found among linked libraries Mon Apr 20 17:12:57 2020 : Warning: Failed loading libpython symbols into global symbol table Mon Apr 20 17:12:57 2020 : Error: do_python_single:568, instantiate - pRet is NULL Mon Apr 20 17:12:57 2020 : Error: python_error_log:200, Exception type: <class 'SystemError'>, Exception value: null argument to internal routine Mon Apr 20 17:12:57 2020 : Error: do_python_single:676, instantiate - RLM_MODULE_FAIL ----------------------- -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1873923 Title: freeradius with freeradius-python3 fails to start out of the box To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1873923/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
