
Provide NSS modules globally, make nscd unnecessary (v2) #1

Closed
wants to merge 5 commits into from

erikarvstedt (Owner) commented Jan 15, 2022

This is a follow-up to NixOS#138178 which fixes the binary incompatibilities of the original PR.

This PR allows glibc client binaries to access NSS modules configured via system.nssModules without nscd.
nscd has significant caching bugs and causes friction in general (NixOS#95107, NixOS#154928).
For details about nscd bugs, see the issue “DNS responses are cached” and the Fedora nscd deprecation notes.

Some services set LD_LIBRARY_PATH to allow running them without nscd. These workarounds are now obsolete and are removed by this PR.

Implementation

Provide global NSS modules at `/run/nss-modules-${word_size}-${glibc_version}/lib` (e.g. `/run/nss-modules-64-2.34/lib`) and patch glibc to use this path.
The versioning suffix ensures that only binary compatible glibc client binaries will use this path.

Repo erikarvstedt/check-glibc-compatibilities shows that different NSS modules and glibc clients are compatible with each other, as long as they share the same minor glibc release (e.g. 2.34).

Because the patched code region is never inlined, the patch affects all binaries that dynamically link glibc. This includes binaries prebuilt with a non-nixpkgs libc that are processed with patchelf (like slack).

Todo

  • nscd is still enabled to provide backwards compatibility for older binaries and 32-bit binaries on 64-bit hosts.
    In light of its defects and lack of maintenance, it might be sensible to disable nscd by default.
    Note: unscd is no replacement for nscd because it doesn't implement all nsswitch functions (src thread).
  • We'll add release notes for this PR as soon as it reaches community consensus.
  • To support 32-bit binaries on 64-bit hosts without nscd, we could add options analogous to opengl.driSupport32Bit and opengl.extraPackages32. As a minimum, systemd NSS modules should be provided. This can be addressed in another PR.

Appendix

Fixes: NixOS#135888
Fixes: NixOS#105353
Cc: #52411 (comment)

This was long suggested in NixOS#55276.
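As an added illustration (example code, not part of this PR or of nixpkgs): a small Python diagnostic that builds the versioned directory described under "Implementation" and reports which sources named in an `nsswitch.conf` would resolve to a `libnss_<name>.so.2` inside it. The `/run`-like tree, the sample `nsswitch.conf` and the empty placeholder `.so` files are constructed for the demo; the `libnss_<name>.so.2` naming is the standard glibc NSS module naming. Running it for a 32-bit client against a host that only provides the 64-bit directory shows the gap noted in the Todo list.

```python
from __future__ import annotations

import os
import re
import shutil
import tempfile

# Bracketed status/action specs such as "[NOTFOUND=return]" or "[ !UNAVAIL=return ]".
_ACTION_RE = re.compile(r"\[[^\]]*\]")


def nss_module_dir(word_size: int, glibc_version: str, root: str = "/run") -> str:
    """Versioned global module directory from the PR description:
    <root>/nss-modules-<word_size>-<glibc_major.minor>/lib
    """
    if word_size not in (32, 64):
        raise ValueError(f"unsupported word size: {word_size}")
    if not re.fullmatch(r"\d+\.\d+", glibc_version):
        raise ValueError("expected a major.minor glibc release such as 2.34")
    return os.path.join(root, f"nss-modules-{word_size}-{glibc_version}", "lib")


def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each nsswitch.conf database to its ordered list of source (module) names.
    Comments and bracketed status/action specs are dropped."""
    databases: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        databases[db.strip()] = _ACTION_RE.sub(" ", sources).split()
    return databases


def resolve_modules(databases: dict[str, list[str]], module_dir: str) -> dict[str, str | None]:
    """For every source named in nsswitch.conf, return the path of libnss_<source>.so.2
    under module_dir if it exists there, else None (glibc then treats that source as
    unavailable for the lookup and moves on to the next one)."""
    resolved: dict[str, str | None] = {}
    for sources in databases.values():
        for source in sources:
            candidate = os.path.join(module_dir, f"libnss_{source}.so.2")
            resolved[source] = candidate if os.path.isfile(candidate) else None
    return resolved


# Constructed sample; not a real /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
passwd:    files systemd
group:     files [SUCCESS=merge] systemd
hosts:     mymachines files myhostname dns
"""


def demo() -> tuple[dict[str, str | None], dict[str, str | None]]:
    """Build a constructed /run-like tree whose 64-bit glibc 2.34 directory holds only
    libnss_files and libnss_systemd, then resolve the sample nsswitch.conf once for a
    64-bit client and once for a 32-bit client (for which no directory is provided)."""
    root = tempfile.mkdtemp(prefix="nss-demo-")
    try:
        lib64 = nss_module_dir(64, "2.34", root)
        os.makedirs(lib64)
        for name in ("files", "systemd"):
            # Empty placeholder standing in for the real shared object.
            open(os.path.join(lib64, f"libnss_{name}.so.2"), "w").close()
        databases = parse_nsswitch(SAMPLE_NSSWITCH)
        return (
            resolve_modules(databases, lib64),
            resolve_modules(databases, nss_module_dir(32, "2.34", root)),
        )
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, result in zip(("64-bit client", "32-bit client"), demo()):
        missing = sorted(s for s, p in result.items() if p is None)
        print(f"{label}: missing NSS modules: {missing or 'none'}")
```

The check treats every source uniformly; in glibc 2.34 and later the `files` and `dns` sources are built into libc itself, so a missing `libnss_files.so.2` in the directory is not a defect for those clients, while a missing `libnss_systemd.so.2` or `libnss_mymachines.so.2` means the corresponding lookups silently fall back to the remaining sources.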

@erikarvstedt erikarvstedt changed the base branch from staging to master January 18, 2022 02:25
@erikarvstedt erikarvstedt changed the base branch from master to staging January 18, 2022 02:25
flokli and others added 2 commits January 19, 2022 13:05
…stem.nssModules.path

This makes this point to a single folder, not a colon-separated list of
directories, which makes it much easier to symlink to it (what the
next commit does).

This makes overriding *already existing* NSS modules harder, as we can't
just prepend to the list, but it's probably a good idea to explicitly
handle this, instead of silently shadowing - plus, I'm not aware of
anything in nixpkgs actually overwriting existing NSS modules.
@erikarvstedt erikarvstedt changed the base branch from staging to master January 19, 2022 12:51
@erikarvstedt erikarvstedt changed the base branch from master to staging January 19, 2022 12:51
NSS modules are now globally provided by a symlink in `/run`.

See the description in `add-extra-module-load-path.patch` for further details.

Fixes: NixOS#55276
Fixes: NixOS#135888
Fixes: NixOS#105353
Cc:    NixOS#52411 (comment)

Co-authored-by: Erik Arvstedt <[email protected]>
@erikarvstedt erikarvstedt force-pushed the nss-modules-path branch 3 times, most recently from fedf72c to c6e5c0a January 19, 2022 14:19
erikarvstedt pushed a commit that referenced this pull request Feb 4, 2022
The test failed with

> Test "test5 user should not be able to run commands under root" failed with
> error: "invalid literal for int() with base 10: ''"

since 2492da8.

The reason for this is that `sudo(8)` writes the lecture to the
tty[1] and only as a fallback to stdout[2]. This means that the
`base64 --wrap 0` executed by `machine.execute()` doesn't affect the
text written to the terminal, however the lecture is part of the string
that's read from the VM via `shell.recv()`.

I confirmed the problem in an interactive test session[3]:

    >>> command = "sudo -u test5 sudo -n -u root true"
    >>> out_command = f"( set -euo pipefail; {command} ) | (base64 --wrap 0; echo)\n"
    >>> machine.shell.send(out_command.encode())
    84

    >>> machine # [   99.015512] sudo[877]:     root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true
    machine # [   99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0)
    machine # [   99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed
    machine # sudo: a password is required
    machine # [   99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5]
    machine # [   99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5
    >>>
    >>> x=machine._next_newline_closed_block_from_shell()
    >>> print(x)
    <newline>
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    <newline>
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    <newline>
    <newline>
    <newline>
    >>>

Since the lecture isn't strictly necessary to confirm that
`security.sudo` works as expected, I decided to disable lecturing
inside the test, however we may want to fix the underlying problem in
the test-driver at some point.

[1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283
[2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120
[3] I replaced each empty line with `<newline>` to make sure these
    aren't swallowed by git.
erikarvstedt pushed a commit that referenced this pull request Jan 5, 2023
Without this change it segfaults when trying to play any media:

  $ jellyfinmediaplayer
  Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
  libpng warning: iCCP: known incorrect sRGB profile
  Logging to /home/bf/.local/share/jellyfinmediaplayer/logs/jellyfinmediaplayer.log
  Cannot load libcuda.so.1
  Segmentation fault (core dumped)

The backtrace shows pipewire being at fault:

  $ coredumpctl debug
  [...]
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x00007f711428c9bb in core_event_demarshal_remove_id () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/pipewire-0.3/libpipewire-module-protocol-native.so
  [Current thread is 1 (Thread 0x7f6ffdc87640 (LWP 1360949))]
  (gdb) bt
  #0  0x00007f711428c9bb in core_event_demarshal_remove_id () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/pipewire-0.3/libpipewire-module-protocol-native.so
  #1  0x00007f711428886c in process_remote () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/pipewire-0.3/libpipewire-module-protocol-native.so
  #2  0x00007f7114288e68 in on_remote_data () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/pipewire-0.3/libpipewire-module-protocol-native.so
  #3  0x00007f7114310efe in loop_iterate () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/spa-0.2/support/libspa-support.so
  #4  0x00007f71266fe7f2 in do_loop () from /nix/store/nhffrd7f15dhfbkwzgayq7hhzmdvdy19-pipewire-0.3.63-lib/lib/libpipewire-0.3.so.0
  #5  0x00007f7128b08e86 in start_thread () from /nix/store/ayfr5l52xkqqjn3n4h9jfacgnchz1z7s-glibc-2.35-224/lib/libc.so.6
  #6  0x00007f7128b8fce0 in clone3 () from /nix/store/ayfr5l52xkqqjn3n4h9jfacgnchz1z7s-glibc-2.35-224/lib/libc.so.6
  (gdb)

Standalone mpv doesn't segfault (when directly playing the underlying
media files). I don't know why.

Fixes: b97cda7 ("mpv-unwrapped: 0.34.1 -> 0.35.0")

Fixes NixOS#205141

Ref jellyfin/jellyfin-media-player#341
erikarvstedt pushed a commit that referenced this pull request Oct 5, 2023
duckdb 0.9.0 without git deepcopy and hash version.