FS#73578 - [glibc] Re-enable NSS module loading for Postfix DNS lookups

Attached to Project: Arch Linux
Opened by Harry Youd (harryyoud) - Monday, 31 January 2022, 18:36 GMT
Last edited by freswa (frederik) - Thursday, 10 February 2022, 21:45 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Giancarlo Razzolini (grazzolini), freswa (frederik)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

CVE-2019-14271 detailed a potential Docker attack by loading chroot libraries into host processes. This was fixed with:
- https://sourceware.org/bugzilla/show_bug.cgi?id=27077
- https://sourceware.org/git/?p=glibc.git;a=commit;h=429029a73ec2dba7f808f69ec8b9e3d84e13e804

This disallows any module loading after chroot. This is problematic for running Postfix daemon processes in chroot, since if libnss_* modules are not loaded before chroot (which is not done routinely), reverse DNS lookups will fail silently (presumably getnameinfo returning null). This results in lines such as "connect from unknown":

postfix/postscreen[130767]: CONNECT from [2a01:4f9:c010:9eb4::1]:33294 to [*************]:25
postfix/postscreen[130767]: PASS OLD [2a01:4f9:c010:9eb4::1]:33294
postfix/smtpd[290004]: connect from unknown[2a01:4f9:c010:9eb4::1]
postfix/smtpd[290004]: BEFF1424729: client=unknown[2a01:4f9:c010:9eb4::1]
postfix/cleanup[290006]: BEFF1424729: message-id=<mailman.3.1643544001.1267510.arch-dev-public@lists.archlinux.org>
postfix/qmgr[130754]: BEFF1424729: from=<arch-dev-public-bounces@lists.archlinux.org>, size=6050, nrcpt=1 (queue active)
postfix/smtpd[290004]: disconnect from unknown[2a01:4f9:c010:9eb4::1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
postfix/lmtp[290007]: BEFF1424729: to=<****@********>, relay=************[private/dovecot-lmtp], delay=1.1, delays=1/0.01/0.01/0.09, dsn=2.0.0, status=sent (250 2.0.0 <************> UwRnL8Z99mHYbAQAz8Fz3A Saved)
postfix/qmgr[130754]: BEFF1424729: removed
An strace reveals /etc/nsswitch.conf is read from the chroot, but no libnss_* modules are loaded. No errors are produced. I can provide the strace privately if required due to significant redactions needing to be made. I have not used a debugger to test.

This issue is resolved with this patch which can be easily backported to glibc 2.33:
https://sourceware.org/git/?p=glibc.git;a=commit;h=3e880d733753183696d1a81c34caef3a9add2b0c

This is rumoured to also fix php-fpm and openldap, but I do not use these, so I cannot provide feedback about this.

Steps to reproduce:
1. Configure Postfix smtpd to be chrooted in /etc/postfix/master.cf
2. Receive email
3. Observe no reverse DNS lookup

Steps to obtain strace/debug:
1. Configure smtpd to run with "-D" debug flags in /etc/postfix/master.cf
2. Configure debugger_command in /etc/postfix/main.cf, using $process_id for substitution

Mitigations:
- Configure smtpd to run outside chroot [tested by me]
- Rebuild glibc with above patch [tested by me]
- Wait for glibc 2.34 [untested]
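Because the failure is silent, the quickest way to confirm it on a running chrooted smtpd is to compare the services on the chroot's `hosts:` line with the `libnss_*` modules actually mapped into the process. The following check is an added diagnostic, not part of this bug report or of glibc/Postfix; the `/var/spool/postfix` chroot path is an assumption and the sample inputs are constructed.

```python
"""Report NSS host-lookup modules a chrooted process should have loaded but has not.
Added diagnostic (not from the bug report); sample inputs below are constructed."""
import re
from pathlib import Path
from typing import List, Set

def hosts_services(nsswitch_text: str) -> List[str]:
    """Service names on the 'hosts:' line of nsswitch.conf, e.g. ['files', 'dns'].
    Action tokens such as [NOTFOUND=return] and comments are skipped."""
    for line in nsswitch_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line.startswith('hosts:'):
            return [t for t in line[len('hosts:'):].split() if not t.startswith('[')]
    return []

def loaded_nss_modules(maps_text: str) -> Set[str]:
    """Service names whose libnss_<name>.so.N appears in /proc/<pid>/maps output."""
    found = set()
    for line in maps_text.splitlines():
        m = re.search(r'/libnss_([A-Za-z0-9_]+)\.so\.\d+', line)
        if m:
            found.add(m.group(1))
    return found

def missing_nss_modules(nsswitch_text: str, maps_text: str,
                        builtin: Set[str] = frozenset()) -> List[str]:
    """Services listed under 'hosts:' with no module mapped into the process.
    A non-empty result is what a chrooted smtpd shows when glibc refuses to
    load modules after chroot. Pass builtin={'files'} on glibc >= 2.34, where
    nss_files is compiled into libc and never appears as a separate library."""
    loaded = loaded_nss_modules(maps_text) | set(builtin)
    return [s for s in hosts_services(nsswitch_text) if s not in loaded]

def check_process(pid: int, chroot: str = '/var/spool/postfix') -> List[str]:
    """Live check against a real process (needs read access to its maps)."""
    nss = Path(chroot, 'etc/nsswitch.conf').read_text()
    maps = Path('/proc', str(pid), 'maps').read_text()
    return missing_nss_modules(nss, maps)

# Constructed samples: a minimal chroot nsswitch.conf and two maps excerpts.
SAMPLE_NSSWITCH = "# chroot copy\nhosts: files [NOTFOUND=return] dns\n"
SAMPLE_MAPS_BROKEN = ("7f2a3c000000-7f2a3c1d8000 r--p 00000000 fd:01 12345 /usr/lib/libc.so.6\n"
                      "7f2a3c300000-7f2a3c310000 r--p 00000000 fd:01 12347 /usr/lib/libresolv.so.2\n")
SAMPLE_MAPS_OK = SAMPLE_MAPS_BROKEN + (
    "7f2a3c200000-7f2a3c20c000 r--p 00000000 fd:01 12346 /usr/lib/libnss_files.so.2\n"
    "7f2a3c400000-7f2a3c408000 r--p 00000000 fd:01 12348 /usr/lib/libnss_dns.so.2\n")

if __name__ == '__main__':
    print('missing (broken sample):', missing_nss_modules(SAMPLE_NSSWITCH, SAMPLE_MAPS_BROKEN))
    print('missing (ok sample):', missing_nss_modules(SAMPLE_NSSWITCH, SAMPLE_MAPS_OK))
```

Run `check_process(<smtpd pid>)` as root against a chrooted smtpd that has already served a connection; an empty list means the modules were loaded, a list naming `files` or `dns` matches the "connect from unknown" symptom above.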

Closed by: freswa (frederik)
Thursday, 10 February 2022, 21:45 GMT
Reason for closing: Fixed
Additional comments about closing: glibc-2.35-2 in [testing]
Comment by Harry Youd (harryyoud) - Monday, 31 January 2022, 18:44 GMT
Apologies for not including the versions of packages:

glibc 2.33-5
postfix 3.6.4-1