From: John Baldwin
To: "freebsd-current@freebsd.org"
Date: Sat, 9 Sep 2023 09:23:32 -0700
Subject: 15/14 upgrades break old sudo, maybe bump PAM's shlib?
List-Archive: https://lists.freebsd.org/archives/freebsd-current

I upgraded my laptop from a late June current to current from yesterday today, and after installworld sudo stopped working (dies with a SIGBUS).
After some debugging, the issue ended up being OpenSSL library version mismatches as sudo uses PAM and PAM is linked against OpenSSL 3, but sudo is linked against OpenSSL 1.1.1. Both shlibs get mapped into the process and at some point sudo crosses the streams and the crash occurs inside OpenSSL 3's libcrypto.

I realize that we do have a general note about needing to update third party packages after an upgrade, but I tend to use sudo as part of my workflow for doing that sort of thing. I generally build all my own packages via poudriere and use sudo at various points in that process, but even if I were using FreeBSD.org packages I would be using sudo to try to run 'pkg upgrade'.

su(8) in base works fine, so that's my workaround for now on my laptop, but I wonder if we want to make this particular bump on the upgrade path a little less bumpy? Either by being clear in our release notes that tools like sudo (and I suspect any other third-party su wrappers that also use PAM, xscreensaver's screen lock doesn't seem to be affected since it probably doesn't use OpenSSL directly thankfully) can break, or another route we could take would be to bump the DSO versions of things that depend on libcrypto/libssl in base. We did not do this latter approach for the OpenSSL 1.0.2 -> 1.1.1 upgrade FWIW.

If we wanted to do the shlib bump approach, Enji had a good list from a while back (though Enji wanted to make them all private rather than bumping):

- kerberos
- libarchive
- libbsnmp
- libfetch
- libgeli
- libldns
- libmp
- libradius
- libunbound

From my research it seems that PAM (library and modules), gssapi libraries, and libzfs would also need to be on the list. libldns is already private as is libunbound, though bumping them might be safer anyway. There is no libgeli, instead there is geli_eli.so which has no version, but hopefully is not widely used in ports the same as PAM.
Note also that if we did this, we would want to do it for 14.0 as 13.x -> 14 upgrades are affected in the same way.

--
John Baldwin
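
Added example (not part of the original message, and not FreeBSD project code): a check for the condition described above, where a program and the PAM objects it loads pull in two different versions of libcrypto or libssl. The function names, the sample ldd(1) output and the module name pam_example.so are constructed for illustration.

```sh
#!/bin/sh
# Added example: find OpenSSL libraries that show up with more than one
# shlib version across the ldd(1) output of several objects.

# Print the unique libcrypto/libssl sonames seen in ldd output on stdin.
openssl_sonames() {
    awk '$1 ~ /^lib(crypto|ssl)\.so\.[0-9]+$/ { print $1 }' | sort -u
}

# Read ldd output on stdin. For every OpenSSL library present in more than
# one version, print "name: ver ver". Exit 0 if a mix was found, 1 if not.
mixed_openssl() {
    openssl_sonames | awk -F'[.]so[.]' '
        { vers[$1] = vers[$1] " " $2; n[$1]++ }
        END {
            for (l in n)
                if (n[l] > 1) { print l ":" vers[l]; bad = 1 }
            exit (bad ? 0 : 1)
        }'
}

# Constructed sample: a port binary still linked against the old libcrypto
# and a hypothetical PAM module linked against the new one.
SAMPLE_LDD='/usr/local/bin/sudo:
    libutil.so.9 => /lib/libutil.so.9 (0x0)
    libpam.so.6 => /usr/lib/libpam.so.6 (0x0)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x0)
/usr/lib/pam_example.so:
    libcrypto.so.30 => /lib/libcrypto.so.30 (0x0)
    libc.so.7 => /lib/libc.so.7 (0x0)'

printf '%s\n' "$SAMPLE_LDD" | mixed_openssl

# On a live system (paths are assumptions, adjust to the host):
#   { ldd /usr/local/bin/sudo; ldd /usr/lib/pam_*.so; } 2>/dev/null | mixed_openssl
```

Running this before installworld against the PAM-using tools needed for the upgrade itself shows which of them have to be rebuilt first, or where su(8) is needed as the fallback.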