Netatalk / netatalk

Netatalk is a Free and Open Source AFP fileserver. A *NIX or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server.
https://netatalk.io
GNU General Public License v2.0

Netatalk 3.1.13 segfaults in afpd #175

Closed mikaku closed 2 years ago

mikaku commented 2 years ago

Hello,

After upgrading from 3.1.12 to 3.1.13 I'm seeing segmentation fault messages every time a user logs in:

[...]
Apr 12 07:46:25 linux afpd[24262]: Login by user1 (AFP3.4)
Apr 12 07:46:25 linux afpd[24262]: ===============================================================
Apr 12 07:46:25 linux afpd[24262]: INTERNAL ERROR: Signal 11 in pid 24262 (3.1.13)
Apr 12 07:46:25 linux afpd[24262]: ===============================================================
Apr 12 07:46:25 linux afpd[24262]: PANIC: internal error
Apr 12 07:46:25 linux afpd[24262]: BACKTRACE: 12 stack frames:
Apr 12 07:46:25 linux afpd[24262]: #0 /lib64/libatalk.so.18(netatalk_panic+0x37) [0x7f2764267df7]
Apr 12 07:46:25 linux afpd[24262]: #1 /lib64/libatalk.so.18(+0x38f48) [0x7f2764267f48]
Apr 12 07:46:25 linux afpd[24262]: #2 /lib64/libc.so.6(+0x36400) [0x7f27601d5400]
Apr 12 07:46:25 linux afpd[24262]: #3 /lib64/libatalk.so.18(+0x17c40) [0x7f2764246c40]
Apr 12 07:46:25 linux afpd[24262]: #4 /lib64/libatalk.so.18(ad_open+0xfee) [0x7f2764248c4e]
Apr 12 07:46:25 linux afpd[24262]: #5 /usr/sbin/afpd(+0x31b6c) [0x55d4bf071b6c]
Apr 12 07:46:25 linux afpd[24262]: #6 /usr/sbin/afpd(+0x32905) [0x55d4bf072905]
Apr 12 07:46:25 linux afpd[24262]: #7 /usr/sbin/afpd(afp_openvol+0x500) [0x55d4bf0731e0]
Apr 12 07:46:25 linux afpd[24262]: #8 /usr/sbin/afpd(afp_over_dsi+0x58e) [0x55d4bf04ff7e]
Apr 12 07:46:25 linux afpd[24262]: #9 /usr/sbin/afpd(main+0xd29) [0x55d4bf04e1e9]
Apr 12 07:46:25 linux afpd[24262]: #10 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27601c1555]
Apr 12 07:46:25 linux afpd[24262]: #11 /usr/sbin/afpd(+0xe250) [0x55d4bf04e250]
Apr 12 07:46:25 linux systemd-logind: Removed session 33688.
Apr 12 07:46:25 linux systemd: Removed slice User Slice of user1.
Apr 12 07:46:29 linux systemd: Created slice User Slice of user1.
Apr 12 07:46:29 linux systemd-logind: New session 33689 of user user1.
Apr 12 07:46:29 linux systemd: Started Session 33689 of user user1.
Apr 12 07:46:29 linux afpd[24273]: Login by user1 (AFP3.4)
Apr 12 07:46:29 linux afpd[24273]: ===============================================================
Apr 12 07:46:29 linux afpd[24273]: INTERNAL ERROR: Signal 11 in pid 24273 (3.1.13)
Apr 12 07:46:29 linux afpd[24273]: ===============================================================
Apr 12 07:46:29 linux afpd[24273]: PANIC: internal error
Apr 12 07:46:29 linux afpd[24273]: BACKTRACE: 12 stack frames:
Apr 12 07:46:29 linux afpd[24273]: #0 /lib64/libatalk.so.18(netatalk_panic+0x37) [0x7f2764267df7]
Apr 12 07:46:29 linux afpd[24273]: #1 /lib64/libatalk.so.18(+0x38f48) [0x7f2764267f48]
Apr 12 07:46:29 linux afpd[24273]: #2 /lib64/libc.so.6(+0x36400) [0x7f27601d5400]
Apr 12 07:46:29 linux afpd[24273]: #3 /lib64/libatalk.so.18(+0x17c40) [0x7f2764246c40]
Apr 12 07:46:29 linux afpd[24273]: #4 /lib64/libatalk.so.18(ad_open+0xfee) [0x7f2764248c4e]
Apr 12 07:46:29 linux afpd[24273]: #5 /usr/sbin/afpd(+0x31b6c) [0x55d4bf071b6c]
Apr 12 07:46:29 linux afpd[24273]: #6 /usr/sbin/afpd(+0x32905) [0x55d4bf072905]
Apr 12 07:46:29 linux afpd[24273]: #7 /usr/sbin/afpd(afp_openvol+0x500) [0x55d4bf0731e0]
Apr 12 07:46:29 linux afpd[24273]: #8 /usr/sbin/afpd(afp_over_dsi+0x58e) [0x55d4bf04ff7e]
Apr 12 07:46:29 linux afpd[24273]: #9 /usr/sbin/afpd(main+0xd29) [0x55d4bf04e1e9]
Apr 12 07:46:29 linux afpd[24273]: #10 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f27601c1555]
Apr 12 07:46:29 linux afpd[24273]: #11 /usr/sbin/afpd(+0xe250) [0x55d4bf04e250]
Apr 12 07:46:29 linux systemd-logind: Removed session 33689.
[...]

OS: CentOS Linux 7.9
Kernel: 3.10.0-1160.59.1.el7.x86_64
Package: netatalk-3.1.13-1.el7.x86_64

Let me know if you need more information. Thanks.

knight-of-ni commented 2 years ago

@mikaku check out the conversation in #174. I've got experimental rpms, if you are willing to test and provide feedback.

mikaku commented 2 years ago

> I've got experimental rpms, if you are willing to test and provide feedback.

Sure, I've just upgraded the system with the package netatalk-3.1.13-2.el7.x86_64.rpm, which I hope is your newest build. I said "I hope" because the web says it was built 17 days ago!!. I expected to see 2 or 3 days ago, but not 17. Didn't know this problem was so "old".

Anyway, I'll come back here in a while once I can confirm the users can log in and work as they did with 3.1.12. Thanks.

mikaku commented 2 years ago

Forgot to say that since version 3.1.12 is no longer available on EPEL, the only way, on CentOS 7, to downgrade is downloading it from Koji:

https://koji.fedoraproject.org/koji/buildinfo?buildID=1403661

mikaku commented 2 years ago

With the package netatalk-3.1.13-2.el7.x86_64.rpm installed I see messages like these:

[...]
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA0600A000220508.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1003D000220477.jpg"): invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1003D000220477.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1006PTD0220358.jpg"): invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1006PTD0220358.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1003D000220439.jpg"): invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1003D000220439.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA0809PDT0220420.jpg"): invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA0809PDT0220420.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1004D000220382.jpg"): invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1004D000220382.jpg"): deleted invalid metadata EA
May  3 09:45:31 linux afpd[22083]: ad_header_read_ea("/u/applefas5/TA1001PDT0220414.jpg"): invalid metadata EA
[...]
May  3 09:45:41 linux afpd[22083]: PANIC: Can't seteuid back
May  3 09:45:41 linux afpd[22083]: BACKTRACE: 9 stack frames:
May  3 09:45:41 linux afpd[22083]: #0 /lib64/libatalk.so.18(netatalk_panic+0x37) [0x7f252dcc4087]
May  3 09:45:41 linux afpd[22083]: #1 /lib64/libatalk.so.18(unbecome_root+0x3c) [0x7f252dccd92c]
May  3 09:45:41 linux afpd[22083]: #2 /lib64/libatalk.so.18(ad_metadata+0x65) [0x7f252dca5bd5]
May  3 09:45:41 linux afpd[22083]: #3 /usr/sbin/afpd(getfilparams+0x9b) [0x5585cb11207b]
May  3 09:45:41 linux afpd[22083]: #4 /usr/sbin/afpd(afp_resolveid+0x30a) [0x5585cb11456a]
May  3 09:45:41 linux afpd[22083]: #5 /usr/sbin/afpd(afp_over_dsi+0x58e) [0x5585cb0fef7e]
May  3 09:45:41 linux afpd[22083]: #6 /usr/sbin/afpd(main+0xd29) [0x5585cb0fd1e9]
May  3 09:45:41 linux afpd[22083]: #7 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f2529c1d555]
May  3 09:45:41 linux afpd[22083]: #8 /usr/sbin/afpd(+0xe250) [0x5585cb0fd250]

Since these messages were not present with the previous version, I've downgraded to 3.1.12 again. Let me know if you want me to test a new version.

knight-of-ni commented 2 years ago

Thanks for the feedback. I'll ping the author of pr #174

> I said "I hope" because the web says it was built 17 days ago!!. I expected to see 2 or 3 days ago, but not 17. Didn't know this problem was so "old".

PR #174, which is what my copr rpms use, was created 22 days ago.

knight-of-ni commented 2 years ago

I've gone ahead and built 3.1.12 in my copr repo, to make it a little easier to downgrade. I'll announce that in redhat bugzilla as well.

mikaku commented 2 years ago

I've just upgraded my server with the latest version: netatalk-3.1.13-3.el7. I'll be checking how it is functioning within the next hours.

mikaku commented 2 years ago

No errors and no problems appeared using the latest version. You hit the nail on the head this time! :+1:

knight-of-ni commented 2 years ago

Great, glad to hear! Thanks go to @anodos325 for doing the hard part. I simply patched his PR against the 3.1.13 tarball.

anodos325 commented 2 years ago

Okay. It's important to know that with this patchset the error handling for an AFP metadata xattr that fails to parse is different. Original code was to delete xattr and generate new one. Current behavior in this PR is to AFP_ASSERT(), which crashes netatalk and may generate corefile. The reason for this is so that we avoid removing xattr if people discover a new parsing bug (fail safe from user data standpoint), and give package maintainer the opportunity to see what went wrong.

I presume that eventually this (the AFP_ASSERT()) can be removed before final merge / new release to restore original behavior (deleting xattr and generating new one). This does expose ability for malicious local user to basically DOS a path on the netatalk server by writing junk data to an AFP metadata xattr. I think this is an acceptable risk for what is WIP / pending PR while it continues to be tested.
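The trade-off described in the comment above, as an added example (not netatalk's code and not written by anyone in this thread): a bounds-checked validator for an AppleDouble-style entry table, plus the two failure policies. The function, policy and sample names are hypothetical, the validation rules are assumptions rather than netatalk's actual checks, and the sample blobs are constructed (the entry values 9 / 50 / 3760 are borrowed from the log line later in the thread).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AD_MAGIC      0x00051607u /* AppleDouble magic number */
#define AD_HEADER_LEN 26          /* magic 4, version 4, filler 16, entry count 2 */
#define AD_ENTRY_LEN  12          /* entry id 4, offset 4, length 4, big-endian */

enum ad_status { AD_OK, AD_TRUNCATED, AD_BAD_MAGIC, AD_BAD_ENTRY };
/* Hypothetical names for the two behaviours discussed in the thread. */
enum ad_policy { POLICY_REGENERATE, POLICY_FAIL_SAFE };
enum ad_action { ACT_USE, ACT_DELETE_AND_REGENERATE, ACT_REFUSE_KEEP_XATTR };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the entry table without reading outside buf[0..len). */
enum ad_status ad_validate(const uint8_t *buf, size_t len) {
    if (len < AD_HEADER_LEN) return AD_TRUNCATED;
    if (be32(buf) != AD_MAGIC) return AD_BAD_MAGIC;
    size_t n = ((size_t)buf[24] << 8) | buf[25];
    size_t table_end = AD_HEADER_LEN + n * AD_ENTRY_LEN;
    if (table_end > len) return AD_TRUNCATED;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + AD_HEADER_LEN + i * AD_ENTRY_LEN;
        uint32_t eid = be32(e), off = be32(e + 4), elen = be32(e + 8);
        /* "elen > len - off" instead of "off + elen > len": cannot wrap. */
        if (eid == 0 || off < table_end || off > len || elen > len - off)
            return AD_BAD_ENTRY;
    }
    return AD_OK;
}

/* The parser only reports; the caller's policy decides what happens to the xattr. */
enum ad_action ad_decide(enum ad_status st, enum ad_policy p) {
    if (st == AD_OK) return ACT_USE;
    return p == POLICY_REGENERATE ? ACT_DELETE_AND_REGENERATE : ACT_REFUSE_KEEP_XATTR;
}

/* Constructed 64-byte samples: one entry, eid 9 at offset 50, length 14 vs 3760. */
static const uint8_t SAMPLE_OK[64] = { 0x00, 0x05, 0x16, 0x07, 0x00, 0x02, 0x00, 0x00,
    [25] = 1, [29] = 9, [33] = 50, [37] = 14 };
static const uint8_t SAMPLE_BAD[64] = { 0x00, 0x05, 0x16, 0x07, 0x00, 0x02, 0x00, 0x00,
    [25] = 1, [29] = 9, [33] = 50, [36] = 0x0E, [37] = 0xB0 };

int main(void) {
    enum ad_status st = ad_validate(SAMPLE_BAD, sizeof SAMPLE_BAD);
    printf("status=%d action=%d\n", st, ad_decide(st, POLICY_FAIL_SAFE));
    return 0;
}
```

Keeping the policy outside the parser makes the choice explicit: the fail-safe action preserves user data and evidence of a parsing bug, at the cost that anyone able to write the xattr can make that path unusable until it is repaired.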

mikaku commented 1 year ago

Hello,

I'm not sure if this is still related to this issue, but I see those messages after upgrading to 3.1.13:

Dec 22 12:48:25 linux afpd[18995]: parse_entries: bogus eid: 9, off: 50, len: 3760
Dec 22 12:48:25 linux afpd[18995]: ad_header_read(/u/applepublic/XXX/D06037138/._pont-aven-9089-42_w400.jpg): malformed AppleDouble
Dec 22 12:48:25 linux afpd[18995]: ad_header_read_osx(rfpath, ad, &st) failed: Input/output error
Dec 22 12:48:25 linux afpd[18995]: afp_openfork(pont-aven-9089-42_w400.jpg): ad_open: Input/output error

Any idea?

OS: CentOS 7 Linux
Uname: Linux linux.xxxxxxxxxx.lan 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Netatalk: netatalk-3.1.13-3.el7.x86_64

rdmark commented 1 year ago

@mikaku Can you please upgrade to 3.1.14 and try to reproduce your issue there? If it still persists, please file a new issue ticket.

mikaku commented 1 year ago

@rdmark Sure, you mean that one still in testing, right?

https://dl.fedoraproject.org/pub/epel/testing/7/x86_64/Packages/n/netatalk-3.1.14-3.el7.x86_64.rpm

knight-of-ni commented 1 year ago

@mikaku you can upgrade to 3.1.14 today with a simple yum/dnf upgrade. 3.1.14 has been in fedora & epel repos since Jan 12. https://src.fedoraproject.org/rpms/netatalk/c/484cef3c18595ba0c09776c42cb62508e65beced?branch=rawhide

The latest 3.1.14-3 was pushed yesterday, to fix a CVE. It is not related to the issue you are experiencing.

mikaku commented 1 year ago

If 3.1.14-3 is not necessary then my server is already using the 3.1.14:

# rpm -q netatalk --last
netatalk-3.1.14-1.el7.x86_64                  Sun 05 Feb 2023 09:13:10 AM CET

knight-of-ni commented 1 year ago

Since this issue is still occurring with 3.1.14, you may want to create a new issue and identify it as such, to get the developers' attention.

I just noticed release notes for 3.1.15 were just committed to master, so it looks like a new release is imminent. Don't know if that will help, but I'll build a new set of rpms once the release is made official.

rdmark commented 1 year ago

@mikaku Did the problematic volumes by any chance start out as netatalk2 volumes and then get converted to netatalk3 at some point over the years?

mikaku commented 1 year ago

@rdmark, I've opened the new issue #270; I've answered your question there. Thanks.