Bug #875
closedUninstalling packages can remove system libraries
0%
Description
If you install a package (like squid) which replaces a base system library (like LDAP), it will install its own copy on install and then remove it on uninstall, leaving the system without said library.
Depending on the package it can be a major issue, especially if a package installs and subsequently removes XML libraries.
We may need to register the base system packages and/or somehow prevent a package from removing them. (Perhaps add dummy "pfSense" package entry that would list all of the packages we need as a dependency?)
Updated by Ermal Luçi over 14 years ago
I think just installing all necessary package binaries in a specific folder with pkg_add will solve the issue.
It just needs to install them in a specific folder and needs to teach ldconfig where to find the libraries.
Kind of chroot'ing packages.
Updated by Jim Pingle over 14 years ago
- Subject changed from Uninstalling packages ran remove system libraries to Uninstalling packages can remove system libraries
Updated by Ermal Luçi about 14 years ago
I added some protection between packages but it is still not enough
Updated by Scott Ullrich about 14 years ago
- Target version changed from 2.0 to 2.1
This ticket will require us moving to a PBI style package system where the libraries are self contained in the programs folder. IE: /usr/local/squid/bin /usr/local/squid/lib/
This will not happen in 2.0. Moving to 2.1.
Updated by Ermal Luçi about 14 years ago
Well i did a lot of testing today on this.
The only plausible option is to hardlink /usr/local/lib files that ship with base pfsense to /usr/$somedir and provide this path to ldconfig so programs find the libraries even in this folder or during package removal we check if the library is present in this folder and get done with it.
The other options are quite intrusive since involve makeing $PREFIX changed in package builds pfSense pacakages code and putting $PREFIX to some other dir. This is quite safer and works but too much work for 2.0 and to support later on.
Updated by Chris Buechler almost 14 years ago
- Priority changed from Normal to High
- Target version changed from 2.1 to 2.0
there are still possibilities here to destroy the system by uninstalling packages.
Updated by Chris Buechler almost 14 years ago
for instance:
removing squid is breaking several part of the box. At least, racoon does not work anymore, because of "missing" (????) shared library: # ldd /usr/local/sbin/racoon /usr/local/sbin/racoon: libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000) libutil.so.8 => /lib/libutil.so.8 (0x28115000) libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000) libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000) libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000) liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b4000) libssl.so.6 => /usr/lib/libssl.so.6 (0x281c0000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x28208000) libc.so.7 => /lib/libc.so.7 (0x28363000) libncurses.so.8 => /lib/libncurses.so.8 (0x2847d000) libsasl2.so.2 => not found (0x0) libssl.so.7 => not found (0x0) libcrypto.so.7 => not found (0x0) However, before installing squid : # ldd /usr/local/sbin/racoon /usr/local/sbin/racoon: libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000) libutil.so.8 => /lib/libutil.so.8 (0x28115000) libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000) libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000) libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000) liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b2000) libssl.so.6 => /usr/lib/libssl.so.6 (0x281be000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x28206000) libc.so.7 => /lib/libc.so.7 (0x28361000) libncurses.so.8 => /lib/libncurses.so.8 (0x2847b000) Installing squid installs an extra openssl packages, and racoon starts to link with libraries inside this package. When removing squid, this openssl packages is removed and racoon becomes broken. I do not know how the dynamic linker is working with freebsd. I suspect something is missing (linux equivalent to ldconfig -a) during the removal, to reconfigure the dynamic linker. If you have any pointers, I will try to fix it. This also apply to some php modules : PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.7" in Unknown on line 0 *** Welcome to pfSense 2.0-BETA5-pfSense (i386) on fwyul ***
Updated by Ermal Luçi almost 14 years ago
I added a ldconfig call to rebuilt the lib caches 'just in case'.
Updated by David Miller over 13 years ago
Uninstalling the ntop package results in the removal of rrdtool, possibly others as it does have a long list of dependencies. After removing the ntop package you'll see the following messages in your system logs when you attempt to view your rrdgraphs. I was able to get the rrdgraphs to work again by reinstalling the ntop package.
php: /status_rrd_graph_img.php: Failed to create graph with error code 127, the error is: nice: /usr/local/bin/rrdtool: No such file or directory/usr/bin/nice -n20 /usr/local/bin/rrdtool graph ...
Updated by Scott Ullrich over 13 years ago
I just committed a change that should hopefully preserve rrdtool. Please test the next snapshot run.
Updated by David Miller over 13 years ago
I finally had a opportunity to update my pfSense install at work. And the rrdtool issue with uninstalling the ntop package is fixed.
Thanks
Updated by Jim Pingle over 13 years ago
I've installed/uninstalled quite a few packages and the only way I have managed to break the system is if I use pkg_delete by hand from the command prompt, which is something we can't really protect against (without relocating where all the packages install to...)
I think what we have here now is likely good enough for 2.0, and we could revisit the relocation/PBI methods for 2.1+.
Updated by Chris Buechler over 13 years ago
- Status changed from New to Resolved
yeah i think this is good
Updated by Joao Assad over 12 years ago
I belive this bug still exist.
I've recently installed and subsequently removed a few packages for testing purposes. After a reboot I was no longer able to login on the WebConsole with any user besides admin. That happened because after reboot the php ldap module failed to load.
Here is the error taken from /tmp/PHP_errors.log:
[12-Jul-2012 21:40:50] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" in Unknown on line 0
As you can see libsasl2 is missing.
And without the ldap module loaded the getAllowedPages function in /etc/inc/priv.inc will return prematurely. Here is a code excerpt of the function:
249 function getAllowedPages($username) {
250 global $config, $_SESSION;
251
252 if (!function_exists("ldap_connect"))
253 return;
I've installed and removed many packages and don't know which one exactly caused the problem. I think it was squid but Im not 100% sure.
Updated by Joao Assad over 12 years ago
Im sorry, I didn't mention that it happened on 2.0.1-RELEASE (amd64)
Updated by Jim Pingle over 12 years ago
The real fix here is already in 2.1 -- we've moved to PBI based packages that are completely self-contained/isolated, and cannot harm system libraries.