Project

General

Profile

Bug #875

Uninstalling packages can remove system libraries

Added by Jim Pingle over 8 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Package System
Target version:
Start date:
09/04/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

If you install a package (like squid) which replaces a base system library (like LDAP), it will install its own copy on install and then remove it on uninstall, leaving the system without said library.

Depending on the package it can be a major issue, especially if a package installs and subsequently removes XML libraries.

We may need to register the base system packages and/or somehow prevent a package from removing them. (Perhaps add dummy "pfSense" package entry that would list all of the packages we need as a dependency?)

Associated revisions

Revision b7ff3186 (diff)
Added by Ermal Luçi over 8 years ago

Ticket #875. While ldconfig should be called by pkg code itself do it explicitly to have the cache file rebuilt with correct list.

History

#1 Updated by Ermal Luçi over 8 years ago

I think just installing all necessary package binaries in a specific folder with pkg_add will solve the issue.
It just needs to install them in a specific folder and needs to teach ldconfig where to find the libraries.

Kind of chroot'ing packages.

#2 Updated by Jim Pingle over 8 years ago

  • Subject changed from Uninstalling packages ran remove system libraries to Uninstalling packages can remove system libraries

#3 Updated by Ermal Luçi over 8 years ago

I added some protection between packages but it is still not enough

#4 Updated by Scott Ullrich over 8 years ago

  • Target version changed from 2.0 to 2.1

This ticket will require us moving to a PBI style package system where the libraries are self contained in the programs folder. IE: /usr/local/squid/bin /usr/local/squid/lib/

This will not happen in 2.0. Moving to 2.1.

#5 Updated by Ermal Luçi over 8 years ago

Well i did a lot of testing today on this.
The only plausible option is to hardlink /usr/local/lib files that ship with base pfsense to /usr/$somedir and provide this path to ldconfig so programs find the libraries even in this folder or during package removal we check if the library is present in this folder and get done with it.

The other options are quite intrusive since involve makeing $PREFIX changed in package builds pfSense pacakages code and putting $PREFIX to some other dir. This is quite safer and works but too much work for 2.0 and to support later on.

#6 Updated by Chris Buechler over 8 years ago

  • Priority changed from Normal to High
  • Target version changed from 2.1 to 2.0

there are still possibilities here to destroy the system by uninstalling packages.

#7 Updated by Chris Buechler over 8 years ago

for instance:

removing squid is breaking several part of the box. At least, racoon does not work anymore, because of "missing" (????) shared library:

# ldd /usr/local/sbin/racoon
/usr/local/sbin/racoon:
       libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000)
       libutil.so.8 => /lib/libutil.so.8 (0x28115000)
       libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000)
       libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000)
       libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000)
       libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000)
       liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b4000)
       libssl.so.6 => /usr/lib/libssl.so.6 (0x281c0000)
       libcrypto.so.6 => /lib/libcrypto.so.6 (0x28208000)
       libc.so.7 => /lib/libc.so.7 (0x28363000)
       libncurses.so.8 => /lib/libncurses.so.8 (0x2847d000)
       libsasl2.so.2 => not found (0x0)
       libssl.so.7 => not found (0x0)
       libcrypto.so.7 => not found (0x0)

However, before installing squid :

# ldd /usr/local/sbin/racoon
/usr/local/sbin/racoon:
       libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000)
       libutil.so.8 => /lib/libutil.so.8 (0x28115000)
       libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000)
       libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000)
       libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000)
       libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000)
       liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b2000)
       libssl.so.6 => /usr/lib/libssl.so.6 (0x281be000)
       libcrypto.so.6 => /lib/libcrypto.so.6 (0x28206000)
       libc.so.7 => /lib/libc.so.7 (0x28361000)
       libncurses.so.8 => /lib/libncurses.so.8 (0x2847b000)

Installing squid installs an extra openssl packages, and racoon starts to link with libraries inside this package. When removing squid, this openssl packages is removed and racoon becomes broken.

I do not know how the dynamic linker is working with freebsd. I suspect something is missing (linux equivalent to ldconfig -a) during the removal, to reconfigure the dynamic linker. If you have any pointers, I will try to fix it.

This also apply to some php modules :

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.7" in Unknown on line 0
*** Welcome to pfSense 2.0-BETA5-pfSense (i386) on fwyul ***

#8 Updated by Ermal Luçi over 8 years ago

I added a ldconfig call to rebuilt the lib caches 'just in case'.

#9 Updated by David Miller almost 8 years ago

Uninstalling the ntop package results in the removal of rrdtool, possibly others as it does have a long list of dependencies. After removing the ntop package you'll see the following messages in your system logs when you attempt to view your rrdgraphs. I was able to get the rrdgraphs to work again by reinstalling the ntop package.

php: /status_rrd_graph_img.php: 
   Failed to create graph with error code 127, the error is:   
   nice: /usr/local/bin/rrdtool: No such file or directory/usr/bin/nice -n20 /usr/local/bin/rrdtool graph ...

#10 Updated by Scott Ullrich almost 8 years ago

I just committed a change that should hopefully preserve rrdtool. Please test the next snapshot run.

#11 Updated by David Miller almost 8 years ago

I finally had a opportunity to update my pfSense install at work. And the rrdtool issue with uninstalling the ntop package is fixed.

Thanks

#12 Updated by Jim Pingle almost 8 years ago

I've installed/uninstalled quite a few packages and the only way I have managed to break the system is if I use pkg_delete by hand from the command prompt, which is something we can't really protect against (without relocating where all the packages install to...)

I think what we have here now is likely good enough for 2.0, and we could revisit the relocation/PBI methods for 2.1+.

#13 Updated by Chris Buechler almost 8 years ago

  • Status changed from New to Resolved

yeah i think this is good

#14 Updated by Joao Assad almost 7 years ago

I belive this bug still exist.

I've recently installed and subsequently removed a few packages for testing purposes. After a reboot I was no longer able to login on the WebConsole with any user besides admin. That happened because after reboot the php ldap module failed to load.

Here is the error taken from /tmp/PHP_errors.log:

[12-Jul-2012 21:40:50] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" in Unknown on line 0

As you can see libsasl2 is missing.

And without the ldap module loaded the getAllowedPages function in /etc/inc/priv.inc will return prematurely. Here is a code excerpt of the function:

249 function getAllowedPages($username) {
250 global $config, $_SESSION;
251
252 if (!function_exists("ldap_connect"))
253 return;

I've installed and removed many packages and don't know which one exactly caused the problem. I think it was squid but Im not 100% sure.

#15 Updated by Joao Assad almost 7 years ago

Im sorry, I didn't mention that it happened on 2.0.1-RELEASE (amd64)

#16 Updated by Jim Pingle almost 7 years ago

The real fix here is already in 2.1 -- we've moved to PBI based packages that are completely self-contained/isolated, and cannot harm system libraries.

Also available in: Atom PDF