bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

[Ignacio Coterillo]

[-- Attachment #1: Type: text/html, Size: 3395 bytes --]

[-- Attachment #2: Type: text/plain, Size: 869 bytes --]

Hello,

[Summary]
- The icecat package doesn't correctly set the LD_LIBRARY_PATH
variable during the wrap-program build stage to include mit-krb5 libraries
so kerberos authentication fails as the libraries are not found at runtime:

[Details]
Execution logs obtained by running icecat with the following setup:

$ export NSPR_LOG_FILE=icecat
$ export NSPR_LOG_MODULES=negotiateauth:5
$ icecat

icecat.moz_log:
------------------------------------------------------------------------
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 30197: Main Thread]: D/negotiateauth Fail to load gssapi library
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()


Confirmed by running through strace:

$ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5"

(See results in attachment)

Best regards,

Ignacio


[-- Attachment #3: icecat-strace.log --]
[-- Type: application/octet-stream, Size: 6856 bytes --]

❯ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5"                                                                                                                                  
openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

[Mark H Weaver]

[-- Attachment #1: Type: text/plain, Size: 1073 bytes --]

Hi Ignacio,

Ignacio  Coterillo <ignacio.coterillo@gmail.com> writes:

> [Summary]
> - The icecat package doesn't correctly set the LD_LIBRARY_PATH
> variable during the wrap-program build stage to include mit-krb5 libraries
> so kerberos authentication fails as the libraries are not found at runtime:

Thanks for this report.  I've attached a proposed patch that might fix
the problem.  I've verified that the modified IceCat package builds and
runs successfully, but I'm unable to test it properly because I don't
have access to any system that uses Kerberos authentication.

Are you able to test this patch?  One way to do so is to clone the
master branch of our git repository, apply this patch to the Guix git
checkout and build it, and then run that modified copy of Guix (without
installing it) to build icecat.  See sections 16.1 (Building from Git)
and 16.2 (Running Guix Before It Is Installed) of our manual for details
of how to do this.

If you encounter difficulties or have additional questions, please do
not hesitate to ask.

      Regards,
        Mark


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] UNTESTED: gnu: icecat: Fix Kerberos support --]
[-- Type: text/x-patch, Size: 2081 bytes --]

From 857f829906e0f8d9583a32ad47c91149c7714171 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sun, 13 Jun 2021 19:11:15 -0400
Subject: [PATCH] UNTESTED: gnu: icecat: Fix Kerberos support.

Fixes <https://bugs.gnu.org/48959>.

* gnu/packages/gnuzilla.scm (icecat)[arguments]: In the 'wrap-program' phase,
add mit-krb5 to the LD_LIBRARY_PATH.
---
 gnu/packages/gnuzilla.scm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index c63809c20c..a997fc1c73 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1276,14 +1276,19 @@ from forcing GEXP-PROMISE."
                     (pulseaudio (assoc-ref inputs "pulseaudio"))
                     (pulseaudio-lib (string-append pulseaudio "/lib"))
                     (libxscrnsaver (assoc-ref inputs "libxscrnsaver"))
-                    (libxscrnsaver-lib (string-append libxscrnsaver "/lib")))
+                    (libxscrnsaver-lib (string-append libxscrnsaver "/lib"))
+                    (mit-krb5 (assoc-ref inputs "mit-krb5"))
+                    (mit-krb5-lib (string-append mit-krb5 "/lib")))
                (wrap-program (car (find-files lib "^icecat$"))
                  `("XDG_DATA_DIRS" prefix (,gtk-share))
                  ;; The following line is commented out because the icecat
                  ;; package on guix has been observed to be unstable when
                  ;; using wayland, and the bundled extensions stop working.
                  ;;   `("MOZ_ENABLE_WAYLAND" = ("1"))
-                 `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib ,mesa-lib ,libxscrnsaver-lib)))
+                 `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib
+                                             ,mesa-lib
+                                             ,libxscrnsaver-lib
+                                             ,mit-krb5-lib)))
                #t))))))
     (home-page "https://www.gnu.org/software/gnuzilla/")
     (synopsis "Entirely free browser derived from Mozilla Firefox")
-- 
2.31.1


[-- Attachment #3: Type: text/plain, Size: 154 bytes --]


-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

[Mark H Weaver]

Hello again,

Earlier, I wrote:
> Are you able to test this patch?  One way to do so is to clone the
> master branch of our git repository, apply this patch to the Guix git
> checkout and build it, and then run that modified copy of Guix (without
> installing it) to build icecat.

On second thought, it would be sufficient and *much* easier to simply
verify that Kerberos authentication works in IceCat if you launch it
with the following Bash shell command:

LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat

Would you like to try it and report back?

     Thanks,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

[Ignacio Coterillo]

Hi Mark,

Thank you for looking at his.

First, I confirm that Kerberos authentication works when running 
icecat as:

  LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat

Regarding the patch, I actually tried to build the package with 
those
exact changes myself before submitting the bug for further testing
but didn't manage to complete the build.
The build process would go on for over a day (most of the time 
spent in
bootstrapping the rust inputs) until failing because of lack of 
disk space.

I've been reading through the different mailing list archives and 
the rust
bootstrapping process seems to be a known problem.
Is there a way of improve the behaviour to work on these kind of 
big packages?
Is it possible to estimate a priori the amount of space a build 
would
require to prevent failures?

Best regards,

Ignacio


Mark H Weaver <mhw@netris.org> writes:

> Hello again,
>
> Earlier, I wrote:
>> Are you able to test this patch?  One way to do so is to clone 
>> the
>> master branch of our git repository, apply this patch to the 
>> Guix git
>> checkout and build it, and then run that modified copy of Guix 
>> (without
>> installing it) to build icecat.
>
> On second thought, it would be sufficient and *much* easier to 
> simply
> verify that Kerberos authentication works in IceCat if you 
> launch it
> with the following Bash shell command:
>
> LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
>
> Would you like to try it and report back?
>
>      Thanks,
>        Mark

bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

[Mark H Weaver]

Hi Ignacio,

Ignacio  Coterillo <ignacio.coterillo@gmail.com> writes:

> First, I confirm that Kerberos authentication works when running 
> icecat as:
>
>   LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat

Thanks.  I just pushed my proposed patch to the master branch, commit
61b904b744c1f16084c79e526837cc7fe73f9b92.  I'm also closing this bug
now, but feel free to reopen it if there are remaining problems.

> Regarding the patch, I actually tried to build the package with those
> exact changes myself before submitting the bug for further testing but
> didn't manage to complete the build.  The build process would go on
> for over a day (most of the time spent in bootstrapping the rust
> inputs) until failing because of lack of disk space.

Hmm.  If you built a recent commit from the 'master' branch of Guix, and
had substitutes enabled, then it should _not_ have tried to build Rust
locally.

My guess is that you didn't pass "--sysconfdir=/etc" to ./configure.
Consequently, the locally-built Guix is looking in /usr/local/etc/guix
for its authorized signing keys, whereas the default configuration of
Guix (as self-built by Guix itself and as installed by our distributed
installers) looks in /etc/guix.  That would explain why the
locally-built Guix is not using substitutes.

I suggest passing "--sysconfdir=/etc" (and "--localstatedir=/var") to
./configure, re-running "make" in your Git checkout, and trying again.
Alternatively, you could copy (using "cp -a") /etc/guix to
/usr/local/etc/guix.

> Is it possible to estimate a priori the amount of space a build would
> require to prevent failures?

No.  However, 80 GB is more than sufficient to build an entire
GNOME-based Guix system plus Rust and IceCat from source code.  I know
this because for several years I've been building my GNOME-based Guix
system locally (with substitutes disabled) on a Thinkpad X200 with 4 GB
of RAM, 8 GB of Swap, and only ~75 GB of disk available for Guix.

If you have a separate /tmp partition, perhaps it is too small.  When
building packages locally, the temporary build directories are put in
/tmp by default.  It's possible to configure 'guix-daemon' to put them
elsewhere, either by passing the TMPDIR environment variable to
'guix-daemon' (if running it by hand), or via the 'tmpdir' field of the
'guix-configuration' by putting something like the following code in the
'services' field of your OS configuration.

--8<---------------cut here---------------start------------->8---
_ (services (cons* …
__________________ (modify-services %desktop-services
____________________ (guix-service-type config =>
_______________________________________ (guix-configuration
_________________________________________ (inherit config)
_________________________________________ (tmpdir "/var/tmp"))))))
--8<---------------cut here---------------end--------------->8---

Please let us know if you continue to have difficulties.

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.