Bug 1739176 - The xrdp RPM `posttrans` scriptlet fails on FIPS-enabled systems
Summary: The xrdp RPM `posttrans` scriptlet fails on FIPS-enabled systems
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: xrdp
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Itamar Reis Peixoto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-08 16:50 UTC by Thomas Jones
Modified: 2019-10-09 18:55 UTC (History)

Fixed In Version: xrdp-0.9.11-5.fc31 xrdp-0.9.11-5.fc29 xrdp-0.9.11-5.fc30 xrdp-0.9.11-5.el7 xrdp-0.9.11-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-02 00:46:42 UTC
Type: Bug
Embargoed:




Links:
GitHub neutrinolabs/xrdp issue 407 (last updated 2019-08-08 23:26:14 UTC)

Description Thomas Jones 2019-08-08 16:50:52 UTC
Description of problem:

The xrdp RPM includes a posttrans scriptlet that includes the line:

     (umask 377; /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini >/dev/null)

This fails on FIPS-enabled systems due to xrdp-keygen only supporting use of MD5 keys. Per https://github.com/neutrinolabs/xrdp/issues/1032, the protocol uses TLS for transport and the inability to generate a key isn't specifically problematic: so long as *an* /etc/xrdp/rsakeys.ini file exists - even a null-file - the software should function as intended. That the above snippet results in no /etc/xrdp/rsakeys.ini file being created at all is problematic. Probably better to alter the above to something like:

     ( install -bDm 000400 /dev/null /etc/xrdp/rsakeys.ini && \
       /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini >/dev/null )

This will still result in an error message being printed on FIPS-enabled systems. However, the proposed change should result in the needed /etc/xrdp/rsakeys.ini always being created.

Version-Release number of selected component (if applicable):

     $ rpm -qi xrdp
     Name        : xrdp
     Epoch       : 1
     Version     : 0.9.10
     Release     : 1.el7
     Architecture: x86_64
     Install Date: Thu 08 Aug 2019 03:51:21 PM UTC
     Group       : Unspecified
     Size        : 2191475
     License     : ASL 2.0
     Signature   : RSA/SHA256, Fri 03 May 2019 12:03:36 AM UTC, Key ID 6a2faea2352c64e5
     Source RPM  : xrdp-0.9.10-1.el7.src.rpm
     Build Date  : Thu 02 May 2019 11:38:00 PM UTC
     Build Host  : buildvm-10.phx2.fedoraproject.org
     Relocations : (not relocatable)
     Packager    : Fedora Project
     Vendor      : Fedora Project
     URL         : http://www.xrdp.org/
     Bug URL     : https://bugz.fedoraproject.org/xrdp
     Summary     : Open source remote desktop protocol (RDP) server
     Description :
     xrdp provides a fully functional RDP server compatible with a wide range
     of RDP clients, including FreeRDP and Microsoft RDP client.

How reproducible:


Steps to Reproduce:
1. Deploy a FIPS-enabled RHEL 7 system
2. Perform a `yum install xrdp`
3. Once RPM-installation reaches the %post script stage, it will:
    * Print out the error:

         md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
         /var/tmp/rpm-tmp.Ol7pFk: line 3: 17961 Aborted                 (core dumped) /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini > /dev/null

    * Finish the installation having failed to create any /etc/xrdp/rsakeys.ini file

Actual results:

RPM installs without necessary /etc/xrdp/rsakeys.ini file being created

Expected results:

RPM installs with necessary /etc/xrdp/rsakeys.ini file being created


Additional info:

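The following is an added example, not the xrdp package's own %posttrans scriptlet and not the snippet proposed above. It shows the "file first, keygen second" idea from the report as a reusable function: the key file always ends up present and root-only readable, an xrdp-keygen abort (the FIPS case) degrades to an empty file instead of no file, and an already populated file from a previous install is left alone. The keygen command interface (a command whose last argument is the output path, as in `/usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini`) is assumed from how the scriptlet invokes the tool; the stubs used for the run below are constructed stand-ins, not the real tool.

```shell
#!/bin/sh
# Added example, not the xrdp package's own %posttrans scriptlet.
#
# ensure_rsakeys KEYFILE KEYGEN
#   KEYFILE  path of the rsakeys.ini to provide (the package uses
#            /etc/xrdp/rsakeys.ini; the usage below uses a temp dir)
#   KEYGEN   command that writes a key file to its last argument
#            (normally "/usr/bin/xrdp-keygen xrdp"; this interface is an
#            assumption taken from how the scriptlet calls the tool)
# Exit status is 0 when KEYFILE exists afterwards, 1 otherwise.
ensure_rsakeys() {
    keyfile=$1
    keygen=$2

    # Upgrades: keep an existing, populated key file untouched.
    if [ -s "$keyfile" ]; then
        return 0
    fi

    # Generate into a private scratch file (mktemp creates it 0600), so a
    # crashing keygen cannot leave a half-written file at the final path.
    scratch=$(mktemp "${keyfile}.XXXXXX") || return 1

    # $keygen is intentionally unquoted so "tool subcommand" splits into words.
    if $keygen "$scratch" >/dev/null 2>&1 && [ -s "$scratch" ]; then
        # Success: make it root-only readable and move into place atomically.
        chmod 400 "$scratch" && mv -f "$scratch" "$keyfile"
    else
        # FIPS (or any other) failure: the RSA key is not needed for TLS
        # transport, so fall back to an empty 0400 file rather than none.
        echo "warning: key generation failed, providing empty $keyfile" >&2
        rm -f "$scratch"
        [ -e "$keyfile" ] || (umask 377; : >"$keyfile")
    fi

    [ -e "$keyfile" ]
}
```

In a real scriptlet the call would be `ensure_rsakeys /etc/xrdp/rsakeys.ini "/usr/bin/xrdp-keygen xrdp"`; the warning still appears on FIPS systems, but the install no longer finishes without the file.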
Comment 1 Bojan Smojver 2019-08-08 23:26:59 UTC
The issue has been reported upstream, so once the upstream fixes this, I will rebuild xrdp.

Comment 2 Thomas Jones 2019-08-09 12:10:05 UTC
Oh. I'd posted this bug here since the Fedora page directed issue submissions here. Is there an associated GitHub (et al.) project for the RPM-based packaging to which one can submit PRs? If so, I'd be happy to submit a PR to address the flaw in the RPM's %post scriptlet.

Comment 3 Bojan Smojver 2019-08-09 13:04:21 UTC
Judging by the discussion upstream, the tool only generates md5 keys. I'll reread that discussion again tomorrow, just to make sure I didn't misunderstand.

Comment 4 Thomas Jones 2019-08-09 13:31:51 UTC
Right, *because* the affected protocol is effectively deprecated:
1) They're not going to try to fix the tool (original bug was opened in 2016)
2) The inability to generate the key isn't problematic, all you have to do is ensure a null-file of the expected name is present (i.e., don't worry about the tool, worry about how the RPM attempts to use the problematic tool - either wholly drop the keygen or include logic to ensure the presence of a null-file).

Which is to say, my original suggestion in this bug report is "don't try to fix the tool, fix the RPM's %post scriptlet" (and offered one such method for doing so).

Comment 5 Bojan Smojver 2019-08-09 14:04:35 UTC
Right. Sure, we can create an empty file, if that gets things over the hump.

Comment 6 Thomas Jones 2019-08-09 15:42:32 UTC
Yup. It does. I stood up an XRDP-enabled EC2 yesterday and validated that everything functioned once the touch-file was in place.

Silly question: any chance the RPM could be updated to activate the ms-wbt firewalld service? If so, would that need to be requested by a separate BZ?

Comment 7 Bojan Smojver 2019-08-09 21:53:13 UTC
That sounds like a sysadmin task to me. Adding such firewall rules by an rpm is not something I would feel comfortable forcing on everyone that installs xrdp.

Comment 8 Thomas Jones 2019-08-09 21:54:59 UTC
No worries. Some RPM packagings are more (potentially) disruptive than others. For example, installing the graphical desktop RPM-group changes the default run level.

Comment 9 Bojan Smojver 2019-08-09 23:27:36 UTC
Please try: https://koji.fedoraproject.org/koji/taskinfo?taskID=36894809

Comment 10 Thomas Jones 2019-08-10 15:52:24 UTC
Awesome. I'll give that a look Monday, when I get back to the office.

Comment 11 Fedora Update System 2019-09-23 11:48:51 UTC
FEDORA-2019-997c85bf31 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-997c85bf31

Comment 12 Fedora Update System 2019-09-23 11:48:59 UTC
FEDORA-EPEL-2019-6e641aad91 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-6e641aad91

Comment 13 Fedora Update System 2019-09-23 11:49:03 UTC
FEDORA-2019-602c4a53d2 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-602c4a53d2

Comment 14 Fedora Update System 2019-09-23 11:49:11 UTC
FEDORA-EPEL-2019-625e654909 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-625e654909

Comment 15 Fedora Update System 2019-09-24 00:49:38 UTC
xrdp-0.9.11-5.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-22adff3c39

Comment 16 Fedora Update System 2019-09-24 01:23:53 UTC
xrdp-0.9.11-5.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-997c85bf31

Comment 17 Fedora Update System 2019-09-24 01:45:33 UTC
xrdp-0.9.11-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-625e654909

Comment 18 Fedora Update System 2019-09-24 03:03:47 UTC
xrdp-0.9.11-5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-602c4a53d2

Comment 19 Fedora Update System 2019-09-24 03:57:23 UTC
xrdp-0.9.11-5.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-6e641aad91

Comment 20 Fedora Update System 2019-10-02 00:46:42 UTC
xrdp-0.9.11-5.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2019-10-02 01:40:58 UTC
xrdp-0.9.11-5.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2019-10-02 01:59:27 UTC
xrdp-0.9.11-5.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2019-10-09 17:28:04 UTC
xrdp-0.9.11-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2019-10-09 18:55:28 UTC
xrdp-0.9.11-5.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
