Re: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem) - Segmentation fault

Greetings,

* Chris Bandy (chris(dot)bandy(at)crunchydata(dot)com) wrote:
> Notice that host must be a TCP address (not Unix) and gssencmode must be
> "prefer" (default is "prefer".) The version of the server doesn't appear to
> matter; I tested 10, 11, and 12.

So, gssencmode didn't exist in 10 or 11- but are you actually testing
those different versions of *libpq*? That's really what is relevant
here, I believe, if libpq is actually even relevant at all...

> This has been reported in a variety of Ruby projects and often dismissed as
> "a PostgreSQL issue."

I'm really inclined to say that this isn't a PG issue...

> Based on that report, I crafted a minimal C program to make the same GSS
> call as libpq. I compiled (with deprecation warnings) and tested with the
> following:
>
> gcc macos-gss-crash.c -o macos-gss-crash -lgssapi_krb5
> ./macos-gss-crash

Particularly since that isn't linking against libpq and it's still
crashing.

I took the liberty to update the C code version to run on a Linux
system, and sure enough, it works just fine:

before gss_acquire_cred in main
after gss_acquire_cred in main
gss complete: true
before gss_acquire_cred in child
after gss_acquire_cred in child
gss complete: true
child exit code: 0

(also tested w/o having GSS creds and it still worked without a crash)

The only difference I needed to get it to compile on my Ubuntu box was
to add:

#include <sys/types.h>
#include <sys/wait.h>

and then compile as:

➜ ~ gcc macos-gss-crash.c -o macos-gss-crash -I /usr/include/mit-krb5 -L /usr/lib/x86_64-linux-gnu/mit-krb5 -lgssapi_krb5

> It prints:
>
> before gss_acquire_cred in main
> after gss_acquire_cred in main
> gss complete: true
> before gss_acquire_cred in child
> child signalled: 11
>
> I've attached the C program and crash reports for it and the above Ruby
> snippet.

Unfortunately, MacOS is pretty well known to be terrible about less
commonly used libraries and maintaining them. I'd suggest building a
current version of the Kerberos libraries, making sure you're linking
against just those and not whatever is provided by MacOS, and see if you
still have an issue.

The other possibility is that this is an current bug in Heimdal, which
seems to be the Kerberos library being used on MacOS, in which case
you'd need to bring up the issue with them.

There seems to be some indepedent confirmation of this being an issue
with the Heimdal provided by MacOS:

https://github.com/zenchild/gssapi/issues/12

The docs for gss_acquire_cred() don't seem to say much about what
happens when there's a fork():

https://docs.oracle.com/cd/E19683-01/816-1331/overview-141/index.html

If there's something we should be doing differently with
gss_acquire_cred() to "fix" this then I'm certainly open to it but I'm
really not sure what we'd do here; it seems pretty clearly to be some
issue where the Kerberos/Heimdal library being used is maintaining its
own state and getting confused after a fork happens.

Thanks,

Stephen