Bug 228054 - www/rubygem-passenger is missing passenger_native_support.so
Summary: www/rubygem-passenger is missing passenger_native_support.so
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Sergey A. Osokin
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2018-05-07 18:45 UTC by Mark Felder
Modified: 2019-12-02 11:54 UTC (History)
5 users (show)

See Also:
bugzilla: maintainer-feedback? (osa)


Attachments
ruby-passenger rework (4.66 KB, patch)
2018-05-09 20:32 UTC, Mark Felder
no flags Details | Diff
ruby-passenger rework (6.80 KB, patch)
2018-05-10 18:43 UTC, Mark Felder
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Felder freebsd_committer 2018-05-07 18:45:16 UTC
Hello,

Seems the www/rubygem-passenger package is missing the inclusion of passenger_native_support.so. As a result it will try to download it from the internet(!) which is a grave security concern:

App 94175 stderr:  [passenger_native_support.so] finding downloads for the current Ruby interpreter...
App 94175 stderr: 
App 94175 stderr:      (set PASSENGER_DOWNLOAD_NATIVE_SUPPORT_BINARY=0 to disable)
App 94175 stderr: 
App 94175 stderr:      Could not download https://oss-binaries.phusionpassenger.com/binaries/passenger/by_release/5.2.1/rubyext-ruby-2.4.4-x86_64-freebsd.tar.gz: no download tool found (curl or wget required)
App 94175 stderr:      Trying next mirror...
App 94175 stderr:      Could not download https://s3.amazonaws.com/phusion-passenger/binaries/passenger/by_release/5.2.1/rubyext-ruby-2.4.4-x86_64-freebsd.tar.gz: no download tool found (curl or wget required)
App 94175 stderr:  [passenger_native_support.so] will not be used (can't compile or download) 
App 94175 stderr: 
App 94175 stderr:   --> Passenger will still operate normally.

If someone happens to have wget or curl on their system they may not be seeing this issue as the download could be working, but it is unclear how the download is validated and if it is strict about requiring a trusted certificate authority.
Comment 1 Sergey A. Osokin freebsd_committer 2018-05-09 00:23:56 UTC
Hi Mark,

thanks for the report.

I've just tried to reproduce the issue, so I built and installed www/rubygem-passenger port with nginx flavor, found the shared object in place:

% ls -la /usr/local/lib/ruby/gems/2.4/gems/passenger/buildout/ruby/ruby-2.4.4-x86_64-freebsd/passenger_native_support.so
-rw-r--r--  1 root  wheel  17616  8 мая   20:18 /usr/local/lib/ruby/gems/2.4/gems/passenger/buildout/ruby/ruby-2.4.4-x86_64-freebsd/passenger_native_support.so

Could you provide more details how can I reproduce the issue.

Thanks.
Comment 2 Sergey A. Osokin freebsd_committer 2018-05-09 00:32:10 UTC
I've just built and installed the port with default apache flavor, everything looks fine as well:

% ls -la /usr/local/lib/ruby/gems/2.4/gems/passenger/buildout/ruby/ruby-2.4.4-x86_64-freebsd/passenger_native_support.so
-rw-r--r--  1 root  wheel  17616  8 мая   20:29 /usr/local/lib/ruby/gems/2.4/gems/passenger/buildout/ruby/ruby-2.4.4-x86_64-freebsd/passenger_native_support.so

Any glue?
Comment 3 Dan Langille freebsd_committer 2018-05-09 13:38:25 UTC
Note the 2.4.3 in Mark's post and the 2.4.4 mentioned in the tests above.
Comment 4 Mark Felder freebsd_committer 2018-05-09 17:27:06 UTC
I looked at the plist for the port and forgot to check if it was a rubygem which would additionally have its own automatic plist.

> pkg info -l rubygem-passenger-apache | grep passenger_native_support.so
	/usr/local/lib/ruby/gems/2.4/gems/passenger-5.2.1/buildout/ruby/ruby-2.4.3-x86_64-freebsd/passenger_native_support.so


hmm so now I wonder why this is refusing to be used. Is the /buildout/ directory the right place for this file? Have you ever seen this error?

I will check packages for other OSes to see if they differ.
Comment 5 Mark Felder freebsd_committer 2018-05-09 17:31:37 UTC
Here is the layout of the debian package. It has the library in a different place:

/usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/2.1.0/passenger_native_support.so

https://packages.debian.org/jessie/amd64/ruby-passenger/filelist


I think packaging the contents of the buildout directory is a mistake. Those files are not meant to be in the package, and the passenger_native_support.so library is not in a location that Ruby/Passenger will find.
Comment 6 Mark Felder freebsd_committer 2018-05-09 17:52:00 UTC
I wonder if we should be doing something closer to the way Gentoo is handling the packaging of Passenger? They seem to be able to avoid any custom installation of files/directories. It seems you can make rake do all the work for you.


https://github.com/gentoo/gentoo/blob/f96acfec9b38eb6fc822d42cd5fe820adbcfd676/www-apache/passenger/passenger-5.2.3.ebuild


I'll keep investigating...
Comment 7 Mark Felder freebsd_committer 2018-05-09 18:20:42 UTC
Ok, I think the Gentoo way is the right way to handle this. Here's the crux of the solution:

https://github.com/gentoo/gentoo/blob/f96acfec9b38eb6fc822d42cd5fe820adbcfd676/www-apache/passenger/files/passenger-5.1.11-gentoo.patch

Patch fakeroot similar to how they do it here, but make it point to STAGEDIR. Then we run do-build with "${RUBY} -S rake fakeroot" and it will build and install all of the files into the right locations. You end up with a layout like this, but we will have fakeroot be STAGEDIR:


root@111R-dev:/wrkdirs/usr/ports/www/rubygem-passenger/work-apache/passenger-5.2.3/pkg/fakeroot # find . -name passenger_native_support.so
./usr/lib/ruby/2.4/amd64-freebsd11/passenger_native_support.so


This looks correct and matching other platforms. Of course we need to make sure it's doing this into /usr/local, but that should be trivial.

This should simplify post-install.


Sergey I'm not an expert on ruby/passenger, so please let me know if I'm overlooking anything.
Comment 8 Mark Felder freebsd_committer 2018-05-09 20:32:48 UTC
Created attachment 193223 [details]
ruby-passenger rework

This is my suggested change to the port.

- Don't use the gem as the distfile; ignore this being a gem completely. This is how it is handled on Debian/RHEL/Gentoo
- Build similar to how Gentoo does it
- Install the Apache module correctly into the Apache module dir
- Automate the pkg-plist
- Rename the port/package to ruby-passenger instead of rubygem-passenger


This produces a result that seems more consistent with other projects packaging. I still need to do some runtime tests with this.
Comment 9 Mark Felder freebsd_committer 2018-05-10 18:43:52 UTC
Created attachment 193244 [details]
ruby-passenger rework

Patch in last comment was missing a new file
Comment 10 Sergey A. Osokin freebsd_committer 2018-05-10 21:15:50 UTC
Hi Mark,

looks good for me.

I'm not totally sure about new `ruby-passenger' name for the port.
Probably I missied something, so you can guide me.  My question here is do we have a naming convention to use `ruby-' prefix for such ports?
Can we use just `passenger' name for the port?

Thanks.
Comment 11 Dan Langille freebsd_committer 2018-05-10 21:23:05 UTC
I will be testing this at work with the system which first highlighted the problem.  This might take a few days, depending on the folks using said server.
Comment 12 Mark Felder freebsd_committer 2018-05-11 14:42:12 UTC
(In reply to Sergey A. Osokin from comment #10)

I don't have a strong opinion here. "passenger" would be fine as well.
Comment 13 Michael Kastner 2019-01-19 06:42:08 UTC
I am having problems with the binary package. This is on FreeBSD 12.0/ruby2.4.5/nginx1.14.2/passenger6.0.0 (quarterly branch)

I keep getting "ngx_modules" failed (Undefined symbol "ngx_modules") in /usr/local/etc/nginx/nginx.conf:20

The module is properly pointed to in the nginx.conf

load_module /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0/builout/ruby/ruby-2.4.5-x86_64-freebsd/passenger_native_support.so;


However when I build the module from the port everything works fine. However, then the module is locate here:

/usr/local/libexec/nginx/ngx_passenger.so

First of all, there still seems to be a bug in the rubygem-passenger-nginx package.

Second, why do the file locations for the binaries vary between binary package and port?
Comment 14 Jan Bramkamp 2019-02-25 19:34:57 UTC
I just ran into the same problem. Did you find a solution?
Comment 15 Steve Wills freebsd_committer 2019-02-25 21:45:02 UTC
(In reply to Sergey A. Osokin from comment #10)
We do have a history of naming ports with a "ruby-" prefix when they are not rubygem- based. This is the list I see currently:

audio/ruby-smf
audio/ruby-taglib
biology/ruby-bio
databases/ruby-bdb
databases/ruby-gdbm
databases/ruby-odbc
databases/ruby-qdbm
databases/ruby-tokyocabinet
databases/ruby-xapian
devel/ruby-bsearch
devel/ruby-build
devel/ruby-gems
devel/ruby-rbprof
devel/ruby-sdl
devel/ruby-setup.rb
devel/ruby-subversion
graphics/ruby-gd
japanese/ruby-romkan
japanese/ruby-uconv
security/ruby-camellia
textproc/ruby-escape
textproc/ruby-format
textproc/ruby-htree
textproc/ruby-rd-mode.el
textproc/ruby-rdtool
textproc/ruby-rttool
textproc/ruby-xmlparser

So, I think having ruby-passenger-apache and ruby-passenger-nginx packages would be fine.
Comment 16 Jan Bramkamp 2019-03-05 15:39:39 UTC
I reproduced the problem with version 6.0.2:

# service nginx configtest
Performing sanity check on nginx configuration:
nginx: [emerg] dlsym() "/usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.2/buildout/ruby/ruby-2.4.5-x86_64-freebsd/passenger_native_support.so", "ngx_modules" failed (Undefined symbol "ngx_modules") in /usr/local/etc/nginx/nginx.conf:4
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Comment 17 Dan Langille freebsd_committer 2019-03-07 15:13:44 UTC
(In reply to Dan Langille from comment #11)
I can confirm  this works for use on Apache 2.4 on FreeBSD 11.2:

LoadModule passenger_module /usr/local/libexec/apache24/mod_passenger.so

Previously, we had to use this, which needed to be updated with newer releases:

LoadModule passenger_module /usr/local/lib/ruby/gems/2.5/gems/passenger-6.0.0/buildout/apache2/mod_passenger.so


My nextgoal, can we get a static link for PassengerRoot:

PassengerRoot /usr/local/lib/ruby/gems/2.5/gems/passenger-6.0.0/

Again, with the goal of not having to update the Apache configuration with each new release.
Comment 18 Michael Kastner 2019-03-07 15:44:44 UTC
(In reply to Jan Bramkamp from comment #14)
Nope, sorry.
Comment 19 John Doe 2019-12-02 11:34:18 UTC
(In reply to Michael Kastner from comment #13)

I am facing the same issues.
Comment 20 Dan Langille freebsd_committer 2019-12-02 11:54:57 UTC
I know the static link is still an issue for us with each upgrade.