[BUG] Ohai passwd - segmentation fault at 0x0000000000000000

[fibd]

Description

Starting Chef Client, version 18.0.161 / 17.10.3 and ohai-cli yields a stacktrace.
This happens only when Passwd ohai module is in use with libnss-mysql.

Steps to Reproduce

Clean AlmaLinux 8.6 with uptodate packages.
Additionally libnss-mysql installed from EPEL (libnss-mysql 1.5-35.el8), configured with default settings:

/usr/share/doc/libnss-mysql/sample/linux/libnss-mysql-root.cfg
/usr/share/doc/libnss-mysql/sample/linux/libnss-mysql.cfg
/usr/share/doc/libnss-mysql/sample/linux/sample_database.sql

/etc/nsswitch.conf:

passwd:       files mysql
shadow:      files mysql
group:        files mysql

mariadb.x86_64                           3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-backup.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-common.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-connector-c.x86_64               3.1.11-2.el8_3                           @almalinux-appstream
mariadb-connector-c-config.noarch        3.1.11-2.el8_3                           @almalinux-appstream
mariadb-connector-c-devel.x86_64         3.1.11-2.el8_3                           @almalinux-appstream
mariadb-errmsg.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-gssapi-server.x86_64             3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-server.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-server-utils.x86_64              3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream

Additional informations

Creating test script based of: /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.0.20/lib/ohai/plugins/passwd.rb:

test.rb:

require "etc" unless defined?(Etc)
require "chef-utils/mash"

Mash = ChefUtils::Mash unless defined?(Mash)

etc = Mash.new

etc[:passwd] = Mash.new
etc[:group] = Mash.new

def fix_encoding(str)
  str.force_encoding(Encoding.default_external) if str.respond_to?(:force_encoding)
  str
end

etc[:passwd] = Mash.new
etc[:group] = Mash.new

Etc.passwd do |entry|
  user_passwd_entry = Mash.new(dir: entry.dir, gid: entry.gid, uid: entry.uid, shell: entry.shell, gecos: entry.gecos)
  user_passwd_entry.each_value { |v| fix_encoding(v) }
  entry_name = fix_encoding(entry.name)
  etc[:passwd][entry_name] = user_passwd_entry unless etc[:passwd].key?(entry_name)
end

print etc[:passwd]

Executing it directly using: /opt/chef/embedded/bin/ruby test.rb works as expected, all users are returned.

Ohai Version

ohai-18.0.20 / ohai-17.9.0

Platform Version

NAME="AlmaLinux"
VERSION="8.6 (Sky Tiger)"
ID="almalinux"
ID_LIKE="rhel centos fedora"

NAME="CloudLinux"
VERSION="8.6 (Leonid Kadenyuk)"
ID="cloudlinux"

Ohai Output

ohai -c /etc/chef/client.rb -l debug
https://gist.github.com/fibd/385c2fc855a3983bfc5bce775017cab9

[fibd]

AlmaLinux 8.6 use different OpenSSL version than ruby included in chef:

/opt/chef/embedded/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2zb  23 Sep 2021

System:

- **ruby**:
/usr/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.1.1k  FIPS 25 Mar 2021
- openssl version:
OpenSSL 1.1.1k  FIPS 25 Mar 2021

libnss_mysql.so is linked with /lib64/libmariadb.so.3 which is linked with system SSL - cause in default AlmaLinux is building mariadb-connector-c with SSL enabled thus it causes conflict with libraries, cause chef loads different libssl (/opt/chef/embedded/lib/libssl.so.1.0.0) and libnss_mysql.so load different one (/lib64/libssl.so.1.1) so result is segfault.

In my opinion provided ruby should be linked with system OpenSSL thus the problem wont exist.
To fix this issue I compiled mariadb-connector-c without SSL and linked it to libnss_mysql, so had to make two packages. Cause I dont use libnss_mysql everywhere I picked this solution as easiest one.

Regards