Bug#492348: libpam-devperm: Breaks execution of at jobs
[Petter Reinholdtsen] So, I see two problems here - The pam module fail when there is no tty, and thus listing it as required in /etc/pam.d/common-session will fail with the current implementation. This is still an issue, and I suspect it need to be solved in the pam configuration, ie /etc/pam.d/current-session. It could be argued that a pam module that only work when a tty is available should not be required if you want pam to accept sessions without a tty. On the other hand, perhaps the module should accept to do nothing if no tty is available? On second thought, I believe the proper way to configure pam is to only use pam-devperm for the services providing ttys, and to _not_ list it in /etc/pam.d/current-session but in /etc/pam.d/login, /etc/pam.d/gdm, etc. Then at will not try to use the module and this work properly. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#492348: libpam-devperm: Breaks execution of at jobs
tags 492348 + patch
thanks
[Petter Reinholdtsen]
The back trace look like the function pointer __write_message is
NULL, and thus a call to the function fail. But as far as I can see,
it isn't a function pointer but a real function. Perhaps the dynamic
linker is confused?
I managed to track down the crash. It happen within
__write_message(). This patch solve the issue:
--- pam-devperm-1.6.orig/src/support.c
+++ pam-devperm-1.6/src/support.c
@@ -70,8 +70,9 @@
conv = (struct pam_conv *) conv_void;
if (retval == PAM_SUCCESS)
{
- retval = conv-conv (1, (const struct pam_message **)pmsg,
- resp, conv-appdata_ptr);
+ if (conv-conv)
+ retval = conv-conv (1, (const struct pam_message **)pmsg,
+resp, conv-appdata_ptr);
if (retval != PAM_SUCCESS)
return retval;
}
The call to notify the user application do not check if there is a
function to call, and thus fail.
So, I see two problems here
- The pam module fail when there is no tty, and thus listing it as
required in /etc/pam.d/common-session will fail with the current
implementation.
This is still an issue, and I suspect it need to be solved in the pam
configuration, ie /etc/pam.d/current-session. It could be argued that
a pam module that only work when a tty is available should not be
required if you want pam to accept sessions without a tty. On the
other hand, perhaps the module should accept to do nothing if no tty
is available?
- The pam module crashes when trying to write messages. No idea why.
This is solved with the above patch.
I plan to upload a new version of this package, and orphaning in the
process, as the current maintainer seem to be missing and have not
uploaded a new version since 2003.
Happy hacking,
--
Petter Reinholdtsen
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#492348: libpam-devperm: Breaks execution of at jobs
[Petter Reinholdtsen] On second thought, I believe the proper way to configure pam is to only use pam-devperm for the services providing ttys, and to _not_ list it in /etc/pam.d/current-session but in /etc/pam.d/login, /etc/pam.d/gdm, etc. Then at will not try to use the module and this work properly. I just got this confirmed by the author (Thorsten Kukuk): To your problem: pam_devperm cannot be put in the common section for all services, you can only put it in config files for special service, which allow a local login to the user (login, kdm, gdm). It does not makes sense to put it in a common section, it will break the applications of the local logged in user. He also mentioned that SUSE dropped pam-devperm two years ago in favor of pam_resmgr. JFYI. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#492348: libpam-devperm: Breaks execution of at jobs
I am able to reproduce this issue. I rebuild libpam-devperm with
debug symbols and ran 'valgrind atd -d' to get more details on the
crash, and this is the report:
==21819== Jump to the invalid address stated on the next line
==21819==at 0x0: ???
==21819==by 0x403339A: pam_sm_open_session (pam_devperm.c:137)
==21819==by 0x4042267: (within /lib/libpam.so.0.81.6)
==21819==by 0x40457EA: pam_open_session (in /lib/libpam.so.0.81.6)
==21819==by 0x80499F7: (within /usr/sbin/atd)
==21819==by 0x804A3D7: (within /usr/sbin/atd)
==21819==by 0x804A755: (within /usr/sbin/atd)
==21819==by 0x406044F: (below main) (in /lib/i686/cmov/libc-2.7.so)
==21819== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21819==
==21819== Process terminating with default action of signal 11 (SIGSEGV)
==21819== Bad permissions for mapped region at address 0x0
==21819==at 0x0: ???
==21819==by 0x403339A: pam_sm_open_session (pam_devperm.c:137)
==21819==by 0x4042267: (within /lib/libpam.so.0.81.6)
==21819==by 0x40457EA: pam_open_session (in /lib/libpam.so.0.81.6)
==21819==by 0x80499F7: (within /usr/sbin/atd)
==21819==by 0x804A3D7: (within /usr/sbin/atd)
==21819==by 0x804A755: (within /usr/sbin/atd)
==21819==by 0x406044F: (below main) (in /lib/i686/cmov/libc-2.7.so)
Line 137 is the call to __write_message() here:
retval = pam_get_item (pamh, PAM_TTY, (const void **)tty);
if (retval != PAM_SUCCESS || tty == NULL)
{
__write_message (pamh, flags, PAM_ERROR_MSG,
cannot determine user's tty);
return PAM_SERVICE_ERR;
}
The back trace look like the function pointer __write_message is
NULL, and thus a call to the function fail. But as far as I can see,
it isn't a function pointer but a real function. Perhaps the dynamic
linker is confused?
Commenting out the __write_message() call got rid of the crash, but
now I got Error in service module printed and the at job was still
not executed. Looking at the code, it is not obvious to me how to fix
this. It is not clear to me what the module should do when there is
no tty available, as it is when at jobs are executed. Perhaps talk to
the upstream developer about this?
So, I see two problems here
- The pam module fail when there is no tty, and thus listing it as
required in /etc/pam.d/common-session will fail with the current
implementation.
- The pam module crashes when trying to write messages. No idea why.
I hope this can help someone along to find a fix for this issue.
Happy hacking,
--
Petter Reinholdtsen
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#492348: libpam-devperm: Breaks execution of at jobs
Package: libpam-devperm Version: 1.5-2 Severity: critical Justification: breaks unrelated software Hello, as you can see in the bug description for Debian Bug #418560, at jobs are not executed if I include session required pam_devperm.so to my /etc/pam.d/common-session. I do not know if this is a problem in at or in libpam-devperm. Regards Christoph -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-6-686 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages libpam-devperm depends on: ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries libpam-devperm recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
