Bug#745082: PAM fails in a fakechroot environment : insufficient permissions for audit

2015-10-06 Thread Sven Ulland
I reworked JH Chatenet's suggestion and submitted it upstream: 
. I'll try to reach 
the maintainer through various channels, as the last fakechroot 
repository log entry was in Jan 2014.


best wishes,
Sven Ulland



Bug#745082: PAM fails in a fakechroot environment : insufficient permissions for audit

2015-07-09 Thread jhcha54008
Hi,

chfn doesn't only give an error in a fakechroot environment, but passwd - 
and possibly every PAM invocation - too. The culprit seems to be libaudit1
linked to libpam. I was mistaken blaming a setuid executable.

The symptoms: chfn outputs an error line
chfn: PAM: System error
and there is no change in /etc/passwd
passwd outputs:
passwd: System error
passwd: password unchanged

after password update in /etc/shadow

The possible causes: chfn fails in function pam_authenticate and
passwd fails in function do_pam_passwd (which calls pam_chauthtok)

There appears a line in /var/log/auth.log :
... chfn[27952]: PAM audit_log_acct_message() failed: Operation not permitted
or
... passwd[3417]: PAM audit_log_acct_message() failed: Operation not permitted

The lines 49 in pam_auth.c 
retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
and 61 in pam_password.c (pam version 1.1.8-3.1)
retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
both return -1.
(_pam_auditlog calls _pam_audit_writelog which calls audit_log_acct_message)

The ultimate cause is function check_ack returning -EPERM (line 244 of file 
lib/netlink.c in audit version 1:4.2.2-1)

There is no error with the following workaround: with a file
fake_audit_log_acct_message.c
---8---8--
/* Stub: reports success to the caller without sending any audit record. */
int audit_log_acct_message(int audit_fd, int type, const char *pgname,
        const char *op, const char *name, unsigned int id,
        const char *host, const char *addr, const char *tty, int result)
{
        return 0;
}
---8---8--

$ gcc -c -fPIC fake_audit_log_acct_message.c
$ gcc -shared -Wl,-soname,libfakeaudit.so.0 -o libfakeaudit.so.0.0 \
 fake_audit_log_acct_message.o -lc

$ export LD_LIBRARY_PATH=$(readlink -f .)
$ export LD_PRELOAD=libfakeaudit.so.0.0
$ fakechroot fakeroot -s .fakeroot.state debootstrap --variant=fakechroot \
sid mychroot http://ftp.us.debian.org/debian
[ ... ]
$ echo $?
0
$ fakechroot fakeroot -i .fakeroot.state -s .fakeroot.state chroot mychroot
# adduser someone
# echo $?
0
# passwd someone
...
passwd: password updated successfully
# echo $?
0

I hope it helps!

Regards,
JH Chatenet
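
A narrower variant of the workaround above, as an added example that is not part of the original message or of fakechroot: it forwards to libaudit's real audit_log_acct_message through dlsym(RTLD_NEXT) and hides only the -EPERM result, so every other audit failure still reaches PAM. The helper name filter_audit_rc is hypothetical, and the code assumes the failure arrives as a return value of -EPERM, as the message describes for check_ack.

```c
/* Added example: narrower variant of fake_audit_log_acct_message.c. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* exposes RTLD_NEXT in <dlfcn.h> on glibc */
#endif
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>

#ifndef RTLD_NEXT               /* glibc's value, if feature macros were set earlier */
#define RTLD_NEXT ((void *) -1L)
#endif

typedef int (*acct_fn)(int, int, const char *, const char *, const char *,
                       unsigned int, const char *, const char *,
                       const char *, int);

/* Hypothetical helper: only "Operation not permitted" becomes success;
 * every other libaudit result is passed back to PAM unchanged. */
int filter_audit_rc(int rc)
{
    return rc == -EPERM ? 0 : rc;
}

int audit_log_acct_message(int audit_fd, int type, const char *pgname,
                           const char *op, const char *name, unsigned int id,
                           const char *host, const char *addr,
                           const char *tty, int result)
{
    static acct_fn real;

    /* Find the next definition of this symbol after the shim: libaudit's. */
    if (real == NULL)
        real = (acct_fn) dlsym(RTLD_NEXT, "audit_log_acct_message");

    /* libaudit is not loaded: nothing to forward to, behave like the stub. */
    if (real == NULL)
        return 0;

    return filter_audit_rc(real(audit_fd, type, pgname, op, name, id,
                                host, addr, tty, result));
}
```

It is built and preloaded with the same gcc and LD_PRELOAD steps as the stub above; on glibc older than 2.34 the link step also needs -ldl.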

