Bug#492348: libpam-devperm: Breaks execution of at jobs
[Petter Reinholdtsen]
> On second thought, I believe the proper way to configure pam is to
> only use pam-devperm for the services providing ttys, and to _not_
> list it in /etc/pam.d/current-session but in /etc/pam.d/login,
> /etc/pam.d/gdm, etc.  Then at will not try to use the module and
> this works properly.

I just got this confirmed by the author (Thorsten Kukuk):

  To your problem: pam_devperm cannot be put in the common section for
  all services, you can only put it in config files for special
  service, which allow a local login to the user (login, kdm, gdm).
  It does not make sense to put it in a common section, it will break
  the applications of the local logged in user.

He also mentioned that SUSE dropped pam-devperm two years ago in favor
of pam_resmgr.  JFYI.

Happy hacking,
--
Petter Reinholdtsen
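A check for the placement rule confirmed in the message above, as an added example that is not part of the original thread: it flags every file in a pam.d directory that enables pam_devperm.so outside the local-login services the upstream author names (login, kdm, gdm) and lists the services that inherit it through Debian-style `@include` lines. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit pam_devperm placement.
# ALLOWED: the local-login services named by the upstream author.
ALLOWED="login kdm gdm"
# An active (non-comment) line that references the module.
ACTIVE='^[[:space:]]*[^#[:space:]].*pam_devperm\.so'

# audit_devperm DIR prints one line per finding:
#   OK  <file>            module enabled in an allowed service
#   BAD <file>            module enabled anywhere else (e.g. common-session)
#   VIA <service> <file>  service inherits a BAD file through @include
# Returns 1 if any BAD entry exists, 0 otherwise.
audit_devperm() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$ACTIVE" "$f" || continue
        name=${f##*/}
        case " $ALLOWED " in
            *" $name "*) echo "OK $name" ;;
            *)  echo "BAD $name"
                status=1
                for g in "$dir"/*; do
                    [ -f "$g" ] || continue
                    if grep -Eq "^@include[[:space:]]+$name([[:space:]]|\$)" "$g"; then
                        echo "VIA ${g##*/} $name"
                    fi
                done ;;
        esac
    done
    return "$status"
}

# Constructed sample layout (assumes Debian-style @include usage).
make_sample() {
    d=$(mktemp -d)
    printf 'session required pam_devperm.so\n'   > "$d/common-session"
    printf '@include common-session\n'           > "$d/atd"
    printf 'session required pam_devperm.so\n'   > "$d/login"
    printf '# session required pam_devperm.so\n' > "$d/gdm"
    echo "$d"
}

# Demo on the sample; on a real system run: audit_devperm /etc/pam.d
demo_dir=$(make_sample)
audit_devperm "$demo_dir" || true
rm -r "$demo_dir"
```

A `VIA atd common-session` line is the situation reported in this bug: a service without a tty picks up the module from the shared session file.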
Bug#492348: libpam-devperm: Breaks execution of at jobs
[Petter Reinholdtsen]
>> So, I see two problems here
>>
>>  - The pam module fails when there is no tty, and thus listing it as
>>    required in /etc/pam.d/common-session will fail with the current
>>    implementation.
>
> This is still an issue, and I suspect it needs to be solved in the
> pam configuration, ie /etc/pam.d/current-session.  It could be
> argued that a pam module that only works when a tty is available
> should not be required if you want pam to accept sessions without a
> tty.  On the other hand, perhaps the module should accept to do
> nothing if no tty is available?

On second thought, I believe the proper way to configure pam is to
only use pam-devperm for the services providing ttys, and to _not_
list it in /etc/pam.d/current-session but in /etc/pam.d/login,
/etc/pam.d/gdm, etc.  Then at will not try to use the module and
this works properly.

Happy hacking,
--
Petter Reinholdtsen
Bug#492348: libpam-devperm: Breaks execution of at jobs
tags 492348 + patch
thanks

[Petter Reinholdtsen]
> The back trace looks like the function "pointer" __write_message is
> NULL, and thus a call to the function fails.  But as far as I can see,
> it isn't a function pointer but a real function.  Perhaps the dynamic
> linker is confused?

I managed to track down the crash.  It happens within
__write_message().  This patch solves the issue:

--- pam-devperm-1.6.orig/src/support.c +++ pam-devperm-1.6/src/support.c @@ -70,8 +70,9 @@ conv = (struct pam_conv *) conv_void; if (retval == PAM_SUCCESS) { - retval = conv->conv (1, (const struct pam_message **)pmsg, - &resp, conv->appdata_ptr); + if (conv->conv) + retval = conv->conv (1, (const struct pam_message **)pmsg, +&resp, conv->appdata_ptr); if (retval != PAM_SUCCESS) return retval; }

The call to notify the user application does not check if there is a
function to call, and thus fails.

> So, I see two problems here
>
>  - The pam module fails when there is no tty, and thus listing it as
>    required in /etc/pam.d/common-session will fail with the current
>    implementation.

This is still an issue, and I suspect it needs to be solved in the
pam configuration, ie /etc/pam.d/current-session.  It could be
argued that a pam module that only works when a tty is available
should not be required if you want pam to accept sessions without a
tty.  On the other hand, perhaps the module should accept to do
nothing if no tty is available?

>  - The pam module crashes when trying to write messages.  No idea why.

This is solved with the above patch.

I plan to upload a new version of this package, and orphaning in the
process, as the current maintainer seems to be missing and has not
uploaded a new version since 2003.

Happy hacking,
--
Petter Reinholdtsen
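Review bot: the new `if (conv->conv)` guard in the src/support.c hunk tests the callback but not `conv` itself, so if `conv_void` is NULL the guard still dereferences a null pointer; testing `conv && conv->conv` would cover both cases. When the callback is NULL the call is now skipped and `retval` keeps the PAM_SUCCESS it had on entering the block, so the function carries on as if the message had been delivered and `resp` is never written by a conversation function. If code after this block reads or frees `resp`, it should be initialised to NULL beforehand, and it is worth deciding explicitly whether a missing conversation function should succeed silently or return PAM_CONV_ERR, with a one-line comment recording that choice.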
Bug#492348: libpam-devperm: Breaks execution of at jobs
I am able to reproduce this issue.  I rebuilt libpam-devperm with debug
symbols and ran 'valgrind atd -d' to get more details on the crash,
and this is the report:

  ==21819== Jump to the invalid address stated on the next line
  ==21819==    at 0x0: ???
  ==21819==    by 0x403339A: pam_sm_open_session (pam_devperm.c:137)
  ==21819==    by 0x4042267: (within /lib/libpam.so.0.81.6)
  ==21819==    by 0x40457EA: pam_open_session (in /lib/libpam.so.0.81.6)
  ==21819==    by 0x80499F7: (within /usr/sbin/atd)
  ==21819==    by 0x804A3D7: (within /usr/sbin/atd)
  ==21819==    by 0x804A755: (within /usr/sbin/atd)
  ==21819==    by 0x406044F: (below main) (in /lib/i686/cmov/libc-2.7.so)
  ==21819== Address 0x0 is not stack'd, malloc'd or (recently) free'd
  ==21819==
  ==21819== Process terminating with default action of signal 11 (SIGSEGV)
  ==21819== Bad permissions for mapped region at address 0x0
  ==21819==    at 0x0: ???
  ==21819==    by 0x403339A: pam_sm_open_session (pam_devperm.c:137)
  ==21819==    by 0x4042267: (within /lib/libpam.so.0.81.6)
  ==21819==    by 0x40457EA: pam_open_session (in /lib/libpam.so.0.81.6)
  ==21819==    by 0x80499F7: (within /usr/sbin/atd)
  ==21819==    by 0x804A3D7: (within /usr/sbin/atd)
  ==21819==    by 0x804A755: (within /usr/sbin/atd)
  ==21819==    by 0x406044F: (below main) (in /lib/i686/cmov/libc-2.7.so)

Line 137 is the call to __write_message() here:

  retval = pam_get_item (pamh, PAM_TTY, (const void **)&tty);
  if (retval != PAM_SUCCESS || tty == NULL)
    {
      __write_message (pamh, flags, PAM_ERROR_MSG,
                       "cannot determine user's tty");
      return PAM_SERVICE_ERR;
    }

The back trace looks like the function "pointer" __write_message is
NULL, and thus a call to the function fails.  But as far as I can see,
it isn't a function pointer but a real function.  Perhaps the dynamic
linker is confused?

Commenting out the __write_message() call got rid of the crash, but
now I got "Error in service module" printed and the at job was still
not executed.

Looking at the code, it is not obvious to me how to fix this.  It is
not clear to me what the module should do when there is no tty
available, as it is when at jobs are executed.  Perhaps talk to the
upstream developer about this?

So, I see two problems here

 - The pam module fails when there is no tty, and thus listing it as
   required in /etc/pam.d/common-session will fail with the current
   implementation.

 - The pam module crashes when trying to write messages.  No idea why.

I hope this can help someone along to find a fix for this issue.

Happy hacking,
--
Petter Reinholdtsen
Bug#492348: libpam-devperm: Breaks execution of at jobs
Package: libpam-devperm
Version: 1.5-2
Severity: critical
Justification: breaks unrelated software

Hello,

as you can see in the bug description for Debian Bug #418560, at jobs
are not executed if I include "session required pam_devperm.so" to my
/etc/pam.d/common-session. I do not know if this is a problem in at or
in libpam-devperm.

Regards
Christoph

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-devperm depends on:
ii  libc6  2.3.6.ds1-13etch5  GNU C Library: Shared libraries

libpam-devperm recommends no packages.

-- no debconf information