Public bug reported:

During PAM processing of any request (auth, acct, or session), the
function audit_log_acct_message() (from
/lib/i386-linux-gnu/libaudit.so.1) is called to audit the event. One of
the variables that can be used during audit logging is the hostname of
the requester (PAM_RHOST). The audit_log_acct_message() function tries
to resolve this hostname if the address is still not known, but when the
DNS server is not reachable or the query returns SERVFAIL, the system
tries a couple of times before aborting the process of name resolution,
which leads to time wasted by PAM waiting for the return of
audit_log_acct_message(). In some cases, this wasted time causes the
requester application to time out, for example a VPN user.

This issue happened to me while testing a VPN solution using pppd, and
at the same time the DNS server was down. The VPN client was timing out
during the user/pass verification phase, and by looking at the pppd
debug logs it was because of very slow PAM processing. At the same time,
I could see the server was sending strange DNS queries about "ppp0".
(pppd includes the dynamic interface name as the PAM_RHOST when calling
PAM.)

Summary of events:
1-pppd passes user/pass to PAM for auth
2-PAM processes auth
3-PAM audits the event  <- time wasted waiting for DNS (>5 seconds)
(...)->the process is repeated for PAM acct and session checks.

By the way, if the DNS server responds with NXDOMAIN, the resolver
aborts immediately and the stuck issue is not seen. This, I think, is
what happens in most cases.

I wonder if PAM can be improved by making a non-blocking call to
audit_log_acct_message().

Packages:
libpam0g:i386  - 1.1.8-1ubuntu2.2
libaudit1:i386   - 1:2.3.2-2ubuntu1

# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

Backtrace attached using pppd example.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: blocking dns gethostbyname pam pppd query stuck

** Attachment added: "backtrace_pppd_gethostbyname.txt"
   https://bugs.launchpad.net/bugs/1571903/+attachment/4639556/+files/backtrace_pppd_gethostbyname.txt

https://bugs.launchpad.net/bugs/1571903

Title:
  PAM gets stuck waiting for audit_log_acct_message()
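
The report describes pppd handing the interface name "ppp0" to PAM as PAM_RHOST, which the audit path then tries to resolve through DNS. As an added example (not code from PAM, libaudit, pppd or the reporter), the sketch below shows a caller-side check that separates address literals from names without ever contacting a name server; `rhost_numeric_addr` is a hypothetical helper name and the sample values in `main` are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical helper: if rhost is an IPv4/IPv6 literal, write its
 * normalized numeric form to addr and return 1. Return 0 for anything
 * else (a host name, an interface name such as "ppp0", NULL, "").
 * AI_NUMERICHOST forbids name-service lookups, so the call returns at
 * once even when the DNS server is down or answering SERVFAIL. */
int rhost_numeric_addr(const char *rhost, char *addr, size_t addrlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    if (rhost == NULL || *rhost == '\0' || addr == NULL || addrlen == 0)
        return 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;       /* accept IPv4 and IPv6 literals */
    hints.ai_socktype = SOCK_STREAM;   /* one result per address */
    hints.ai_flags = AI_NUMERICHOST;   /* parse only, never query DNS */

    if (getaddrinfo(rhost, NULL, &hints, &res) != 0)
        return 0;                      /* not a literal, e.g. "ppp0" */

    rc = getnameinfo(res->ai_addr, res->ai_addrlen, addr,
                     (socklen_t)addrlen, NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0;
}

int main(void)
{
    /* Constructed sample PAM_RHOST values. */
    const char *samples[] = { "192.0.2.10", "2001:db8::1", "ppp0" };
    char addr[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (rhost_numeric_addr(samples[i], addr, sizeof(addr)))
            printf("%-12s address literal, addr=%s\n", samples[i], addr);
        else
            printf("%-12s name, would need a resolver query\n", samples[i]);
    }
    return 0;
}
```

A value that fails this check is the case the report hits: resolving it is what blocks when the resolver retries.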
