Your message dated Tue, 27 Feb 2007 19:02:04 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#412061: fixed in shadow 1:4.0.18.1-7 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: login Version: 1:4.0.18.1-6 Severity: normal I'm currently deploying Kerberos authentication in our group. I'm using libpam-krb5 in /etc/pam.d/common-* and have a problem with the Kerberos credential cache file being deleted when using 'su'. When logging in via login/gdm/kdm, the pam_krb5.so module puts the Kerberos5 credentials in a file like /tmp/krb5cc_1000, so all other processes can use those credentials directly without requiring another password entry. This file cache is creates by pam_acct_mgmt() and/or pam_open_session(). Using 'su - some_user' doesn't work as expected, since the cache file is deleted before executing the shell. Strace'ing a 'su' shows the following behaviour: open("/tmp/krb5cc_pam_N2kh8U", O_RDWR|O_CREAT|O_EXCL, 0600) = 4 # This is for the Ticket granting ticket unlink("/tmp/krb5cc_pam_N2kh8U") = 0 open("/tmp/krb5cc_pam_N2kh8U", O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0600) = 4 open("/tmp/krb5cc_pam_N2kh8U", O_RDWR) = 4 open("/tmp/krb5cc_1000_q9oTxG", O_RDWR|O_CREAT|O_EXCL, 0600) = 4 # This is the user's ticket open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4 open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4 open("/tmp/krb5cc_pam_N2kh8U", O_RDONLY) = 4 unlink("/tmp/krb5cc_1000_q9oTxG") = 0 open("/tmp/krb5cc_1000_q9oTxG", O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0600) = 4 # no idea why it is done a second time open("/tmp/krb5cc_1000_q9oTxG", O_RDWR) = 4 chown32("/tmp/krb5cc_1000_q9oTxG", 1000, 1000) = 0 open("/tmp/krb5cc_pam_N2kh8U", O_RDWR) = 4 unlink("/tmp/krb5cc_pam_N2kh8U") = 0 # the TGT is no longer needed clone(Process 25189 attached [pid 25189] open("/tmp/krb5cc_1000_q9oTxG", O_RDWR) = 3 [pid 25189] unlink("/tmp/krb5cc_1000_q9oTxG") = 0 ##### this is the culprit ##### [pid 25189] execve("/bin/bash", ["-su"], [/* 10 vars */]) = 0 ... Process 25189 detached open("/tmp/krb5cc_1000_q9oTxG", O_RDWR) = -1 ENOENT (No such file or directory) Taking a look at shadow-4.0.18.1/src/su.c:167 shows the following code: child = fork (); if (child == 0) { /* child shell */ pam_end (pamh, PAM_SUCCESS); <<<<<<<<<<<<<<<<<< if (doshell) (void) shell (shellstr, (char *) args[0], envp); else (void) execve (shellstr, (char **) args, envp); exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC); } ... waitpid(); ret = pam_close_session (pamh, 0); pam_end (pamh, ret); Calling pam_end() in the child closes the PAM session and by that deletes the credential cache. I think that is wrong. For example, take a look at what 'login' does in shadow-4.0.18.1/src/login.c:1009 child = fork (); if (child < 0) { ... } else if (child) { wait (NULL); PAM_END; exit (0); } /* child */ ... if ((tmp = getdef_str ("FAKE_SHELL")) != NULL) err = shell (tmp, pwent.pw_shell, newenvp); /* fake shell */ else /* exec the shell finally */ err = shell (pwent.pw_shell, (char *) 0, newenvp); exit (err == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC); No call to pam_end() for the child. Apple doesn't do it either: http://www.opensource.apple.com/darwinsource/WWDC2004/shell_cmds-55/su/su.c FreeBSD asks the same question: http://archives.neohapsis.com/archives/freebsd/2001-01/0348.html I haven't checked other PAM users (http://www.google.de/search?q=su.c+pam_end+fork), but I think just calling pam_end() in the child is wrong. The manual page of pam_end(3) has the following text on this: pam_end Terminate the Linux-PAM library. The service application associated with the pamh handle, is terminated. The argument, pam_status, passes the value most recently returned to the application from the library; it indicates the manner in which the library should be shutdown. Besides carrying a return value, this argument may be logically OR’d with PAM_DATA_SILENT to indicate that the module should not treat the call too seriously. It is generally used to indicate that the current closing of the library is in a fork(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc.). Note, the PAM_DATA_SILENT flag is pending acceptance with the DCE (as of 1996/12/4). And now the BUTs: 1. Grepping libpam-krb5-2.6 pam-0.79 shadow-4.0.18.1 for PAM_DATA_SILENT does not show anything interesting. It seems not to be implemented, so using is would be "right", but doesn't solve the problem. 2. Removing the pam_end() for the child solves the problem. Looking at pam-0.79/Linux-PAM/libpam/pam_end.c and pam-0.79/Linux-PAM/libpam/pam_data.c shows, that pam_end() mostly frees memory, but modules may do other things (as does pam_krb5, which unlinks it's cache file). Memory will not be leaked if the call is removed, since the child calls execve() and thus replaces the process image. It other resources like open files, which would get closed when pam_end() isn't called any more, but I don't know if a PAM-session might open files and have them put into the session context. I don't think so, but the documentation of PAM is week. 3. Before changing it, I would like some feedback from PAM and Kerberos5 experienced developers/maintainers. Sincerely Philipp Hahn -- System Information: Debian Release: 4.0 APT prefers unstable APT policy: (989, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.20.1-laptop Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages login depends on: ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries ii libpam-modules 0.79-4 Pluggable Authentication Modules f ii libpam-runtime 0.79-4 Runtime support for the PAM librar ii libpam0g 0.79-4 Pluggable Authentication Modules l ii libpam-krb5 2.6-1 PAM module for MIT Kerberos login recommends no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: shadow Source-Version: 1:4.0.18.1-7 We believe that the bug you reported is fixed in the latest version of shadow, which is due to be installed in the Debian FTP archive: login_4.0.18.1-7_i386.deb to pool/main/s/shadow/login_4.0.18.1-7_i386.deb passwd_4.0.18.1-7_i386.deb to pool/main/s/shadow/passwd_4.0.18.1-7_i386.deb shadow_4.0.18.1-7.diff.gz to pool/main/s/shadow/shadow_4.0.18.1-7.diff.gz shadow_4.0.18.1-7.dsc to pool/main/s/shadow/shadow_4.0.18.1-7.dsc A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Christian Perrier <[EMAIL PROTECTED]> (supplier of updated shadow package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Tue, 27 Feb 2007 06:51:44 +0100 Source: shadow Binary: login passwd Architecture: source i386 Version: 1:4.0.18.1-7 Distribution: unstable Urgency: low Maintainer: Shadow package maintainers <[EMAIL PROTECTED]> Changed-By: Christian Perrier <[EMAIL PROTECTED]> Description: login - system login tools passwd - change and administer password and group data Closes: 403210 412061 Changes: shadow (1:4.0.18.1-7) unstable; urgency=low . * The "Pélardon" release * Debian packaging fixes: - debian/recode_manpages.sh: Recode the Swedish manpages to ISO-8859-1. Closes: #403210 - 200_regenerate_manpages: Manually generate the man pages. This fixes the formatting of some pages (e.g. passwd.5); permits to propagate the Debian changes to the translated manpages; and to benefit from the fixes in the Swedish manpages (see 104_man-sv). * Upstream bugs fixed upstream: - 104_man-sv: Fix Swedish manpages's PO encoding (some characters were converted twice to UTF-8). * Upstream bugs or fixes not yet fixed in upstream releases or CVS: - 405_su_no_pam_end_before_exec: Avoid terminating the PAM library in the forked child. This is done later in the parent after closing the PAM session. With pam_krb5, this allow users to reuse the cached credential in the forked shell. Closes: #412061 Files: 1363241c0753173c70afb127492a1004 1102 admin required shadow_4.0.18.1-7.dsc 1ab34a76b362b812f8bcf37abbedbdb3 294495 admin required shadow_4.0.18.1-7.diff.gz 7578312df55c28a66c0091fe57fbd031 789268 admin required passwd_4.0.18.1-7_i386.deb 57d7b377d8405ee82b0a281e6bfc91d6 799252 admin required login_4.0.18.1-7_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF5GSc1OXtrMAUPS0RAgbIAKCmamo+MTJ/pKdrbG1Qe16U91I6IACfVOo9 pYVNsl9hXe61F6DJ/x1Zs3Y= =5kTw -----END PGP SIGNATURE-----
--- End Message ---
