See text below or
the following URL
Opened by Jason Sauve
([EMAIL PROTECTED]) on 2004-09-10 11:00
-------
Additional Comment #1 From Jason Sauve ([EMAIL PROTECTED])
on 2004-09-10 13:06 -------
Here is an article I found that describes the origin of my problem in more detail: http://archives.neohapsis.com/archives/pam-list/2003-10/0039.html

On Thu, Oct 23, 2003 at 04:01:14PM +0100, David Lee wrote:
> OS: Mostly Redhat 9 but also Solaris 8. PAM/krb5 details at end of email.
>
> Although our passwd information on those RH and Solaris machines uses NIS,
> we recently migrated the authentication aspect from NIS to Kerberos (on
> Active Directory).
>
> Since then I have noticed that each machine's "/tmp" contains lots of
> files with names of the form "/tmp/krb5<NIS-domain>_<uid>_<random>" on
> Redhat (on Solaris it is the simpler "/tmp/krb5<NIS-domain>_<uid>").
> These seem to persist for days after the session that generates them has
> gone. Generally this is not a problem. But our email machines have a
> very high daily quantity of IMAP and POP sessions, so the sheer quantity
> of these files has a significant impact on filespace (we currently have
> over 350,000 such files on one machine).
>
> Presumably these files have no relevance after the initiating IMAP or POP
> session has gone away. Is there something we can do in PAM (or krb5.conf
> or elsewhere) so it tidies up after itself? Have we missed something?
>
> Currently we have (on Redhat):
>
> /etc/pam.d/imap:
> auth required pam_stack.so service=system-auth
> account required pam_stack.so service=system-auth
>
> /etc/pam.d/pop:
> auth required pam_stack.so service=system-auth
> account required pam_stack.so service=system-auth

Looks familiar. Whenever I've seen this problem, it's been a bug (deficiency) in the application, rather than the PAM module. It's very common with "sessionless" services, like POP and IMAP, which tend to call the PAM open calls and not clean up after themselves on the way out. A call to pam_setcred(PAM_DELETE_CRED) is almost certainly what's missing here.
-------
Additional Comment #2 From Jason Sauve ([EMAIL PROTECTED])
on 2004-09-10 14:39 -------
OK. There is DEFINITELY a problem with PAM Kerberos ticket cleanup in
the UW IMAP code.
I added the pam_setcred (hdl,PAM_DELETE_CRED); line below the
comment "// Added by Jason on 2004-10-10" to the source
file "/src/osdep/unix/ckp_pam.c", and "/src/osdep/unix/ckp_pmb.c" as
well, for when PAM authentication succeeds. The code already performed
a proper cleanup on a PAM failure. However, if PAM authentication
succeeds there is no need for the Kerberos ticket any longer. Without
my modification, the PAM library is not called to do any ticket
cleanup.
Can someone PLEASE confirm that this resolution is acceptable and
provide a RHN fix, as I'm not a source maintainer for either PAM or UW
IMAP. This is a serious issue for production level servers that use
UW IMAP coupled with PAM_KRB5, as EVERY individual POP3/IMAP access
causes disk space and inodes to be rapidly consumed under /tmp.
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
  pam_handle_t *hdl;
  struct pam_conv conv;
  struct checkpw_cred cred;
  conv.conv = &checkpw_conv;
  conv.appdata_ptr = &cred;
  cred.uname = pw->pw_name;
  cred.pass = pass;
  if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
                  pw->pw_name,&conv,&hdl) != PAM_SUCCESS) ||
      (pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) ||
      (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
      (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
      (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
                                /* clean up */
    pam_setcred (hdl,PAM_DELETE_CRED);
    pam_end (hdl,PAM_AUTH_ERR); /* failed */
    return NIL;
  }
                                // Added by Jason on 2004-10-10
                                /* authentication succeeded, so release the
                                 * Kerberos credentials (ticket cache) now */
  pam_setcred (hdl,PAM_DELETE_CRED);
#if 0
  /*
   * Some people have reported that this causes a SEGV in strncpy() from
   * pam_unix.so.1
   */
  /*
   * This pam_open_session() call is inconsistent with how we handle other
   * platforms, where we don't write [uw]tmp records.  However, unlike our
   * code on other platforms, pam_acct_mgmt() will check those records for
   * inactivity and deny the authentication.
   */
  pam_open_session (hdl,NIL);   /* make sure account doesn't go inactive */
#endif
                                /* arm hook to delete credentials */
  mail_parameters (NIL,SET_LOGOUTHOOK,(void *) checkpw_cleanup);
  mail_parameters (NIL,SET_LOGOUTDATA,(void *) hdl);
  return pw;
}
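The application-side fix above (pam_setcred with PAM_DELETE_CRED once the credentials are no longer needed, before pam_end) is the real remedy; until it is deployed, an operator still needs to know how bad the leak is and contain it. The following POSIX shell script is an added example, not part of this bug report or of the UW IMAP or pam_krb5 sources. It assumes the /tmp/krb5<NIS-domain>_<uid>[_<random>] naming described in the quoted mail; the directory it scans, the age threshold in days, and the file names it creates for the offline demo are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit and reap leaked pam_krb5 ticket caches left behind
# by sessionless services (POP/IMAP) that never call pam_setcred(PAM_DELETE_CRED).
# Assumed naming pattern (from the thread): krb5<NIS-domain>_<uid>[_<random>].

# Count cache files matching the pattern at the top level of a directory.
count_krb5_caches() {
    find "$1" -maxdepth 1 -type f -name 'krb5*_*' | wc -l | tr -d ' '
}

# List the uids owning the most leaked caches (top N, default 5), one
# "<count> <uid>" line each, to see which accounts/services are affected.
top_cache_owners() {
    find "$1" -maxdepth 1 -type f -name 'krb5*_*' \
        | sed -n 's/.*krb5[^_]*_\([0-9][0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" \
        | awk '{print $1, $2}'
}

# Remove matching caches older than N days (find -mtime +N) and print how
# many were removed. Only plain files with the expected name are touched.
reap_stale_caches() {
    dir=$1
    days=$2
    before=$(count_krb5_caches "$dir")
    find "$dir" -maxdepth 1 -type f -name 'krb5*_*' -mtime +"$days" -exec rm -f {} +
    after=$(count_krb5_caches "$dir")
    echo $((before - after))
}

# Build a constructed sample directory so the script can be exercised offline:
# three fresh caches, two caches back-dated to 2004 (stale), one unrelated file.
make_sample_dir() {
    d=$(mktemp -d)
    for f in krb5example.com_1001_abc123 krb5example.com_1001_def456 krb5example.com_1002_ghi789; do
        : > "$d/$f"
    done
    for f in krb5example.com_1001_old1 krb5example.com_1003_old2; do
        : > "$d/$f"
        touch -t 200401010000 "$d/$f"
    done
    : > "$d/unrelated.txt"
    echo "$d"
}

# Demo run (only when invoked as: sh script.sh demo); on a real server you
# would point these functions at /tmp instead of the constructed directory.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_dir)
    echo "caches before: $(count_krb5_caches "$sample")"
    echo "top owners:"; top_cache_owners "$sample" 3
    echo "reaped: $(reap_stale_caches "$sample" 1)"
    echo "caches after: $(count_krb5_caches "$sample")"
    rm -rf "$sample"
fi
```

Run the audit functions read-only first (count_krb5_caches and top_cache_owners) to confirm the file naming on your host matches the assumed pattern before enabling reap_stale_caches from cron; a threshold of one day is generous for POP/IMAP sessions, which are over in seconds, and the pattern is deliberately narrow so that unrelated files in /tmp are never considered.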