Bug#667470: systemd: breaks sudo
If I've understood the issue correctly, the current forwarded tag on this bug is wrong, in the sense that the fundamental underlying problem is in sudo, and so any possible forwarding waiting for upstream fix should point to a sudo bug. AFAIK this problem with libpam-systemd is caused by the same sudo bug as #648066 (and others). sudo incorrectly forks a child process, does the open side of pam authentication there, runs the command to execute in that child, and then runs the close side in the parent (which never saw anything about the open, so lacks the state stored from that!). The specific problem this behavior causes in the libpam-systemd case is that the fd received during the open phase (which is part of the pam session state) is closed on exec, terminating the session. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
On 09.04.2012 22:07, Michael Biebl wrote: Hello Michael, After upgrading from 37-1.1, many commands fail with error codes 143 or 129 under sudo, including sudo bash or sudo passwd root, meaning that the problem cannot easily be rectified or circumvented if root logins are disabled. Hence, I'm filing this at RC severity, feel free to downgrade if you cannot reproduce the problem. I think I've found something. This bug seems to happen only if if you use libpam-systemd. The reason why I didn't encounter this myself is because I've added pam_loginuid.so to my login and gdm3* pam config locally. Could you please update the pam configuration of login and/or the login manager you are using and include pam_loginuid *before* @include common-session. In my case I've changed /etc/pam.d/login and /etc/pam.d/gdm3* and added a line session requiredpam_loginuid.so just before @include common-session I'm interested to know if that fixes the problem for you, too. This fixes the issue for me as well. Best Regards, Bernhard -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
On Mon, 2012-04-09 at 22:07 +0200, Michael Biebl wrote: On 04.04.2012 12:43, Sven Joachim wrote: Package: systemd Version: 44-1 Severity: grave After upgrading from 37-1.1, many commands fail with error codes 143 or 129 under sudo, including sudo bash or sudo passwd root, meaning that the problem cannot easily be rectified or circumvented if root logins are disabled. Hence, I'm filing this at RC severity, feel free to downgrade if you cannot reproduce the problem. I think I've found something. This bug seems to happen only if if you use libpam-systemd. The reason why I didn't encounter this myself is because I've added pam_loginuid.so to my login and gdm3* pam config locally. Could you please update the pam configuration of login and/or the login manager you are using and include pam_loginuid *before* @include common-session. In my case I've changed /etc/pam.d/login and /etc/pam.d/gdm3* and added a line session requiredpam_loginuid.so just before @include common-session I'm interested to know if that fixes the problem for you, too. Cheers, Michael I added pam_loginuid.so to common-session-noninteractive before pam_systemd.so and it appears to work around the bug. Regards, -- Sam Morris s...@robots.org.uk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
On Tue, 2012-04-10 at 12:42 +0100, Sam Morris wrote: I added pam_loginuid.so to common-session-noninteractive before pam_systemd.so and it appears to work around the bug. Correction: adding pam_loginuid.so makes sudo work more often, but not always. It still fails about 75% of the time (very roughly). -- Sam Morris s...@robots.org.uk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
Package: systemd Version: 44-1 Followup-For: Bug #667470 I found adding pam_loginuid.so fixes the problem in all cases, except obvously for already running user sessions. I have plain added it to common-session and common-session-noninteractive. Is there an issue with adding it to common-session ? I saw you told to add it in gdm pam file but would not this let the login console sessions without a working sudo ? BR, Alban -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.3.0-rc5test0-00204-gae942ae (SMP w/2 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages systemd depends on: ii dpkg 1.16.2 ii initscripts 2.88dsf-22.1 ii libacl1 2.2.51-5 ii libaudit01:1.7.18-1.1 ii libc62.13-27 ii libcap2 1:2.22-1 ii libcryptsetup4 2:1.4.1-2 ii libdbus-1-3 1.5.12-1 ii libkmod2 6-2 ii liblzma5 5.1.1alpha+20110809-3 ii libpam0g 1.1.3-7 ii libselinux1 2.1.9-4 ii libsystemd-daemon0 44-1 ii libsystemd-id128-0 44-1 ii libsystemd-journal0 44-1 ii libsystemd-login044-1 ii libudev0 175-3.1 ii libwrap0 7.6.q-23 ii udev 175-3.1 ii util-linux 2.20.1-4 Versions of packages systemd recommends: ii libpam-systemd 44-1 Versions of packages systemd suggests: ii python 2.7.2-10 ii systemd-gui 44-1 -- Configuration Files: /etc/systemd/system.conf changed [not included] -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
On Tue, 2012-04-10 at 16:36 +0200, Alban Browaeys wrote:
Package: systemd
Version: 44-1
Followup-For: Bug #667470
I found adding pam_loginuid.so fixes the problem in all cases,
except obvously for already running user sessions.
I have plain added it to common-session and
common-session-noninteractive.
Is there an issue with adding it to common-session ? I saw you told to
add it in gdm pam file but would not this let the login console sessions
without a working sudo ?
BR,
Alban
Ah, I see what I did wrong now. I added it to /etc/pam.d/login and
indeed sudo now seems to work 100% of the time. The couple of tests I
performed earlier having added it
to /etc/pam.d/common-session-noninteractive only succeeded by chance.
Anyway, I'm very suspicious that sudo still works *sometimes* without
pam_loginuid.so and caution against papering over this bug, even if the
various owners of /etc/pam.d/{login,*dm,sshd} and so on can be persauded
to add pam_loginuid.so.
Regards,
--
Sam Morris s...@robots.org.uk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
On 2012-04-09 22:07 +0200, Michael Biebl wrote: This bug seems to happen only if if you use libpam-systemd. Certainly, disabling libpam-systemd helped (thanks for the tip, BTW). The reason why I didn't encounter this myself is because I've added pam_loginuid.so to my login and gdm3* pam config locally. Could you please update the pam configuration of login and/or the login manager you are using and include pam_loginuid *before* @include common-session. In my case I've changed /etc/pam.d/login and /etc/pam.d/gdm3* and added a line session requiredpam_loginuid.so just before @include common-session I'm interested to know if that fixes the problem for you, too. Tested with login, and it does indeed help. Cheers, Sven -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
Am 10.04.2012 16:36, schrieb Alban Browaeys: Package: systemd Version: 44-1 Followup-For: Bug #667470 I found adding pam_loginuid.so fixes the problem in all cases, except obvously for already running user sessions. I have plain added it to common-session and common-session-noninteractive. Is there an issue with adding it to common-session ? I saw you told to add it in gdm pam file but would not this let the login console sessions without a working sudo ? http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661745 signature.asc Description: OpenPGP digital signature
Bug#667470: systemd: breaks sudo
On 04.04.2012 12:43, Sven Joachim wrote: Package: systemd Version: 44-1 Severity: grave After upgrading from 37-1.1, many commands fail with error codes 143 or 129 under sudo, including sudo bash or sudo passwd root, meaning that the problem cannot easily be rectified or circumvented if root logins are disabled. Hence, I'm filing this at RC severity, feel free to downgrade if you cannot reproduce the problem. I think I've found something. This bug seems to happen only if if you use libpam-systemd. The reason why I didn't encounter this myself is because I've added pam_loginuid.so to my login and gdm3* pam config locally. Could you please update the pam configuration of login and/or the login manager you are using and include pam_loginuid *before* @include common-session. In my case I've changed /etc/pam.d/login and /etc/pam.d/gdm3* and added a line session requiredpam_loginuid.so just before @include common-session I'm interested to know if that fixes the problem for you, too. Cheers, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Bug#667470: systemd: breaks sudo
Package: systemd Version: 44-1 Severity: grave After upgrading from 37-1.1, many commands fail with error codes 143 or 129 under sudo, including sudo bash or sudo passwd root, meaning that the problem cannot easily be rectified or circumvented if root logins are disabled. Hence, I'm filing this at RC severity, feel free to downgrade if you cannot reproduce the problem. Attached is the output of strace -f sudo env run under root. It shows that sudo was SIGHUP'ed, but I have no idea why that happened. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (101, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 3.3.1-nouveau (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages systemd depends on: ii dpkg 1.16.2 ii initscripts 2.88dsf-22.1 ii libacl1 2.2.51-5 ii libaudit01:1.7.18-1.1 ii libc62.13-27 ii libcap2 1:2.22-1 ii libcryptsetup4 2:1.4.1-2 ii libdbus-1-3 1.5.12-1 ii libkmod2 6-2 ii liblzma5 5.1.1alpha+20110809-3 ii libpam0g 1.1.3-7 ii libselinux1 2.1.9-4 ii libsystemd-daemon0 44-1 ii libsystemd-id128-0 44-1 ii libsystemd-journal0 44-1 ii libsystemd-login044-1 ii libudev0 175-3.1 ii libwrap0 7.6.q-23 ii udev 175-3.1 ii util-linux 2.20.1-4 Versions of packages systemd recommends: ii libpam-systemd 44-1 Versions of packages systemd suggests: pn python 2.7.2-10 pn systemd-gui none -- no debconf information sudo_env.gz Description: strace of sudo env
Bug#667470: systemd: breaks sudo
Hi, I can reproduce this under wheezy when I install systemd from unstable. -Timo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#667470: systemd: breaks sudo
reassign 667470 libpam-systemd found 667470 44-1 forwarded 667470 https://bugs.freedesktop.org/show_bug.cgi?id=45670 thanks On 04.04.2012 12:43, Sven Joachim wrote: After upgrading from 37-1.1, many commands fail with error codes 143 or 129 under sudo, including sudo bash or sudo passwd root, meaning that the problem cannot easily be rectified or circumvented if root logins are disabled. Hence, I'm filing this at RC severity, feel free to downgrade if you cannot reproduce the problem. I've seen this problem myself some time ago (and filed the upstream bug report), so we added a workaround in 43-1, where we removed pam_systemd.so from /etc/pam.d/commen-session-noninteractive (which you can do yourself, if you rely on sudo). I wasn't able to reproduce the problem anymore so this workaround was removed again for the 44-1 upload. It's apparently pretty hard to reliably reproduce the bug, i.e. describe the circumstances/environment where this happens. -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Bug#667470: systemd: breaks sudo
I can reproduce the issue with exit code 143 on an unstable/experimental system (x86-64 with custom kernels 3.3 and 3.4-rc1). Interestingly it seems that I was able to run sudo echo Hello successfully once, so it does not seem to happen everytime (but that has really been the only time while testing where it worked). Further sudo invocations always returned with exit code 143. I might spend some time debugging that another day. If you need further system/environment information please contact me. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
