On 08/05/2016 07:41 PM, Petter Reinholdtsen wrote:
>
> Package: libpam-abl
> Version: 0.6.0-3
>
> Hi. I discovered this problem when trying to log into a long neglected
> FreedomBox. I am unable to log in on the console, and these lines show
> up after I enter the user name:
>
> pam-abl: BDB1546 unable to join the environment
> pam-abl: BDB0137 write: 07fd282048091, 25: No space left on device
>
> This makes me suspect pam-abl does not handle a full disk well. What is
> expected to happen with libpam-abl enabled when the disk is full?
>
> I'm unable to provide more details, as I am unable to get into the
> machine. :(
>
Hi Petter,
I wasn't able to reproduce the problem with libpam-abl 0.6.0-5 and stretch.
A user can login via ssh without any messages.
Via console I do get the messages, but I am still able to log in even for
the user blocked via ssh.
Here is my testing setup.
On the ssh server with pam_abl:
dd if=/dev/zero of=/finishit
dd: writing to 'finishit': No space left on device
188833+0 records in
188832+0 records out
96681984 bytes (97 MB, 92 MiB) copied, 0.583207 s, 166 MB/s
df -h | egrep -v 'tmpfs|udev'
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 2.0G 2.0G 0 100% /
root@abltest:~# pam_abl
Bus error
root@abltest:~# pam_abl
pam-abl: BDB0137 write: 0x7ffd5d49d85f, 1: No space left on device
No space left on device (28) while opening the database environment
No space left on device (28) while Creating database environment.
root@abltest:~# pam_abl
pam-abl: BDB1546 unable to join the environment
pam-abl: BDB1546 unable to join the environment
pam-abl: BDB0137 write: 0x7ffdc7c1ba5f, 1: No space left on device
No space left on device (28) while opening the database environment
No space left on device (28) while Creating database environment
client side:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no alex@localhost -p 3023
alex@abltest:~$
alex@abltest:~$ echo >test
-bash: echo: write error: No space left on device
I must confirm that pam_abl is not functional when there is no free
space for the database update, so an attacker can use a brute-force
attack without being blocked by pam_abl.
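
A log check for the fail-open condition confirmed above, as an added example that is not part of the original message or of pam_abl: it finds the first pam-abl Berkeley DB error and counts the sshd password failures that followed it, which pam_abl could not record. It assumes the pam-abl messages reach the same log as sshd's; the syslog prefix, timestamps and addresses in the sample are constructed.

```python
import re
from collections import Counter

# pam-abl Berkeley DB errors, as quoted in this thread (BDB0137 / BDB1546).
ABL_ERR = re.compile(
    r"pam-abl: BDB\d+ .*(No space left on device|unable to join the environment)")
# Standard OpenSSH failed-password message.
SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def untracked_failures(lines):
    """Return (index of first pam-abl DB error, Counter of source -> failed
    logins seen after it). Failures before the error are ignored, since
    pam_abl was still able to record them."""
    first_err, fails = None, Counter()
    for i, line in enumerate(lines):
        if ABL_ERR.search(line):
            if first_err is None:
                first_err = i
        elif first_err is not None:
            m = SSH_FAIL.search(line)
            if m:
                fails[m.group(2)] += 1
    return first_err, fails

def sources_to_review(lines, threshold=3):
    """Sources with at least `threshold` failures while blocking was inactive.
    The threshold is an assumed value, not a pam_abl setting."""
    _, fails = untracked_failures(lines)
    return sorted(src for src, n in fails.items() if n >= threshold)

# Constructed sample log (assumed syslog layout, documentation addresses).
SAMPLE = """\
Aug  6 10:00:01 abltest sshd[811]: Failed password for alex from 192.0.2.10 port 40112 ssh2
Aug  6 10:02:13 abltest sshd[830]: pam-abl: BDB0137 write: 0x7ffd5d49d85f, 1: No space left on device
Aug  6 10:02:13 abltest sshd[830]: pam-abl: BDB1546 unable to join the environment
Aug  6 10:02:15 abltest sshd[830]: Failed password for alex from 192.0.2.10 port 40120 ssh2
Aug  6 10:02:17 abltest sshd[832]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Aug  6 10:02:19 abltest sshd[834]: Failed password for root from 192.0.2.10 port 40124 ssh2
Aug  6 10:02:30 abltest sshd[840]: Failed password for alex from 198.51.100.7 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    idx, fails = untracked_failures(SAMPLE)
    print("first pam-abl DB error at line", idx)
    for src, n in fails.most_common():
        print(f"{src}: {n} failed logins not recorded by pam_abl")
    print("review:", sources_to_review(SAMPLE))
```

The window is treated as open from the first error to the end of the input, because the messages in this thread give no signal that the database has become writable again.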