After compiling both pwdb and pam with -fstack-protector, pam fails with * ERROR: pam_pwdb module did not build. Using the selinux profile.

Reproducible: Always

Steps to Reproduce:
1. Emerge pam and pwdb with -fstack-protector

Actual Results: * ERROR: pam_pwdb module did not build.

Expected Results: It to compile with Propolice support

Portage 2.0.48-r1 (selinux-x86-1.4, [unavailable], glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20-xfs-r2 i686 AMD Athlon(tm) XP 1700+
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="crypt libwww mmx ncurses selinux zlib berkdb readline tcpd pam ssl perl python spell -nls -X -gtk -gnome -alsa -kde -qt mysql -apache2 gd png jpg gif xml xml2 x86"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-mcpu=athlon-xp -O2 -pipe -fstack-protector"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
ACCEPT_KEYWORDS="x86 ~x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache"
Az, we should make sys-libs/pwdb optional because only pam_radius.so and pam_pwdb.so need it anyway, and neither of these is really crucial. Please see my post to the -dev mailing list with respect to this. The subject was something like: "possibly trim sys-libs/pwdb from profiles"
by the way, the bug reporter is not correct, my PAM works just fine with propolice. the problem is just the pwdb crap.
*** Bug 24353 has been marked as a duplicate of this bug. ***
I ran into this the other day trying to recompile my x86 system using the propolice in gcc-3.3-r1. I thought it was a gcc-3.3 bug... Seems not to be the case. I double-checked this error on sparc64 as well, and using -fstack-protector there, it also fails.
I've added filter-flags "-fstack-protector" to the pwdb ebuilds. This should resolve the issue (for now).
so can we close this?
I'd think this could be closed now. It's a shame, however, that -fstack has to be filtered for pwdb. Anybody know the root reason why pwdb could not cope with the flag?
It smashes the stack at one point? Probably just a byte off in a string. (I have seen gcc 3.3 and higher smash the stack if you re-use arrays in different variables and use -O2 or higher.)
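An added example, not code from pwdb or pam, of the kind of one-byte overrun the comment above guesses at, beside the bounded form that does not trip the ProPolice canary. FIELD_LEN, the function names and the sample input are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8   /* assumed width of a fixed-size record field */

/* Off-by-one: the buffer is exactly FIELD_LEN bytes, so an input that
 * fills it gets its terminating NUL written one byte past the end.
 * Built with -fstack-protector, the canary gcc places right after local
 * arrays is overwritten and the program aborts with "stack smashing
 * detected" when this function returns. Without the flag the same bug
 * silently corrupts whatever follows the array. */
size_t field_len_unsafe(const char *src)
{
    char buf[FIELD_LEN];
    size_t n = strlen(src);
    if (n > FIELD_LEN)
        n = FIELD_LEN;
    memcpy(buf, src, n);
    buf[n] = '\0';                 /* n == FIELD_LEN: out of bounds */
    return strlen(buf);
}

/* Corrected form: the destination reserves room for the terminator and
 * the copy is bounded by FIELD_LEN, so index FIELD_LEN is always inside
 * the array. Returns 0 on success, -1 if the input had to be truncated
 * (the stored string is still NUL-terminated in that case). */
int field_copy(char dst[FIELD_LEN + 1], const char *src)
{
    size_t n = strlen(src);
    int truncated = 0;
    if (n > FIELD_LEN) {
        n = FIELD_LEN;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated ? -1 : 0;
}

int main(void)
{
    char out[FIELD_LEN + 1];
    /* constructed input: exactly FIELD_LEN characters, the case that
     * pushes the unsafe version's NUL one byte past its buffer */
    const char *name = "pwdbuser";
    printf("bounded copy: status %d, \"%s\"\n", field_copy(out, name), out);
    /* aborts at return when compiled with -fstack-protector */
    printf("unsafe copy: %zu\n", field_len_unsafe(name));
    return 0;
}
```

Compile once with and once without -fstack-protector to see the difference: the bounded copy behaves the same both times, the unsafe one aborts only under the protector, which is exactly the build-time failure reported here.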
The problem is pwdb in general. Security issues are one reason why we switched from pam_pwdb back to pam_unix...
Closing, as it is no longer an issue.