Comment 1 Andreas Proschofsky (RETIRED) 2011-09-01 21:01:22 UTC

Same here, X won't load anymore so this is pretty severe.

Same here

compiling openrc without pam useflag, around the problem

Same thing here. Has to downgrade openrc to previous version.

Portage 2.1.10.11 (default/linux/x86/10.0/desktop/kde, gcc-4.5.3, glibc-2.13-r4, 3.0.4 i686)
=================================================================
System uname: Linux-3.0.4-i686-Intel-R-_Pentium-R-_4_CPU_3.20GHz-with-gentoo-2.0.3
Timestamp of tree: Thu, 01 Sep 2011 19:15:01 +0000
ccache version 3.1.6 [enabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r2, 3.2-r2
dev-util/ccache:          3.1.6
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo x-my
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -msse3 -mmmx -pipe --param l2-cache-size=2048 -mfpmath=sse,387 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -msse3 -mmmx -pipe --param l2-cache-size=2048 -mfpmath=sse,387 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="assume-digests binpkg-logs ccache distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="ru_RU.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/my"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aften alsa amr ass audio bash-completion branding bzip2 cairo cdda cdr cleartype consolekit cracklib crypt css cups cxx dbus declarative djvu dri dts dv dvd dvdr encode exif faac faad fam fat ffmpeg firefox flac gdu gif gpm gstreamer gzip iconv id3tag ieee1394 imagemagick ipv6 jack java jpeg kde kipi ladspa lame lash lcms libnotify lm_sensors lzma lzo mad matroska midi mmx mng modules mp3 mp4 mpeg mplayer mudflap ncurses nls nptl nptlonly ntfs nvidia ogg opengl openmp pam pango pcre pdf phonon pie plasma png policykit ppds pppd qt3support qt4 quicktime rar readline scanner sdl session sse sse2 sse3 ssl startup-notification svg sysfs tcpd theora threads tiff toolame truetype twolame udev unicode usb vorbis vpx wav wavpack win32codecs x264 x86 xcb xcomposite xml xorg xscreensaver xulrunner xv xvid xvmc zip zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Created attachment 285293 [details]
start-stop-daemon.pam

Fixed File for sys-apps/openrc-0.9.0, for pam access ok, with use pam activated

Comment 5 Jeremy Olexa (darkside) (RETIRED) 2011-09-01 22:38:07 UTC

*** Bug 381493 has been marked as a duplicate of this bug. ***

Comment 6 Anthony Basile 2011-09-01 22:44:20 UTC

We caught this and it will be fixed in 0.9.1 which WilliamH is pushing out now.

For the records, here's what's going on.

The new pam.d/start-stop-daemon reads

   account required pam_permit.so
   session include system-services


But src/rc/start-stop-daemon.c was still checking pam_authenticate().  These leads to the authentication failure.  This shouldn't even be there because start-stop-daemon doesn't every authenticate!  So, the following patch fixed it:

diff --git a/src/rc/start-stop-daemon.c b/src/rc/start-stop-daemon.c
index da2a81a..b6316ec 100644
--- a/src/rc/start-stop-daemon.c
+++ b/src/rc/start-stop-daemon.c
@@ -1184,8 +1184,6 @@ start_stop_daemon(int argc, char **argv)
 			    "nobody", &conv, &pamh);
 
 		if (pamr == PAM_SUCCESS)
-			pamr = pam_authenticate(pamh, PAM_SILENT);
-		if (pamr == PAM_SUCCESS)
 			pamr = pam_acct_mgmt(pamh, PAM_SILENT);
 		if (pamr == PAM_SUCCESS)
 			pamr = pam_open_session(pamh, PAM_SILENT);


Thanks to Flameeyes who immediately figured that openrc must be dealing with pam incorrectly.

Comment 7 Anthony Basile 2011-09-01 22:47:14 UTC

(In reply to comment #4)
> Created attachment 285293 [details]
> start-stop-daemon.pam
> 
> Fixed File for sys-apps/openrc-0.9.0, for pam access ok, with use pam activated

This patch does work, but its not the correct solution.  start-stop-daemon should not be doing any auth or passwd, which is why we reduced start-stop-daemon in the first place.  We missed the accompanying fix of the previous comment.

Comment 8 Christian Ruppert (idl0r) 2011-09-02 03:41:57 UTC

*** Bug 381497 has been marked as a duplicate of this bug. ***

> Thanks to Flameeyes who immediately figured that openrc must be dealing with
> pam incorrectly.
Yeah lol immediately after killing all ~arch users who updated world yesterday... those reporting here are just those who recovered - there must be zillions left skimming all corners for rescue discs, l0l.
big mishap - but after all it's called 'ble3ding edge' for a reason ;)

Critical packages as this one should get extra QA testing, before being available with keywords and non-pmasked.

Comment 11 William Hubbs 2011-09-02 12:02:20 UTC

(In reply to comment #10)
> Critical packages as this one should get extra QA testing, before being
> available with keywords and non-pmasked.

If you want to minimize the breakages you have, do not run ~arch. There will be breakages sometimes, and they will hit ~arch first.

Yes, I agree this was a major breakage, but the fix was in the tree, and the broken version was removed in a reasonable amount of time as far as I can tell.

I disagree with your statement that we need to add another layer of testing to this package before it goes into ~arch.

(In reply to comment #9)
> > Thanks to Flameeyes who immediately figured that openrc must be dealing with
> > pam incorrectly.
> Yeah lol immediately after killing all ~arch users who updated world
> yesterday... those reporting here are just those who recovered - there must be
> zillions left skimming all corners for rescue discs, l0l.
> big mishap - but after all it's called 'ble3ding edge' for a reason ;)

lol ;-) We got it fixed within hours so I think we are ok at this point.

(In reply to comment #11)
> We got it fixed within hours so I think we are ok at this point.
I do not. Please test the package before you ship it.
Something like the tinderbox might help you with that, I am not sure.

Comment 13 Christian Ruppert (idl0r) 2011-09-02 14:37:14 UTC

*** Bug 381549 has been marked as a duplicate of this bug. ***

Sorry for intruding into your warm conversation, but I have to say couple things:
1. ~arch is apriori unstable. so ~arch users should be prepared for breakage and/or another consequences.
2. bugzilla isn't right place for any controversy (correct me if I am wrong)

so please stop arguing :)

Comment 15 William Hubbs 2011-09-02 15:19:48 UTC

(In reply to comment #14)
> Sorry for intruding into your warm conversation, but I have to say couple
> things:

Hello Ivan,

> 1. ~arch is apriori unstable. so ~arch users should be prepared for breakage
> and/or another consequences.

You are correct, and that's all  I was saying; I wasn't trying to argue with anyone. I was just clarifying that the bug is resolved. Any comments about what could or should be done wrt testing in the future are irrelivent to this bug.

> 2. bugzilla isn't right place for any controversy (correct me if I am wrong)

Again, you are correct, so this will be my last posting to this bug.

Have a good day. :-)

Comment 16 SpanKY 2011-09-02 18:58:56 UTC

tinderbox builds packages.  it doesnt boot things.

as for the rest, Ivan/William covered it.

I just got hit by the same bug on openrc-0.9.4, so I'm not sure this has been fully fixed.  This is on amd64 stable btw.

My /etc/pam.d/start-stop-daemon is the two line version described in the thread.  Rather than updating that file (which seems like a bad idea 'cause it will get clobbered on the next emerge), I set sys-apps/openrc -pam in /etc/portage/package.use until this is all sorted out.

Any other suggestions?

I also got the same error after upgrading just baselayout and openrc.

openrc-0.9 series should depend on a newer version of pam as on my system which is running sys-libs/pam-0.78-r3, the /etc/pam.d/system-services file and the modules it uses aren't available.