Bug 50337 - PAM broken_shadow option is broken
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-07 04:33 UTC by Martijn Koster
Modified: 2005-02-25 11:25 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Martijn Koster 2004-05-07 04:33:23 UTC
Background: I was experimenting with a small program that uses PAM to
check a user's password. I noticed that the pam_authenticate would
succeed, but the pam_acct_mgmt call would fail. The reason turned out
to be that the pam_authenticate uses the setuid /sbin/unix_chkpwd, but
the pam_acct_mgmt doesn't, so when run as a non-root user it fails to
read /etc/shadow. Then I noticed that Gentoo's pam contains a patch to
work around "broken shadow" systems. I added the broken_shadow option
to the appropriate config file, but it didn't work.


Reproducible: Always
Steps to Reproduce:
This is reproducible, but there are quite a few steps.  Of course PAM
is a rather important subsystem, so before you start messing with it
make sure you have a backup, and a couple of spare root shells open.

  emerge sys-libs/pam

  wget http://www.pangalactic.org/PyPAM/PyPAM-0.4.2.tar.gz
  tar xvzf PyPAM-0.4.2.tar.gz
  cd PyPAM-0.4.2/examples/
  gcc -o pamexample -g pamexample.c -lpam -lpam_misc
  cat > /etc/pam.d/check_user <<EOT
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
EOT

Now in /etc/pam.d/system-auth, modify the account line:

  account    required     /lib/security/pam_unix.so broken_shadow

Now run (with username and password of a system user):

  ./pamexample myusername
  Password: mypassword
  Not Authenticated

Actual Results:
Not Authenticated

Expected Results:
Authenticated

I debugged it, and the problem is in 
/var/tmp/portage/pam-0.77/work/pam-0.77-patches/redhat-patches/pam-0.77-unix-brokenshadow.patch. 
It has: 
 
        if (ctrl & UNIX_BROKEN_SHADOW) 
 
whereas it should have: 
 
        if (on(UNIX_BROKEN_SHADOW, ctrl)) 
 
as you can see from the other patches there. 
 
To fix: 
 
  ebuild /usr/portage/sys-libs/pam/pam-0.77.ebuild compile 
  cd /var/tmp/portage/pam-0.77/work/Linux-PAM-0.77/modules/pam_unix 
  vi pam_unix_acct.c 
 
and change the UNIX_BROKEN_SHADOW line 133 as shown above, then: 
 
  make 
  mv /lib/security/pam_unix.so /lib/security/pam_unix.so.ok 
  cp pam_unix.so /lib/security/pam_unix.so 
 
Now re-run the test case, this time it works: 
 
  ./pamexample myusername 
  Password: 
  Authenticated 
 
Of course, for this particular test-case there is an easier 
workaround: change the /etc/pam.d/check_user file to have: 
 
  account    required     /lib/security/pam_permit.so
 
so that it doesn't use pam_unix in the first place. 
 
 
For completeness, here is my emerge info: 
Portage 2.0.50-r6 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3_pre20040420-r0, 
2.6.5-gentoo-r1) 
================================================================= 
System uname: 2.6.5-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz 
Gentoo Base System version 1.4.8 
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) 
[enabled] 
ccache version 2.3 [enabled] 
Autoconf: sys-devel/autoconf-2.58-r1 
Automake: sys-devel/automake-1.8.3 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CFLAGS="-O2 -mcpu=i686 -pipe" 
CHOST="i686-pc-linux-gnu" 
COMPILER="gcc3" 
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/alias /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-O2 -mcpu=i686 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoaddcvs ccache distcc sandbox" 
GENTOO_MIRRORS="http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/ 
ftp://ftp.easynet.nl/mirror/gentoo// 
http://ftp.snt.utwente.nl/pub/os/linux/gentoo 
ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo 
rsync://ftp.snt.utwente.nl::gentoo ftp://trumpetti.atm.tut.fi/gentoo/ 
rsync://trumpetti.atm.tut.fi/gentoo/ 
http://sunsite.cnlab-switch.ch/ftp/mirror/gentoo/ 
ftp://sunsite.cnlab-switch.ch/mirror/gentoo/" 
MAKEOPTS="-j4" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="" 
SYNC="rsync://rsync.nl.gentoo.org/gentoo-portage" 
USE="X alsa apm arts avi berkdb bonobo cdr crypt cups encode esd foomaticdb 
gdbm gif gnome gphoto2 gpm gtk gtk2 gtkhtml guile imap imlib java jpeg kde 
ldap libg++ libwww mad mikmod motif mozilla mpeg mysql ncurses nls nptl 
oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl 
slang spell ssl svga tcltk tcpd tiff truetype x86 xml2 xmms xv zlib"
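The `ctrl & UNIX_BROKEN_SHADOW` versus `on(UNIX_BROKEN_SHADOW, ctrl)` point above is easy to miss unless you know how pam_unix stores its options: the `UNIX_*` names are indices into a table, and `on(x, ctrl)` looks the option's bit up through that table. The following is an added, cut-down model of that scheme written for this bug page; it is not code from the report or from Linux-PAM, and the table entries, indices and bit values are assumptions chosen for the example. With those values it shows both ways the raw `&` goes wrong: the option is ignored when it is given, and the check can also fire when other options happen to set the low bits, so the module would start ignoring shadow read errors without the administrator having asked for it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed, cut-down model of pam_unix's option handling (the real table
 * lives in Linux-PAM's modules/pam_unix/support.h). The option names are the
 * module's; the indices and bit values below are assumptions for this example.
 */
enum {
    UNIX_NULLOK = 0,      /* table index 0 */
    UNIX_DEBUG,           /* 1 */
    UNIX_USE_FIRST_PASS,  /* 2 */
    UNIX_BROKEN_SHADOW,   /* 3: a table index, not a bit mask */
    UNIX_CTRLS_           /* number of entries */
};

struct unix_ctrl {
    const char *token;    /* option as written on the pam.d line */
    unsigned int flag;    /* bit recorded in ctrl when the option is present */
};

static const struct unix_ctrl unix_args[UNIX_CTRLS_] = {
    { "nullok",         001 },
    { "debug",          002 },
    { "use_first_pass", 004 },
    { "broken_shadow",  010 },
};

/* pam_unix's accessor: translate the index into its bit via the table. */
#define on(x, ctrl)  (unix_args[(x)].flag & (ctrl))

/* Turn a module-argument string ("nullok debug ...") into a ctrl word, the
 * way pam_unix builds it from argv. Unknown tokens are silently ignored here
 * (the real module logs them). */
unsigned int parse_ctrl_line(const char *line)
{
    char buf[256];
    unsigned int ctrl = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        for (int j = 0; j < UNIX_CTRLS_; j++)
            if (strcmp(tok, unix_args[j].token) == 0)
                ctrl |= unix_args[j].flag;
    return ctrl;
}

/* The test as it appears in the brokenshadow patch: ANDs ctrl with the
 * index (3), i.e. with bits 001|002, which belong to nullok and debug. */
int broken_shadow_buggy(unsigned int ctrl)
{
    return (ctrl & UNIX_BROKEN_SHADOW) != 0;
}

/* The test as the rest of pam_unix writes it: index -> bit via the table. */
int broken_shadow_fixed(unsigned int ctrl)
{
    return on(UNIX_BROKEN_SHADOW, ctrl) != 0;
}

int main(void)
{
    /* Constructed option strings as they would appear on a pam.d line. */
    const char *lines[] = { "broken_shadow", "nullok debug", "" };

    for (int i = 0; i < 3; i++) {
        unsigned int ctrl = parse_ctrl_line(lines[i]);
        printf("options \"%s\": ctrl=0%o  buggy=%d  fixed=%d\n",
               lines[i], ctrl, broken_shadow_buggy(ctrl),
               broken_shadow_fixed(ctrl));
    }
    return 0;
}
```

Run as-is, the model reports `buggy=0 fixed=1` for `broken_shadow` alone (the option is dropped on the floor, which is what the report sees as "Not Authenticated") and `buggy=1 fixed=0` for `nullok debug` (the buggy test fires although nobody asked for broken_shadow). The second case is the one worth remembering when reviewing option-parsing patches: a wrong test against a flag table does not just lose the feature, it can enable it where it is not configured.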
Comment 1 Robin Johnson (Gentoo Infrastructure, gentoo-dev, Security) 2004-08-12 00:12:15 UTC
I can't reproduce this problem with 0.77-r1 as you have specified.
pamexample does return your expected result of 'Authenticated'.
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2005-02-10 09:56:00 UTC
Is this still an issue? Tried newer shadow versions maybe?
Comment 3 Martin Schlemmer (RETIRED) gentoo-dev 2005-02-25 11:25:21 UTC
Please try pam-0.78 and reopen if still an issue.