su crashes when there are incorrect entries in /etc/pam.d/su

In my case, the first line #%PAM-1.0 was replaced by PAM-1.0

Reproducible: Always

Steps to Reproduce:
1. Remove the first two characters (#%) from /etc/pam.d/su
2. Log in as user (not root)
3. Type in "su"
4. su writes to the syslog:
   Aug 29 00:10:07 psychopriest su[31759]: PAM (su) illegal module type: PAM-1.0
5. su crashes with SEGV

Actual Results:
SEGV

Expected Results:
su should inform the user that PAM is not available and exit gracefully

Portage 2.0.50-r9 (default-amd64-2004.2, gcc-3.3.3, glibc-2.3.4.20040605-r0, 2.6.9-rc1)
=================================================================
System uname: 2.6.9-rc1 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache"
GENTOO_MIRRORS="http://gentoo.inode.at/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa amd64 apm arts avi berkdb cdr crypt dvd encode esd foomaticdb gdbm gif gnome gpm gtk gtk2 imlib jpeg libg++ libwww mikmod motif mozilla mpeg ncurses nls nogcj oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell ssl tcpd truetype xml2 xmms xv zlib"

Here's a start:

(gdb) bt
#0  0x4004e747 in _pam_strCMP () from /lib/libpam.so.0
#1  0x4004da65 in _pam_dispatch () from /lib/libpam.so.0
#2  0x4004dd85 in _pam_init_handlers () from /lib/libpam.so.0
#3  0x4004d0fb in pam_start () from /lib/libpam.so.0
#4  0x08049f48 in ?? ()
#5  0x0804bf85 in _IO_stdin_used ()
#6  0x0804d520 in stderr ()
#7  0x0804bea0 in _IO_stdin_used ()
#8  0x0804d500 in stderr ()
#9  0x08048cff in ?? ()
#10 0x00000000 in ?? ()
#11 0xbffff3a8 in ?? ()
#12 0xbffff3a8 in ?? ()
#13 0x401428c0 in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__ () from /lib/libc.so.6
#14 0x40142c08 in libgcc_s_personality () from /lib/libc.so.6
#15 0x400e4eec in __close_nocancel () from /lib/libc.so.6
#16 0x4006a44e in __guard_setup () from /lib/libc.so.6
#17 0x4006a142 in __libc_start_main () from /lib/libc.so.6
#18 0x08049651 in ?? ()

Created attachment 51314
Implement missing null handling for strtok return

This problem was reproducible on an x86 box, so it doesn't appear to be platform specific. The code wasn't prepared for having only a single token on a line, like the uncommented PAM-1.0 line presents. strtok was returning a NULL when trying to get the second token, and the code wasn't prepared to receive a NULL.

The code now aborts and reports the error to syslog, example output below.

jkf@outreach jkf # su
su: pam_start: error 26

This is what appears in syslog after the above runs...

Feb 15 22:04:05 outreach su[29631]: PAM (su) illegal module type: PAM-1.0
Feb 15 22:04:05 outreach su[29631]: PAM (su) premature end of line found
Feb 15 22:04:05 outreach su[29631]: PAM _pam_init_handlers: error reading /etc/pam.d/su
Feb 15 22:04:05 outreach su[29631]: PAM _pam_init_handlers: [Critical error - immediate abort]
Feb 15 22:04:05 outreach su[29631]: PAM error reading PAM configuration file
Feb 15 22:04:05 outreach su[29631]: PAM pam_start: failed to initialize handlers
Feb 15 22:04:05 outreach su[29631]: pam_start: error 26

Feel free to change the error messages to something more appropriate if needed.

Added for pam-0.78, thanks.
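
The failure mode described in the patch comment above, as an added example that is not the attached patch or Linux-PAM's own code: a service-file line parser that checks every strtok() return for NULL, so a one-token line such as PAM-1.0 is rejected instead of dereferenced. The function name, struct, and result codes are hypothetical; continuing past an unknown type before reporting the premature end of line is an assumption modeled on the order of the syslog messages in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Linux-PAM constants). */
enum { LINE_OK = 0, LINE_SKIP = 1, LINE_BAD_TYPE = -1, LINE_PREMATURE_END = -2 };

struct pam_entry { const char *type, *control, *module; };

static int known_type(const char *t) {
    static const char *types[] = { "auth", "account", "session", "password" };
    for (size_t i = 0; i < sizeof types / sizeof *types; i++)
        if (strcmp(t, types[i]) == 0) return 1;
    return 0;
}

/* Parse one line of the form: <type> <control> <module-path> [args...]
 * `line` is modified in place by strtok(). An unknown type is remembered
 * but parsing continues; a missing token ends parsing with an error
 * before any NULL pointer is used. */
int parse_pam_line(char *line, struct pam_entry *out) {
    line[strcspn(line, "#\n")] = '\0';          /* drop comment and newline */
    char *tok = strtok(line, " \t");
    if (tok == NULL) return LINE_SKIP;          /* blank or comment-only */
    int bad_type = !known_type(tok);
    out->type = tok;
    if ((tok = strtok(NULL, " \t")) == NULL) return LINE_PREMATURE_END;
    out->control = tok;
    if ((tok = strtok(NULL, " \t")) == NULL) return LINE_PREMATURE_END;
    out->module = tok;
    return bad_type ? LINE_BAD_TYPE : LINE_OK;
}

int main(void) {
    /* Constructed sample lines; the second is the damaged header from the report. */
    const char *samples[] = {
        "#%PAM-1.0\n", "PAM-1.0\n",
        "auth       sufficient   pam_rootok.so\n", "auth required\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char buf[128];
        struct pam_entry e = {0};
        snprintf(buf, sizeof buf, "%s", samples[i]);
        int rc = parse_pam_line(buf, &e);
        printf("rc=%2d  %s", rc, samples[i]);
    }
    return 0;
}
```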