Summary: | Authen-PAM causes segfaults in webmin | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Gary <gary> |
Component: | Current packages | Assignee: | Gentoo Perl team <perl> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | amax, davidgrant, eradicator, pam-bugs+disabled, pdcooper, quantumdigit, robteichmann, rumen, sgtphou, tupone, wirwzd |
Priority: | Highest | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | Output of "strace /etc/init.d/webmin start 2> filename.txt" |
Description
Gary
2004-08-29 10:38:12 UTC
what version of pperl did you have before? Please provide the output of 'emerge info' Previous version of perl was dev-lang/perl-5.8.4-r1 Portage 2.0.50-r10 (default-x86-1.4, gcc-3.3.4, glibc-2.3.4.20040619-r0, 2.6.7-gentoo-r11) ================================================================= System uname: 2.6.7-gentoo-r11 i686 Pentium III (Coppermine) Gentoo Base System version 1.5.2 distcc 2.17 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.5-r1 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" COMPILER="" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache distcc sandbox" GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://mirror.datapipe.net/gentoo ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo" MAKEOPTS="-j5" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage" USE="X alsa apm avi berkdb bonobo crypt cups dga encode esd evo f2c fbcon foomaticdb gb gd gdbm gif gnome gpm gtk gtk2 gtkhtml guile imlib java jpeg lcms libgda libwww mad maildir mbox mmx motif mozilla mpeg nas ncurses nls oggvorbis opengl oss pam pcmcia pdflib perl pic plotutils png pnp python quicktime readline ruby sasl sdl slang slp snmp spell sse ssl svga tcltk tcpd tetex threads tiff truetype trusted usb wmf x86 xface xml xml2 xmms xv zlib" did you re-emerge your perl modules since updating perl? I thought that /usr/portage/dev-lang/perl/files/libperl_rebuilder would re-emerge the modules. It certainly seemed like it emerged a lot of mods. Is there a resonably easy way to re-emerge all of the perl stuff? oh it does... sorry I missed that when I was re-reading it... I can't reproduce it... can you please try getting me a backtrace? Jeremy, I hate to sound lame, but how do I generate the backtrace? I can confirm this bug. However an update of perl didn't cause the problem in my case. Here webmin segfaulted ever since I installed usermin, which in turn led to the installation of dev-perl/Authen-PAM-0.14 as a dependency. It seems like this (updated) perl module caused the problem. After an 'emerge -C Authen-PAM', the webmin miniserver works again as expected. (perl 5.8.4, webmin 1.160) Roberto is correct. The problem appears to be the Authen-PAM module. When I removed (emerge -C Authen-PAM) as per Roberto's suggestion Webmin starts properly. Roberto, will you open a bug report for Authen-PAM? Seems the webmin ebuilds don't even depend on Authen::PAM or Authen::Libwrap (which isn't in portage) - but the package does.... Can someone please post the exact error message that miniserv is reporting relevant to Authen::PAM? Not the init error (which vaguely says it failed it to start), but the actual message. Thanks! Got it. It's an incompaitbility between Authen::PAM and the current stable PAM (when this module was added to the tree, the PAM of the time worked fine with it). Looking... AFAIK, webmin doesn't require pam, but if it is present, it makes use of it... once this bug gets settled, I'll use the pam USE flag to optionally pull in this perl module... I'm having problems locking down the cause for this... I have three boxes to look at. 2 are perl 5.8.4, one is perl 5.8.5, all have pam-0.77. 2 of the boxes - 1 5.8.4 and the 5.8.5 - are throwing the same error. The third machine - no problems, compiles and runs it without a problem. Hi, Have a all ~x86 system, hardened-kernel-2.6.7-r8, quite full PaX&grsec2. Also have this bug. But in my case there are PaX logs in dmesg. They too confirm that the culpit is libpam.so.0.77. ...SKIP... 1.This is output from #paxctl -v /lib/libpam.so.0.77 ... PaX control v0.2 Copyright 2004 PaX Team <pageexec@freemail.hu> - PaX flags: -------x-e-- [/lib/libpam.so.0.77] RANDEXEC is disabled EMUTRAMP is disabled ...END1... shows that pam is compiled PaX-protected - OK. 2.Output (PaX) from dmesg: ...SKIP... PAX: execution attempt in: /lib/libpam.so.0.77, 23b58000-23b60000 00000000 PAX: terminating task: /usr/bin/perl5.8.5(miniserv.pl):14638, uid/euid: 0/0, PC: 23b59969, SP: 5b62feb0 PAX: bytes at PC: 80 7d 00 00 89 e8 0f 84 fe fe ff ff c6 00 00 40 80 38 00 75 PAX: bytes at SP: 2399b970 00000010 2399b960 23999fd8 23999fd8 2399b960 2399b2a4 00000000 fb6af317 00000005 00000000 154bbbe3 15612c4c 00000000 00000005 23b606d0 2399b2a4 00000000 2399b2a4 23b5cb20 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /usr/libexec/webmin/miniserv.pl[miniserv.pl:14638] uid/euid:0/0 gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:14586] uid/euid:0/0 gid/egid:0/0 ...END2... Don't know much about webmin but think it's a bunch of perl scripts to handle linux administration so there can't be a PaX problem with them but with some binary. So the culpit is Authen-PAM-(0.14 in my case). Unmerged it webmin starts. But this log leads me to think that thare are something which causes this previously mentioned segmentation errors - logged above. As there is a solution already pls ignore if this info is not usefull. Rumen Actually the info is handy. There is a problem with authen-pam (on some boxes, randomly not on others) and pam-0.77. I'm not having any luck figuring out what specifically, so any info is helpful :) I have the same situation with two out of three systems exhibiting this behaviour. After doing a emerge -e world on a system which was exhibitng the behaviour, it is now sptiitng the followng message into my /var/log/messages when webmin fails art boot: Oct 4 00:35:30 wintermute perl: PAM application failed to re-exec stack [76092486:1] The Oracle of Google shows the error may be coming from: http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/libpam/pam_dispatch.c?rev=1.6&view=markup Portage 2.0.51_rc7 (default-x86-2004.0, gcc-3.4.2, glibc-2.3.4.20040808-r0, 2.6.8-gentoo-r6 i686) ================================================================= System uname: 2.6.8-gentoo-r6 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz Gentoo Base System version 1.5.3 distcc 2.17 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.5-r1 Binutils: sys-devel/binutils-2.15.90.0.1.1-r3 Headers: media-tv/ivtv-0.1.9-r4 Libtools: sys-devel/libtool-1.5.2-r5 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CFLAGS="-O3 -mfpmath=sse,387 -march=pentium4 -fstack-protector-all -ffast-math -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" COMPILER="" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control /var/www/localhost/htdocs//mythweb/config" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O3 -mfpmath=sse,387 -march=pentium4 -fstack-protector-all -ffast-math -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache distcc distlocks prelink" GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://mirrors.tds.net/gentoo http://gentoo.osuosl.org/ http://mirror.datapipe.net/gentoo" MAKEOPTS="-j7" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X acl acpi aim alsa apm arts avi berkdb bitmap-fonts bonobo cdr crypt cups curl curlwrappers dba divx4linux doc dvd encode esd ethereal flac foomaticdb ftp gd gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile iconv icq imlib ipv6 ithreads jabber java joystick jpeg kde libg++ libwww lirc mad mikmod mmx motif mozilla mpeg mysql ncurses nls nptl odbc offensive oggvorbis opengl oscar oss pam pcmcia pcre pdflib perl png pnp posix python qt quicktime readline ruby samba sdl session sessions slang slp snmp soap spell spl sse sse2 ssl svga sysvipc tcltk tcpd theora threads tidy tiff transcode truetype usb videos x86 xinerama xml2 xmms xosd xprint xv xvid yahoo zlib" Hope this helps. *** Bug 78964 has been marked as a duplicate of this bug. *** perl guys... any word on this? I have a bug in with the author and absolutely no response on the matter from him. The problem began during the updates to pam in late november, but I'm not conversant enough in Pam to be able to identify where the problem is. I believe its related to a similar "bug" (security fix) where you can't execute a login from a command shell (sounds weird, I know, but the failure in authen-pam is that it can't link or execute authentication on tty's). I'm willing to -arch it for now if the usermin folks are agreeable (only ebuild outside of dev-perl to dep it). Michael, go ahead and throw it into package.mask or -arch. It isn't required for all of usermin, just a couple modules. Would you like me to put pressure upstream? And maybe the pam herd knows something that can help here... If you can sway upstream, I am indebted. He's got a horrible rating on rt (cpan) (official perl qa site) - most people can't get Authen::Pam to compile against current pam libraries. I even poked at other distros - and they are all using a horridly ancient copy (not an option - years and year and years old, minus security fixes...then again, at least it worked...). I'd rather -arch it for now - too easy to forget that it's in package.mask for me :) For what it's worth, I have a test bed now. My box at work, which was based on an image made in December, can use Authen-PAM without any problem, whereas my boxes at home cannot. I'm attempting to track down the differences now (any input welcome), on the surface at least the only diff is that at work this is a generic 2.6.6 kernel vs gentoo-2.6.8 at home Okay, I had the same problem here because I thought I needed to install Authen::PAM. I was wrong. You don't need it. Just unmerge Authen::PAM and stop Webmin. Delete the certificate from your browser's cache, reemerge Webmin, and pray. Then run etc-update and accept the changes (it should recalculate the certificate and make a modification to an mtime line in its config file). When you try to log in again, you should have success. Make sure you log in from 127.0.0.1 first, as that is exactly what I did. It should make no difference, but if someone else can overcome the problem in the same manner there's a basis for comparison. Good luck to you! ;-) *** Bug 84928 has been marked as a duplicate of this bug. *** Michael, any progress here? *** Bug 86958 has been marked as a duplicate of this bug. *** Michael, any progress here? No, I still have sporadic results, and I truly believe these are related to changes in PAM - attempting to execute a regular login (at prompt, type login) works fine on the box that Authen::PAM works and tests well on, segfaults and crashes on the box that Authen::PAM can't test on. Yikes, this bug is almost a year old. I am having the same problem with webmin 1.210. 1.200 worked fine. Merging Authen-PAM-0.14 myself (the ebuild should depend on this, I reckon?) stopped the error in /var/log/webmin/miniserv.error, and now it says this upon start: [16/Aug/2005:11:52:56 -0400] miniserv.pl started [16/Aug/2005:11:52:56 -0400] PAM authentication enabled However, the init script shows [!!], and a netstat / lsof does not reveal miniserv listening anywhere. There are no errors at all in miniserv.error. I have pam-0.78-r2 installed, with the following USE flags: +berkdb -nis -pam_chroot -pam_console -pam_timestamp +pwdb (-selinux) Yesterday is when I upgraded webmin from 1.200 to 1.2100. It is also when I upgraded pam-login from 3.17 to 4.0.11.1-r2 . I will be attaching an strace output for /etc/init.d/webmin start. Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.4.3, glibc-2.3.4.20041006-r0, 2.6.12.4 i686) ================================================================= System uname: 2.6.12.4 i686 Pentium III (Katmai) Gentoo Base System version 1.12.0_pre5 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.4 [enabled] dev-lang/python: 2.2.3-r1, 2.3.4-r1, 2.4.1-r1 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9, 1.8.5-r2, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.4.19 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium3 -mtune=pentium3 -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium3 -mtune=pentium3 -O2 -pipe" DISTDIR="/var/portage/distfiles" FEATURES="autoconfig buildpkg ccache distlocks notitles sandbox sfperms strict" GENTOO_MIRRORS="ftp://gentoo.mirrors.pair.com/ http://mirror.datapipe.net/gentoo http://open-systems.ufl.edu/mirrors/gentoo ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ ftp://gentoo.ccccom.com" MAKEOPTS="-j2" PKGDIR="/var/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/var/portage" SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage" USE="x86 X apache2 apm avi berkdb bitmap-fonts cdr chroot crypt cscope cups curl dvdr eds emboss encode esd fam flac foomaticdb fortran gd gdbm gif gnome gpm gstreamer gtk gtk2 imagemagick imlib java jpeg kde kerberos libg++ libwww mad mikmod mmx motif mozilla mp3 mpeg mysql ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python qt quicktime readline samba sdl slang snmp spell sse ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY Created attachment 66084 [details]
Output of "strace /etc/init.d/webmin start 2> filename.txt"
This bug just appeared for me after I upgraded baselayout from 1.11.13 to 1.12.0_pre5. Webmin worked fine with the earlier baselayout version. In my case I do not have Authen-PAM installed so I do see the following in /var/log/webmin/miniserv.error each time webmin is started [15/Aug/2005:22:20:59 -0500] miniserv.pl started [15/Aug/2005:22:20:59 -0500] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /etc/perl... <snip> but it does not seem to affect startup or functionality. Immediately after upgrading baselayout to 1.12.0_pre5 webmin stopped loading on startup with the same behaviour described above by FieldySnuts. Downgrading baselayout to 1.11.13 returned webmin to working order. My current (working) relevant versions are as follows: . webmin-1.210 . baselayout-1.11.13 . perl-5.8.7 . pam-0.78-r2 Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-gentoo-r8 i686) ================================================================= System uname: 2.6.12-gentoo-r8 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz Gentoo Base System version 1.6.13 dev-lang/python: 2.2.3-r5, 2.3.5, 2.4.1-r1 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=i686 -O3 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" CXXFLAGS="-march=i686 -O3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X alsa apm arts avi berkdb bitmap-fonts cdr crypt cups curl eds emacs emboss encode esd fam foomaticdb fortran gd gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 imagemagick imlib ipv6 java jpeg junit libg++ libwww mad mikmod motif mozilla mp3 mpeg mysql nas ncurses nls odbc ogg oggvorbis opengl oss pam pdflib perl png postgres python quicktime readline ruby samba sdl session slang spell ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts vorbis xml xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTDIR_OVERLAY Regards to Comment #30 : Curious, because I just upgraded to that very same version of baselaoyout. Bug 102826 seems related to this, and that seems to have been fixed. Then again, maybe not. I still have the issue. Mass re-assign. Where is this bug going? Over a year old and its not even assigned yet. Looking back at the history I'm not even certain it is the same root cause. All I know is that I can't take an upgrade to baselayout any longer without losing Webmin functionality. Obviously, this is backing up upgrades for other packages that depend on the newer baselayout. worksforme Mass re-assign. I would try the latest 0.16 version I just put in portage. mcummings was telling me last night that some of the tests failed in 0.15, but don't fail for me in 0.16. That said, give it a spin. Works for me Looks like Authen-PAM 0.16 is more PAM friendly again. Can anyone confirm that this is also resolves this bug? Closing. You know what to do if the new authen-pam ebuilds don't work for you :) eradicator - can we get this dep added back now? PAM and Authen-PAM play nice again. closing - this is resolved now |