Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389485 - sys-libs/libcap-2.22: unresolved symbol pam_get_item(), breaks authentication
Summary: sys-libs/libcap-2.22: unresolved symbol pam_get_item(), breaks aut...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2011-11-04 13:17 UTC by Israel G. Lugo
Modified: 2015-08-26 23:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

emerge --info (emerge-info.txt,4.45 KB, text/plain)
2011-11-05 23:05 UTC, Aaron D Borden

Note You need to log in before you can comment on or make changes to this bug.
Description Israel G. Lugo 2011-11-04 13:17:42 UTC
I've got libcap and am using it in my /etc/pam.d/system-auth, as such:

auth           required

sudo breaks with the following error message:
$ sudo -i
sudo: pam_authenticate: Module is unknown

This is left in the logs:
sudo: PAM unable to dlopen(/lib64/security/ /lib64/security/ undefined symbol: pam_get_item
sudo: PAM adding faulty module: /lib64/security/
sudo:     _myusername_ : pam_authenticate: Module is unknown ; TTY=pts/4 ; PWD=/home/_myusername_ ; USER=root ; COMMAND=/bin/bash

Using sys-libs/pam-1.1.5 and app-admin/sudo-1.8.1_p2. Use flags follow:

sys-libs/libcap-2.22 was built with the following:
USE="(multilib) pam"

sys-libs/pam-1.1.5 was built with the following:
USE="berkdb cracklib (multilib) nls vim-syntax -audit -debug -nis (-selinux) -test"

app-admin/sudo-1.8.1_p2 was built with the following:
USE="(multilib) pam -ldap -offensive (-selinux) -skey"

This seems to be the following bug:
Comment 1 Israel G. Lugo 2011-11-04 13:20:00 UTC
Forgot to mention: the breakage happened after an upgrade yesterday, from libcap-2.17.
Comment 2 Israel G. Lugo 2011-11-04 13:27:55 UTC
Undefined symbols in
$ nm -u -D /lib64/security/ 
                 w _Jv_RegisterClasses
                 w __cxa_finalize
                 w __gmon_start__
                 U __sprintf_chk
                 U __strdup
                 U __vsyslog_chk
                 U cap_free
                 U cap_from_text
                 U cap_get_proc
                 U cap_set_proc
                 U cap_to_text
                 U closelog
                 U fclose
                 U fgets
                 U fopen64
                 U free
                 U malloc
                 U openlog
                 U pam_get_item
                 U pam_get_user
                 U strcmp
                 U strcpy
                 U strlen
                 U strtok

pam_get_item and pam_get_user are defined in
$ nm -D /lib64/ | grep -E 'pam_get_(item|user)'
0000003608e06840 T pam_get_item
0000003608e069c0 T pam_get_user

However, does not link against it:
$ ldd /lib64/security/ =>  (0x00007fff3e789000) => /lib64/ (0x00007fb8c6082000) => /lib64/ (0x00007fb8c5d17000) => /lib64/ (0x00007fb8c5b11000)
        /lib64/ (0x0000003167600000)
Comment 3 SpanKY gentoo-dev 2011-11-05 22:44:12 UTC
you need to post `emerge --info` in every report ...

upstream specifically does not link against -lpam ... thinking about it, it should just work anyways since sudo is linked against libpam, and it's libpam that is loading this module, so the module should be able to locate symbols from that search path.
Comment 4 Aaron D Borden 2011-11-05 23:05:32 UTC
Created attachment 291779 [details]
emerge --info

Seeing the same behavior.

It looks like is not being linked to libpam despide the use flag being enabled:

pangur adborden # equery u libcap
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-libs/libcap-2.22:
 U I
 + + pam : Adds support for PAM (Pluggable Authentication Modules) - DANGEROUS
           to arbitrarily flip

pangur adborden # ldd /lib64/security/ =>  (0x00007fff68bbb000) => /lib64/ (0x00007f18bbc28000) => /lib64/ (0x00007f18bb8c2000) => /lib64/ (0x00007f18bb6bc000)
	/lib64/ (0x00007f18bc05a000)

pangur adborden # ldd /lib64/security/ =>  (0x00007fff3d5ff000) => /lib64/ (0x00007f0fc07d2000) => /lib64/ (0x00007f0fc05c5000) => /lib64/ (0x00007f0fc025e000) => /lib64/ (0x00007f0fc0059000) => /lib64/ (0x00007f0fbfe55000)
	/lib64/ (0x00007f0fc0c04000)
Comment 5 Adrian 2011-12-13 19:49:19 UTC
Why does nobody fix this bug? Not being able to use sudo is annoying.

[adrian@cheops3:~]> sudo su -
sudo: pam_authenticate: Module is unknown
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-12-13 20:44:06 UTC
Mike, if pam_cap does not lik to libpam it might get the wrong symbol versions, so please make it link libpam.
Comment 7 SpanKY gentoo-dev 2011-12-20 18:53:00 UTC
i don't understand what you mean.  pam loads the module, so its symbols are available already.  if was built against a newer pam than the that is resident in memory, there could possibly be a mismatch, but there would already be a problem as you'd have the host process (let's say "sshd") using one version of libpam and the modules it loads using a different version.  the only sane thing there would be to rebuild/reload everything.
Comment 8 SpanKY gentoo-dev 2015-05-25 02:32:42 UTC
also from upstream source Makefile:
# Note (as the author of much of the Linux-PAM library, I am confident
# that this next line does *not* require -lpam on it.) If you think it
# does, *verify that it does*, and if you observe that it fails as
# written (and you know why it fails), email me and explain why. Thanks!