Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 752390 - sys-libs/pam-1.4.0_p20200829 pam returning PERM_DENIED instead of AUTH_ERROR for invalid login/unlock attempts
Summary: sys-libs/pam-1.4.0_p20200829 pam returning PERM_DENIED instead of AUTH_ERROR ...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Mikle Kolyada (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-02 22:53 UTC by Chris Henhawke
Modified: 2020-12-05 12:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Henhawke 2020-11-02 22:53:08 UTC 
Since upgrading to the latest pam/pambase, pam is returning the wrong status code for unsuccessfully logging in/unlocking existing sessions.  This manifests in programs using different error messages.  For example, Gnome/MATE screensaver will return "Not permitted to gain access at this time" instead of "Incorrect password". https://github.com/mate-desktop/mate-screensaver/blob/master/src/gs-auth-pam.c#L470

Reproducible: Always

Steps to Reproduce:
1. upgrade to latest stable pam and pambase
2. screw up entering your password
3.
Actual Results:  
PERM_DENIED

Expected Results:  
AUTH_ERROR

chris@gazelle ~ $ equery l pam
 * Searching for pam ...
[IP-] [  ] sys-libs/pam-1.4.0_p20200829:0
chris@gazelle ~ $ equery l pambase
 * Searching for pambase ...
[IP-] [  ] sys-auth/pambase-20201028.1:0
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-11-04 19:59:21 UTC 
This has nothing to do with pam itself, rather with software using pam.
Comment 2 Chris Henhawke 2020-11-04 20:32:23 UTC 
Care to explain?  It worked just fine before you guys updated things...
Comment 3 Chris Henhawke 2020-11-19 14:46:21 UTC 
More issues with this...  Rebooted my laptop for a kernel upgrade, mistyped my password logging into slim, and the screen blacked out and wouldn't give me another login prompt.  Had to kill -9 both X and slim.

slim: pam_authenticate(): Permission denied

I tried filing a bug with mate-screensaver but it didn't go anywhere.  I have a hard time believing that every package that uses pam uses it wrong.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-11-19 17:21:20 UTC 
Please reopen the bug if you only have something more acceptable which can be analyzed. Currently it is a guess game which does not reveal anything in regards with pam itself.
Comment 5 Chris Henhawke 2020-11-20 13:13:19 UTC 
I've been dealing with this on 5 systems for the past 2 weeks.  I'm going to just comment out faillock and leave it commented out since that restores the correct behaviour.  Whenever someone decides to fix this, you know where the problem lies.
Comment 6 Chris Henhawke 2020-11-20 13:15:58 UTC 
I've been dealing with this on 5 systems for the past 2 weeks.  I'm going to just comment out faillock and leave it commented out since that restores the correct behaviour.  Whenever someone decides to fix this, you know where the problem lies.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-20 13:34:02 UTC 
USE=debug on pambase and syslog may help? I just don't understand why you're hitting this and nobody else is.

emerge -pvO pam pambase?
Comment 8 bagas 2020-12-05 12:51:04 UTC 
Hello.
Same problem.
My system.
Linux 5.4.80-gentoo-r1 x86_64

[ebuild   R    ] sys-libs/pam-1.5.1::gentoo  USE="berkdb filecaps pie (split-usr) -audit -debug -nis (-selinux)" 0 KiB
[ebuild   R    ] sys-auth/pambase-20201103::gentoo  USE="elogind nullok passwdqc sha512 -caps -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -pwhistory -pwquality -securetty (-selinux) -systemd" 0 KiB
[ebuild   R    ] x11-misc/slim-1.3.6-r5::gentoo  USE="pam -branding" 0 KiB