Bug 551312 - [RFE] pam_listfile calls getgrent(), apply patch to call pam_modutil_user_in_group_nam_nam()
Summary: [RFE] pam_listfile calls getgrent(), apply patch to call pam_modutil_user_in_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Duplicates: 548410 574574
Depends On:
Blocks: 554476
Reported: 2009-12-29 23:26 UTC by Ray Van Dolson
Modified: 2018-12-01 18:48 UTC (History)

Fixed In Version: pam-0.99.6.2-10.el5
Doc Type: Enhancement
Doc Text:
The pam_listfile module was searching through all group entries using the getgrent() call when looking for group matches. Due to this inefficient implementation it was very slow on systems where a large number of groups are stored on a central identity server such as LDAP. The module now uses a more efficient implementation that does not require looking up all groups on the system. The module is now much faster when doing group matches.
Clone Of:
Environment:
Last Closed: 2013-01-08 07:15:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Upstream's patch to use pam_modutil_user_in_group_nam_nam(). (3.14 KB, patch)
2009-12-29 23:28 UTC, Ray Van Dolson


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0032 0 normal SHIPPED_LIVE pam bug fix and enhancement update 2013-01-07 15:28:39 UTC

Description Ray Van Dolson 2009-12-29 23:26:58 UTC
When using pam_listfile to restrict logins based on group membership on a
system connected either to LDAP or AD via winbind, there are large delays
while group membership checks are done due to inefficiencies in how
pam_listfile determined group membership.

See this[1] thread for discussion.  This patch[2] appears to address the
issue but would need to be backported to PAM in RHEL5.

This issue is occurring with pam-0.99.6.2-6.el5.

The "workaround" is to disable enumeration of groups in the smb.conf file,
however this isn't an ideal solution.

An SRPM with the patch applied can be found here[3].  I have tested this
patched version on our production servers and can confirm that pam_listfile
now works extremely quickly when using group restrictions.

[1] http://www.redhat.com/archives/pam-list/2009-September/msg00001.html
[2] http://tinyurl.com/y9beq49
[3] http://fedorapeople.org/~rayvd/pam/pam-0.99.6.2-6.el5.esri1.src.rpm

Comment 1 Ray Van Dolson 2009-12-29 23:28:10 UTC
Created attachment 380866 [details]
Upstream's patch to use pam_modutil_user_in_group_nam_nam().

Comment 2 Ray Van Dolson 2009-12-30 00:07:26 UTC
Opened RH SR #1982110 for this issue.

Comment 4 Tomas Mraz 2010-01-11 21:39:33 UTC
*** Bug 548410 has been marked as a duplicate of this bug. ***

Comment 5 Chris Williams 2010-03-17 20:50:45 UTC
*** Bug 574574 has been marked as a duplicate of this bug. ***

Comment 7 RHEL Program Management 2010-08-09 18:12:48 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 8 RHEL Program Management 2011-01-11 20:03:12 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 9 Ray Van Dolson 2011-01-11 23:01:37 UTC
This seems like a trivial change.  Will bump this again with support (Case #00335957).

Comment 10 RHEL Program Management 2011-01-11 23:19:26 UTC
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 11 RHEL Program Management 2011-05-31 13:12:09 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 12 RHEL Program Management 2011-12-09 17:27:34 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 15 Ray Van Dolson 2012-01-24 20:50:30 UTC
For those watching this bug, got an update from RH Support that the fix should be included in RHEL 5.9.

Comment 21 Jake Kodak 2012-05-25 20:36:34 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. This request will be considered in a future release of Red Hat Enterprise Linux.

Comment 22 Tomas Mraz 2012-06-12 06:59:50 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The pam_listfile module was searching through all group entries using the getgrent() call when looking for group matches.
Due to this inefficient implementation it was very slow on systems where a large number of groups are stored on a central identity server such as LDAP.
The module now uses a more efficient implementation that does not require looking up all groups on the system.
The module is now much faster when doing group matches.

Comment 34 errata-xmlrpc 2013-01-08 07:15:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0032.html