Bug 1169877

Summary: pam_radius does not respect linux ephemeral port range and is blocked by SELinux
Product: [Fedora] Fedora EPEL Reporter: Brian J. Atkisson <batkisso>
Component: pam_radiusAssignee: timlank <timlank>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: el6CC: timlank
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam_radius-1.4.0-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-02 17:21:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian J. Atkisson 2014-12-02 15:36:28 UTC 
Description of problem:

When using pam_radius, radius authentication takes much longer than it should.  After investigating the issue, it appears that a SELinux policy is blocking pam_radius from binding to low numbered ports. When pam_radius needs an egress port, it simply takes the process ID and adds 1024 to it, rather than respecting the Linux ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range).  When SELinux blocks that port, pam_radius then tries the next port to use, then the next one, then the next one.  It does this until reaching 32748, then it is successful in binding.  Scanning through all these ports can take more than 10 seconds and delay every authentication attempt.  See https://github.com/FreeRADIUS/pam_radius/blob/master/src/pam_radius_auth.c#L689

Version-Release number of selected component (if applicable):
pam_radius-1.3.17-2.el6.x86_64

How reproducible:

Reproducible when system assigns program calling pam_radius a pid lower than 31744.

Steps to Reproduce:
1. Install pam_radius with SELinux enabled

Actual results:
long delay in authentication

Additional info:
In my case, I'm using pam_radius combined with the pam_passthru plugin for Directory Server.
Comment 1 timlank 2014-12-02 17:14:51 UTC 
The C code is wrong.  It should just use 0 for a local port.
A fix has been pushed and the next rev will be released later this week.

I will attach it to this case when it becomes available for you to test.
Comment 2 Brian J. Atkisson 2014-12-11 03:47:41 UTC 
Please let me know when you have a test build, I'm anxious to test.
Comment 3 Brian J. Atkisson 2014-12-18 14:14:08 UTC 
The port allocation code looks like it'll work. I grabbed the source, but I'm having some problems building the RPM:

+ cd pam_radius-1.4.0
+ LANG=C
+ export LANG
+ unset DISPLAY
+ make -j16 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -fPIC'
cc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
cc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -fPIC -c src/md5.c -o md5.o
In file included from src/md5.c:43:
src/md5.h:3:20: error: config.h: No such file or directory
In file included from src/pam_radius_auth.c:62:
src/pam_radius_auth.h:4:20: error: config.h: No such file or directory
make: *** [md5.o] Error 1
make: *** Waiting for unfinished jobs....
src/pam_radius_auth.h:35:4: error: #error security/pam_modules.h or pam/pam_modules.h required
src/pam_radius_auth.c:183: error: expected ')' before '*' token

Would you mind taking a look.

Thanks!
Brian
Comment 4 Brian J. Atkisson 2015-01-08 16:18:57 UTC 
I just confirmed that the newly released pam_radius 1.4.0 resolves this issue.  Thanks for the help!
Comment 5 Fedora Update System 2015-01-19 05:02:33 UTC 
pam_radius-1.4.0-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/pam_radius-1.4.0-1.fc21
Comment 6 Fedora Update System 2015-01-19 05:31:36 UTC 
pam_radius-1.4.0-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam_radius-1.4.0-1.fc20
Comment 7 Brian J. Atkisson 2015-01-19 14:46:26 UTC 
Will we see EL6 and EL7 builds for this?  Thanks!
Comment 8 Fedora Update System 2015-01-20 21:06:30 UTC 
Package pam_radius-1.4.0-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_radius-1.4.0-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0941/pam_radius-1.4.0-1.fc21
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2015-01-21 14:20:46 UTC 
pam_radius-1.4.0-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/pam_radius-1.4.0-2.fc21
Comment 10 Fedora Update System 2015-01-21 20:17:05 UTC 
pam_radius-1.4.0-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam_radius-1.4.0-2.fc20
Comment 11 Fedora Update System 2015-02-02 17:21:10 UTC 
pam_radius-1.4.0-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-02-16 03:26:18 UTC 
pam_radius-1.4.0-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2015-02-17 17:23:18 UTC 
pam_radius-1.4.0-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pam_radius-1.4.0-2.el6
Comment 14 Fedora Update System 2015-02-19 11:09:41 UTC 
pam_radius-1.4.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.