Bug 1267836

Summary: PAM responder crashed if user was not set
Product: Red Hat Enterprise Linux 7 Reporter: Lukas Slebodnik <lslebodn>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: grajaiya, jgalipea, jhrozek, ksiddiqu, lmiksik, lslebodn, mkosek, mzidek, ndehadra, nkinder, pbrezina, preichl, sgoveas
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.13.0-38.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 11:40:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
C Prgram for reproducing crash none

Description Lukas Slebodnik 2015-10-01 08:00:19 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2811

{{{
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f29f8324fe0][19]
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f29f8324fe0][19]
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering pam_cmd_preauth
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): service: ipsilon_ecp
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.168.52.2
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29509
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
}}}
Comment 1 Lukas Slebodnik 2015-10-01 09:22:02 UTC 
Created attachment 1078997 [details]
C Prgram for reproducing crash

Prepare new service in /etc/pam.d

[root@host ~]# cat /etc/pam.d/ipsilon_ecp 
auth    required   pam_sss.so
account required   pam_sss.so

Compile attached reproducer.
gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam

Expected result:
The pam responder (ssss_pam) should not crash
Comment 2 Lukas Slebodnik 2015-10-01 13:19:54 UTC 
It is reproducible only in case if pam preauth is available.

So you need to test with ipa provider
Comment 4 Lukas Slebodnik 2015-10-02 10:20:18 UTC 
master: 
* 2e76b32e74abedb23665808bacc73cafd1097c37

sssd-1-13:
* ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273
Comment 6 Nikhil Dehadrai 2015-10-12 12:23:29 UTC 
IPA Server/Client: ipa-server-4.2.0-12.el7.x86_64, ipa-client-4.2.0-12.el7.x86_64
RHEL: 7.2

Tested the bug with following Scenarios:

Scenario A) For sssd-1.13.0-36.el7.x86_64 (Used to reproduce the issue)
observations:
1) Create /etc/pam.d/ipsilon_ecp with paramters:
	auth    required   pam_sss.so
	account required   pam_sss.so
2) Notice the sssd_pam process id, using ps -elf | grep sssd
	(In my case)
	4 S root      2580  2549  0  80   0 - 59732 ep_pol 16:55 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
3) Now run the GCC compiler for the attached C program
	gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam
4) Execute ./sssd_pam_crash_reproducer
5) Noticed the id for sssd_pam is changed:
	4 S root      2620  2549  0  80   0 - 59732 ep_pol 17:01 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
6) Also, following error message is noticed under /var/log/messages:
	Oct 12 17:01:08 <ipa-server> kernel: sssd_pam[2580]: segfault at 10 ip 00007f0f11409730 sp 00007ffc27d5e490 error 4 in sssd_pam[7f0f11400000+20000]
	Oct 12 17:01:08 <ipa-server> sssd[pam]: Starting up


Scenario B) For sssd-1.13.0-39.el7.x86_64, (On the same system, upgraded the sssd to latest version and Used this to verify fix for the issue)
observations:
1) Notice the sssd_pam process id, using ps -elf | grep sssd
	(In my case)
	4 S root      2702  2698  0  80   0 - 59760 ep_pol 17:12 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
2) Now run the GCC compiler for the attached C program
	gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam
3) Execute ./sssd_pam_crash_reproducer, following message is returned which is expected. (As per discussion with dev Team)
	testing pam_authenticate
	pam_authenticate: Insufficient credentials to access authentication data
4) Noticed the id for sssd_pam is NOT changed:
	4 S root      2702  2698  0  80   0 - 59760 ep_pol 17:12 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
5) Also, NO error message is noticed under /var/log/messages:
	
Thus on the basis of above observations in Scenario A) and Scenario B), marking the status of bug as "VERIFIED".
Comment 7 errata-xmlrpc 2015-11-19 11:40:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html