Bug 1728777

Summary: pam_loginuid prevents login in unprivileged containers
Product: Red Hat Enterprise Linux 7
Reporter: Dzmitry Kazei <rh>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.6
CC: dapospis, tmraz
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pam-1.1.8-23.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 19:10:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dzmitry Kazei 2019-07-10 16:46:58 UTC
Description of problem:
pam_loginuid prevents login via ssh in unprivileged containers because it can't write /proc/self/loginuid even as namespaced root. Upstream had been patched (https://github.com/linux-pam/linux-pam/commit/2e62d5aea3f5ac267cfa54f0ea1f8c07ac85a95a#diff-8322fbd4507ee14b865167c196cb78d2) years ago to work around the issue in user namespaces.

Could you please apply the patch?

pam_loginuid can be set as optional instead of required for ssh as a workaround, but that's not the way to go.

Thanks

Version-Release number of selected component (if applicable):
pam-1.1.8-22.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Run sshd in a container with user namespace mapping enabled (example 0 100000 65536)
2. try to connect from another host with ssh

Actual results:
session closed with debug message "debug3: PAM session not opened, exiting"

Expected results:
session opened

Comment 5 Dalibor Pospíšil 2019-07-24 16:22:28 UTC
Dzmitry, can you share with us the steps you've done to run sshd in a container?

Comment 6 Dzmitry Kazei 2019-07-24 16:32:36 UTC
Hello,

I installed the required files with "yum -y --installroot=/var/lib/lxc/test/rootfs install openssh-server openssh-clients"; the package manager was run with a custom Python script wrapper in a new namespace to set correct ownership for the container fs (the script will not affect the actual sshd run - that's just system preparation).

Then I configured LXC (installed from EPEL repo):

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.include = /usr/share/lxc/config/centos.userns.conf
lxc.arch = x86_64
lxc.start.auto = 1
lxc.cgroup.cpu.shares = 512
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 320M
lxc.haltsignal = SIGTERM
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.pts = 64
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.ipv4 = IP_HERE
lxc.network.ipv4.gateway = IP_HERE
lxc.rootfs = /var/lib/lxc/test-test/rootfs
lxc.utsname = HOSTNAME

Then I started it with (I tried different -d / -D options later for verbose debugging, etc.):
lxc-start -dn test -- /usr/sbin/sshd -D
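
Added diagnostic, not part of the bug report or of the pam package: run it inside the container to see whether the process sits in a child user namespace (a uid_map other than the initial identity mapping, such as the "0 100000 65536" mapping above) and whether the write to /proc/self/loginuid that pam_loginuid performs is refused there. The classification in loginuid_outcome is an assumption about how a namespace-aware pam_loginuid treats that refusal; it is not taken from the linked upstream commit.

```python
"""Diagnose the failure in this bug: can pam_loginuid set /proc/self/loginuid here?"""
import errno

# The initial user namespace maps every id onto itself with this single line.
INIT_NS_IDENTITY_MAP = [(0, 0, 4294967295)]


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map (or gid_map): one 'inside outside count' triple per line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line; be lenient with hand-fed input
        entries.append(tuple(int(f) for f in fields))
    return entries


def in_user_namespace(uid_map_text):
    """True when the caller runs in a child user namespace (e.g. an unprivileged LXC container)."""
    return parse_id_map(uid_map_text) != INIT_NS_IDENTITY_MAP


def loginuid_outcome(uid_map_text, write_errno):
    """Classify a write to /proc/self/loginuid; 'ignored' models the assumed namespace-aware
    behaviour (tolerate EPERM/EACCES only inside a user namespace), not the upstream code itself."""
    if write_errno == 0:
        return "set"
    if in_user_namespace(uid_map_text) and write_errno in (errno.EPERM, errno.EACCES):
        return "ignored"  # session continues, loginuid stays unset
    return "failed"       # pam_loginuid required -> sshd: "PAM session not opened, exiting"


def probe():
    """Live check on this host: repeat the write pam_loginuid does, using the current value."""
    with open("/proc/self/uid_map") as f:
        uid_map_text = f.read()
    with open("/proc/self/loginuid") as f:
        current = f.read().strip()
    write_errno = 0
    try:
        with open("/proc/self/loginuid", "w") as f:
            f.write(current)  # same value back, so a successful write changes nothing
    except OSError as e:
        write_errno = e.errno
    return in_user_namespace(uid_map_text), loginuid_outcome(uid_map_text, write_errno)


if __name__ == "__main__":
    ns, outcome = probe()
    print("child user namespace: %s; loginuid write: %s" % (ns, outcome))
```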

Comment 12 errata-xmlrpc 2020-03-31 19:10:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1005