Bug 210120

Summary: PAM passthru plugin causes directory server to crash
Product: [Retired] 389 Reporter: Miika Pekkarinen <miipekk>
Component: Server - PluginsAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: high Docs Contact:
Priority: medium    
Version: 1.0.2CC: amsharma, vtsuryawanshi
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-07 17:07:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 208654    
Attachments:
Description Flags
Simple patch to fix the issue
none
new diffs none

Description Miika Pekkarinen 2006-10-10 06:24:53 UTC 
Description of problem:

Providing an incorrect authentication parameters for LDAP bind operation 
causes pam_passthru-plugin to pass a NULL pointer string to the system PAM 
authentication modules which will crash.

How reproducible:

Behaviour should be reproduceable with all versions.


Steps to Reproduce:
1. Make sure kerberos is used for PAM authentication
2. Enable pam_passthru -plugin
3. ldapsearch -x -D 'asdasdadf' -w asdasfas
4. Directory server crashes
  
Actual results:

Server is running fine and working correctly with a valid query like:
ldapsearch -x -b 'dc=valid,dc=data -D 'uid=user,ou=People,dc=valid,dc=data' -w 
blah123

But providing incorrect bind data crashes server immediately:
[root@auth0 fedora-ds]# ldapsearch -x -b 'dc=valid,dc=data -D 'blah123' -w 
blah123
ldap_bind: Can't contact LDAP server (-1)


Additional info:

A patch to fix this problem is provided as attachment. The fix was to prevent 
str being NULL.
Comment 1 Miika Pekkarinen 2006-10-10 06:24:53 UTC 
Created attachment 138116 [details]
Simple patch to fix the issue
Comment 2 Rich Megginson 2006-10-10 13:56:18 UTC 
Thanks!

In order to accept your patch into the codebase, we need to have a signed
Contributor License Agreement from you - see
http://directory.fedora.redhat.com/wiki/Contributing for more details.  We are
just about to release Fedora DS 1.0.3 and we would really like to get this bug
fix in, so please send in the CLA as soon as possible.  And thanks again.
Comment 3 Rich Megginson 2006-10-10 15:30:21 UTC 
Created attachment 138150 [details]
new diffs

The previous patch would fix the problem, but I think it is better to just skip
the pam processing if there is a problem with the given bind dn.
Comment 4 Noriko Hosoi 2006-10-10 16:07:29 UTC 
Looks good to me.
Comment 5 Rich Megginson 2006-10-10 16:32:49 UTC 
Reviewed by: nhosoi (Thanks!)
Files: pam_ptimpl.c
Branch: HEAD
Fix Description: If the DN given in the BIND request is bogus i.e. not a valid
DN (at least not one that ldap_explode_dn can parse), we should just skip the
PAM processing and just report a reasonable error to the client.  Similarly, if
the map method says to lookup the pam ID from the bind DN entry, and the entry
cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no

Checking in pam_ptimpl.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c,v  <-- 
pam_ptimpl.c
new revision: 1.9; previous revision: 1.8
done
Comment 6 Michael Gregg 2007-11-21 19:22:01 UTC 
 
I'm punting this because the pam_pasthrough plugin is not shipped with redhat-ds.
Comment 9 Amita Sharma 2011-06-20 06:56:58 UTC 
PAM passthrough startup Tests  PASS   : 100% (13/13)
PAM passthrough run Tests  PASS       : 100% (9/9)
PAM passthrough cleanup Tests  PASS   : 100% (5/5)

hence marking Verified -sanity only.