Bug 211756

Summary: su segfaults on bad password with pam_krb5
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <redhat>
Component: pam
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: meyering, nalin, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-03-27 12:50:48 UTC

Description W. Michael Petullo 2006-10-21 22:06:30 UTC
Description of problem:
The su command segfaults if I configure PAM to authenticate using Kerberos and
provide an incorrect password.

Version-Release number of selected component (if applicable):
coreutils-5.97-11

How reproducible:
Every time

Steps to Reproduce:
1. Configure PAM as below.
2. su - someuser
3. Enter an incorrect password
  
Actual results:
Segmentation fault

Expected results:
The su utility should refuse to authenticate the user and not segfault.

Additional info:
auth        required      /lib/security/$ISA/pam_env.so
auth        optional      /lib/security/$ISA/pam_keyring.so
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass
auth        [authinfo_unavail=ignore success=1 default=2] /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
[...]

If I remove the line for pam_krb5.so then su will not segfault.

(gdb) run - mike
Starting program: /bin/su - mike
[Thread debugging using libthread_db enabled]
[New Thread 805494224 (LWP 2555)]
Error while reading shared library symbols:
Cannot find new threads: generic error
Password: 

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 805494224 (LWP 2555)]
0x07fd60d0 in _pam_dispatch () from /lib/libpam.so.0
(gdb) ba
#0  0x07fd60d0 in _pam_dispatch () from /lib/libpam.so.0
#1  0x07fd55d8 in pam_authenticate () from /lib/libpam.so.0
#2  0x08003838 in main (argc=3, argv=0x7f8d54b4) at su.c:364
#3  0x07dc0d4c in generic_start_main () from /lib/libc.so.6
#4  0x07dc0f74 in __libc_start_main () from /lib/libc.so.6
#5  0x00000000 in ?? ()
(gdb)

Comment 1 Tim Waugh 2006-10-22 09:29:22 UTC
If all you've changed is the pam config then it sounds like a pam_krb5 bug. 
Reassigning..

Comment 2 W. Michael Petullo 2006-10-22 18:19:11 UTC
Is this a bug in the pam library instead?  I have used [authinfo_unavail=ignore
success=1 default=2], however, there are not enough auth modules listed to jump
down two levels in the stack.

I realize that this configuration is not quite right.  However, su certainly
should not segfault!

Comment 3 Tim Waugh 2006-10-23 10:31:49 UTC
su isn't -- pam_krb5.so (which it dynamically loads) is, from the sound of it.

Comment 4 Tomas Mraz 2008-03-27 12:50:48 UTC
This is fixed in Linux-PAM-0.99.10.0 which is in rawhide.
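
A lint for the condition raised in comment 2, added here as an example and not part of the original bug thread or of Linux-PAM: it parses one facility's stack from a PAM config and reports value=N jump actions where N is larger than the number of modules that follow. The function names are hypothetical, the sample is constructed from the config in the report, and the example assumes a single file with no include expansion or backslash continuations.

```python
import re

# Constructed sample: the auth stack from the report, with the wrapped
# pam_krb5 line joined onto one line.
SAMPLE = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        optional      /lib/security/$ISA/pam_keyring.so
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass
auth        [authinfo_unavail=ignore success=1 default=2] /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# facility, control (keyword or bracketed value=action list), module path
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, facility="auth"):
    """Return [(lineno, control, module)] for one facility, in stack order."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        # A leading "-" on the facility only silences missing-module logging.
        if m and m.group(1).lstrip("-") == facility:
            stack.append((lineno, m.group(2), m.group(3)))
    return stack

def find_overlong_jumps(text, facility="auth"):
    """Flag value=N actions whose jump count N exceeds the modules that follow."""
    stack = parse_stack(text, facility)
    findings = []
    for idx, (lineno, control, module) in enumerate(stack):
        if not control.startswith("["):
            continue  # keyword controls (required, sufficient, ...) never jump
        remaining = len(stack) - idx - 1
        for token in control.strip("[]").split():
            key, _, action = token.partition("=")
            if action.isdigit() and int(action) > remaining:
                findings.append((lineno, module, key, int(action), remaining))
    return findings

if __name__ == "__main__":
    for lineno, module, key, n, remaining in find_overlong_jumps(SAMPLE):
        print(f"line {lineno}: {module}: {key}={n} but only "
              f"{remaining} module(s) follow in the stack")
```
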