From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030718

Description of problem:
In some cases, login will immediately terminate a new user session due to a zombie process which triggers a wait() which does not check to verify that it is the login session which died. We see the problem when using pam_securid.so.

Version-Release number of selected component (if applicable):
util-linux-2.11y-9

How reproducible:
Sometimes

Steps to Reproduce:
1. install and configure RSA's securid pam agent for login
2. login
3.

Actual Results:
login session immediately terminates when the parent process executes a wait() without checking the return value and a zombie process already exists.

Expected Results:
login parent process should wait for the child login session to terminate normally. Whatever created the zombie process should have waited for it, but regardless login should ignore it.

Additional info:
RSA's securid pam agent is only supported on RedHat 7.3. Nevertheless, it seems to work fine on 9.0 systems if login is patched.
Created attachment 94745
login.c patch to unchecked wait() call

I don't know what causes the zombie process. It appears in the process list as "[ps <defunct>]".
login cannot anticipate every possible brokenness that PAM modules might create. The right solution is to fix pam_securid. It doesn't look like pam_securid is not part of the distribution, but the source is out there. I suggest contacting the author directly for a fix.
I strongly disagree. Checking the return value of wait() or any other system call is a good programming practice. Similarly, making a one-line patch which would allow a popular COTS package to work with your system is good business practice. Otherwise, your customers may be forced to choose an alternate system. PAM exists to make the authentication subsystem more flexible. It is safe to assume that with that flexibility will come errors. login should be strengthened to withstand those errors.