Red Hat Bugzilla – Bug 105615
login fails when using securid and PAM
Last modified: 2007-04-18 12:57:50 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030718
Description of problem:
In some cases, login will immediately terminate a new user session due to a zombie
process which triggers a wait() which does not check to verify that it is the
login session which died. We see the problem when using pam_securid.so.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install and configure RSA's securid pam agent for login
Actual Results: login session immediately terminates when the parent process
executes a wait() without checking the return value and a zombie process already
Expected Results: login parent process should wait for the child login session
to terminate normally. Whatever created the zombie process should have waited
for it, but regardless login should ignore it.
RSA's securid pam agent is only supported on RedHat 7.3. Nevertheless, it seems
to work fine on 9.0 systems if login is patched.
Created attachment 94745
login.c patch to unchecked wait() call
I don't know what causes the zombie process, it appears in the process list as
login cannot anticipate every possible brokenness that PAM modules might create. The
right solution is to fix pam_securid.
It doesn't look like pam_securid is part of the distribution, but the source is out there. I
suggest contacting the author directly for a fix.
I strongly disagree. Checking the return value of wait() or any other system
call is a good programming practice.
Similarly, making a one line patch which would allow a popular COTS package to
work with your system is good business practice. Otherwise, your customers may
be forced to choose an alternate system.
PAM exists to make the authentication subsystem more flexible. It is safe to
assume that with that flexibility will come errors. login should be
strengthened to withstand those errors.
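The failure mode discussed in this report, as an added example. It is not the attached patch, whose contents are not shown here, and not code from login.c. The helper names (spawn, wait_for_session, reaped_session) and the two child processes are constructed for illustration: a parent that trusts the first pid returned by wait() ends the session as soon as an unrelated child is reaped, while a parent that compares the pid keeps waiting for the session.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fork a child that lives for ms milliseconds, then exits with code. */
static pid_t spawn(int ms, int code)
{
    pid_t pid = fork();
    if (pid == 0) {
        struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
        _exit(code);
    }
    return pid;
}

/* Reap children until the one reaped is the session; retry on EINTR. */
static pid_t wait_for_session(pid_t session, int *status)
{
    pid_t pid;
    do {
        pid = wait(status);
    } while ((pid > 0 && pid != session) || (pid < 0 && errno == EINTR));
    return pid;
}

/* Returns 1 if the wait ended on the session child, 0 if on the stray, -1 on fork failure. */
int reaped_session(int checked, int *code)
{
    int status = 0;
    pid_t stray = spawn(0, 0);      /* constructed stand-in for the leftover child */
    pid_t session = spawn(300, 7);  /* constructed stand-in for the user's session */
    if (stray < 0 || session < 0) return -1;
    /* checked == 0 is the pattern in the report: the first reaped pid is trusted */
    pid_t got = checked ? wait_for_session(session, &status) : wait(&status);
    *code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    if (got != session)
        waitpid(session, NULL, 0);  /* demo cleanup: reap the still-running session */
    return got == session;
}

int main(void)
{
    int code;
    printf("unchecked wait() ended on the session: %d\n", reaped_session(0, &code));
    printf("checked wait() ended on the session:   %d\n", reaped_session(1, &code));
}
```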