Bug 105615 - login fails when using securid and PAM
login fails when using securid and PAM
Product: Red Hat Linux
Classification: Retired
Component: util-linux (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Elliot Lee
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2003-09-25 19:00 EDT by George Boyce
Modified: 2007-04-18 12:57 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-10-24 11:41:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
login.c patch to unchecked wait() call (624 bytes, patch)
2003-09-25 19:05 EDT, George Boyce
no flags Details | Diff

  None (edit)
Description George Boyce 2003-09-25 19:00:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030718

Description of problem:
In some cases, login will immediately terminate a new user session due to zombie
process which triggers a wait() which does not check to verify that it is the
login session which died. We see the problem when using pam_securid.so.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.install and configure RSA's securid pam agent for login

Actual Results:  login session immediately terminates when the parent process
executes a wait() without checking the return value and a zombie process already

Expected Results:  login parent process should wait for the child login session
to terminate normally. Whatever created the zombie process should have waited
for it, but regardless login should ignore it.

Additional info:

RSA's securid pam agent is only supported on RedHat 7.3. Nevertheless, it seems
to work fine on 9.0 systems if login is patched.
Comment 1 George Boyce 2003-09-25 19:05:30 EDT
Created attachment 94745 [details]
login.c patch to unchecked wait() call

I don't know what causes the zombie process, it appears in the process list as
"[ps <defunct>]"
Comment 2 Elliot Lee 2003-10-06 13:37:41 EDT
login cannot anticipate every possible brokenness that PAM modules might create. The 
right solution is to fix pam_securid.

It doesn't look like pam_securid is not part of the distribution, but the source is out there. I 
suggest contacting the author directly for a fix.
Comment 3 George Boyce 2003-10-06 13:54:23 EDT
I strongly disagree. Checking the return value of wait() or any other system 
call is a good programming practice.

Similarly, making a one line patch which would allow a popular COTS package to 
work with your system is good business practice. Otherwise, your customers may 
be forced to choose an alternate system.

PAM exists to make the authentication subsystem more flexible. It is safe to 
assume that with that flexibility will come errors. login should be 
strengthened to withstand those errors.

Note You need to log in before you can comment on or make changes to this bug.