Bug 105615 - login fails when using securid and PAM
Summary: login fails when using securid and PAM
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: util-linux
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact: Ben Levenson
Reported: 2003-09-25 23:00 UTC by George Boyce
Modified: 2007-04-18 16:57 UTC (History)
Last Closed: 2003-10-24 15:41:59 UTC

Attachments
login.c patch to unchecked wait() call (624 bytes, patch)
2003-09-25 23:05 UTC, George Boyce

Description George Boyce 2003-09-25 23:00:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030718

Description of problem:
In some cases, login will immediately terminate a new user session due to a zombie
process which triggers a wait() which does not check to verify that it is the
login session which died. We see the problem when using pam_securid.so.

Version-Release number of selected component (if applicable):
util-linux-2.11y-9

How reproducible:
Sometimes

Steps to Reproduce:
1. install and configure RSA's securid pam agent for login
2. login

Actual Results:  login session immediately terminates when the parent process
executes a wait() without checking the return value and a zombie process already
exists.

Expected Results:  login parent process should wait for the child login session
to terminate normally. Whatever created the zombie process should have waited
for it, but regardless login should ignore it.

Additional info:

RSA's securid pam agent is only supported on RedHat 7.3. Nevertheless, it seems
to work fine on 9.0 systems if login is patched.

Comment 1 George Boyce 2003-09-25 23:05:30 UTC
Created attachment 94745
login.c patch to unchecked wait() call

I don't know what causes the zombie process, it appears in the process list as
"[ps <defunct>]"

Comment 2 Elliot Lee 2003-10-06 17:37:41 UTC
login cannot anticipate every possible brokenness that PAM modules might create. The 
right solution is to fix pam_securid.

It doesn't look like pam_securid is not part of the distribution, but the source is out there. I 
suggest contacting the author directly for a fix.

Comment 3 George Boyce 2003-10-06 17:54:23 UTC
I strongly disagree. Checking the return value of wait() or any other system 
call is a good programming practice.

Similarly, making a one line patch which would allow a popular COTS package to 
work with your system is good business practice. Otherwise, your customers may 
be forced to choose an alternate system.

PAM exists to make the authentication subsystem more flexible. It is safe to 
assume that with that flexibility will come errors. login should be 
strengthened to withstand those errors.

