Bug 125653 - segfaults when compat mode used in nsswitch.conf
segfaults when compat mode used in nsswitch.conf
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
2
All Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-09 14:06 EDT by Paul Raines
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version: 0.77-62
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-19 09:29:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (1.54 KB, patch)
2004-09-09 09:47 EDT, Tomas Mraz
no flags Details | Diff

  None (edit)
Description Paul Raines 2004-06-09 14:06:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
'su - user' segfaults when compat mode used in nsswitch.conf
for passwd, shadow, group.

Also, trying to ssh into the box as the user fails immediately
with a 'Connection reset by peer' error.  I assume the sshd
child is segfaulting too.

Changing nsswitch.conf to have 'files nis' for passwd, shadow
and group fix things (though sshd needs a restart after a
change in /etc/nsswitch.conf)

In either configuration, something like 'id user' works

Version-Release number of selected component (if applicable):
2.3.3-27

How reproducible:
Always

Steps to Reproduce:
1. put passwd, shadow, group in 'compat' mode in /etc/nsswitch
2. bind to and NIS server
3. run 'su - user' where user is an NIS user
    

Actual Results:  'su - user' dies with segmentation fault

Expected Results:  Should have gotten a shell as given user

Additional info:
Comment 1 Paul Raines 2004-06-09 14:21:54 EDT
Seems to affect only users that are in more than 8 groups
Comment 2 Paul Raines 2004-06-10 10:07:32 EDT
The bug seems to actually be in the PAM compenent as I discovered it 
goes away if I remove the pam_succeed_if line from system-auth
Comment 3 Mike Schwarz 2004-07-09 14:28:55 EDT
I've also found this.  If the groups are in /etc/group it works but
getting them from NIS is when the problem occurs.  It looks like a
problem in getgrouplist() and/or the libnss_compat functions.  Here is
a backtrace from a 'su - user' coredump:

(gdb) bt
#0  0x009c69f8 in getgrent_next_nss () from /lib/libnss_compat.so.2
#1  0x009c6726 in internal_getgrent_r () from /lib/libnss_compat.so.2
#2  0x009c6137 in _nss_compat_initgroups_dyn () from
/lib/libnss_compat.so.2
#3  0x006b3565 in getgrouplist () from /lib/tls/libc.so.6
#4  0x00435a5d in pam_sm_authenticate () from
/lib/security/../../lib/security/pam_succeed_if.so
#5  0x000000c8 in ?? ()
#6  0x0892c070 in ?? ()
#7  0xfef2e600 in ?? ()
#8  0x00748780 in __after_morecore_hook () from /lib/tls/libc.so.6
#9  0x0892a2e8 in ?? ()
#10 0xfef2e5d4 in ?? ()
#11 0x0069273b in free () from /lib/tls/libc.so.6
Previous frame inner to this frame (corrupt stack?)

I've also played with the example in the getgrouplist man page and
found similar results.  The example needs changed so *ng is > 0 and
groups points to valid storage or the 2nd call will always coredump.
Comment 4 Jason Sauve 2004-07-19 12:38:21 EDT
By some chance, do any of your user accounts primary groups in NIS 
contain invalid characters such as a space? 

I was experiencing su segfaulting when querying LDAP users, who's 
primary group names contained spaces. After fixing the group names su 
would not segfault anymore.

Comment 5 Mike Schwarz 2004-07-19 17:59:51 EDT
Nope, there are no spaces.  There are names with uppercase, some with
underscore and some longer than 8 chars.

It works when the NIS groups are appended to /etc/group and the +:
taken out.  I also since tested changing /etc/nsswitch.conf from:
  group: compat
to
  group: files nis
and it will work correctly then also. 

Looks like the real problem is in _nss_compat_initgroups_dyn() in the
library /lib/libnss_compat.so.2 which is part of glibc.
Comment 6 Tomas Mraz 2004-09-09 09:47:10 EDT
Created attachment 103639 [details]
Proposed patch

The code calling getgrouplist in the pam module is unnecessary as the data it
obtains aren't used by the module anyway.
So I removed the call.
Comment 7 Tomas Mraz 2004-10-19 09:29:54 EDT
Hopefully the removed getgrouplist call will fix this.

Note You need to log in before you can comment on or make changes to this bug.