Bug 125653 - segfaults when compat mode used in nsswitch.conf
Summary: segfaults when compat mode used in nsswitch.conf
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 2
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-06-09 18:06 UTC by Paul Raines
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: 0.77-62
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-10-19 13:29:54 UTC
Type: ---
Embargoed:


Attachments
Proposed patch (1.54 KB, patch)
2004-09-09 13:47 UTC, Tomas Mraz

Description Paul Raines 2004-06-09 18:06:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
'su - user' segfaults when compat mode used in nsswitch.conf
for passwd, shadow, group.

Also, trying to ssh into the box as the user fails immediately
with a 'Connection reset by peer' error.  I assume the sshd
child is segfaulting too.

Changing nsswitch.conf to have 'files nis' for passwd, shadow
and group fixes things (though sshd needs a restart after a
change in /etc/nsswitch.conf)

In either configuration, something like 'id user' works

Version-Release number of selected component (if applicable):
2.3.3-27

How reproducible:
Always

Steps to Reproduce:
1. put passwd, shadow, group in 'compat' mode in /etc/nsswitch
2. bind to an NIS server
3. run 'su - user' where user is an NIS user
    

Actual Results:  'su - user' dies with segmentation fault

Expected Results:  Should have gotten a shell as given user

Additional info:

Comment 1 Paul Raines 2004-06-09 18:21:54 UTC
Seems to affect only users that are in more than 8 groups


Comment 2 Paul Raines 2004-06-10 14:07:32 UTC
The bug seems to actually be in the PAM component as I discovered it
goes away if I remove the pam_succeed_if line from system-auth

Comment 3 Mike Schwarz 2004-07-09 18:28:55 UTC
I've also found this.  If the groups are in /etc/group it works but
getting them from NIS is when the problem occurs.  It looks like a
problem in getgrouplist() and/or the libnss_compat functions.  Here is
a backtrace from a 'su - user' coredump:

(gdb) bt
#0  0x009c69f8 in getgrent_next_nss () from /lib/libnss_compat.so.2
#1  0x009c6726 in internal_getgrent_r () from /lib/libnss_compat.so.2
#2  0x009c6137 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#3  0x006b3565 in getgrouplist () from /lib/tls/libc.so.6
#4  0x00435a5d in pam_sm_authenticate () from /lib/security/../../lib/security/pam_succeed_if.so
#5  0x000000c8 in ?? ()
#6  0x0892c070 in ?? ()
#7  0xfef2e600 in ?? ()
#8  0x00748780 in __after_morecore_hook () from /lib/tls/libc.so.6
#9  0x0892a2e8 in ?? ()
#10 0xfef2e5d4 in ?? ()
#11 0x0069273b in free () from /lib/tls/libc.so.6
Previous frame inner to this frame (corrupt stack?)

I've also played with the example in the getgrouplist man page and
found similar results.  The example needs to be changed so *ng is > 0 and
groups points to valid storage or the 2nd call will always coredump.

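An added example (not code from this bug report, from pam_succeed_if, or from glibc) of the getgrouplist() calling pattern Comment 3 describes: start with a real buffer and a positive *ngroups, and when the call returns -1 because the user belongs to more groups than fit (the "more than 8 groups" case from Comment 1), grow the buffer to the size glibc stores back into *ngroups and retry. It assumes glibc's behaviour of returning -1 and reporting the required count, and, in main(), that an account named root exists on the host; any other user name can be passed on the command line.

```c
/* Added example, not from the bug report, pam or glibc: safe two-step use
 * of getgrouplist(). The first call uses a real (small) buffer and a
 * positive *ngroups; on glibc a -1 return means "too small" and *ngroups
 * now holds the required count, so the buffer is grown and the call made
 * again. Calling with *ngroups == 0 or groups == NULL and then reading the
 * result is exactly the misuse that crashes. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `user` and store its primary + supplementary GIDs in *out.
 * Returns the number of GIDs (always >= 1, the primary group is included)
 * or -1 on failure; the caller frees *out on success. */
int gather_groups(const char *user, gid_t **out)
{
    *out = NULL;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;                       /* unknown user: no lookup done */

    int ngroups = 8;                     /* deliberately small start */
    gid_t *groups = malloc((size_t)ngroups * sizeof *groups);
    if (groups == NULL)
        return -1;

    /* Bounded retry: group membership can change between calls. */
    for (int attempt = 0; attempt < 4; attempt++) {
        int rc = getgrouplist(user, pw->pw_gid, groups, &ngroups);
        if (rc != -1) {
            *out = groups;               /* ngroups == entries written */
            return ngroups;
        }
        /* Too small: glibc stored the required size in ngroups. */
        gid_t *bigger = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (bigger == NULL)
            break;
        groups = bigger;
    }
    free(groups);
    return -1;
}

/* How a caller would actually consume the list: membership test. */
int in_group_list(const gid_t *groups, int ngroups, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";   /* assumed to exist */
    gid_t *groups;
    int n = gather_groups(user, &groups);
    if (n < 0) {
        fprintf(stderr, "group lookup failed for %s\n", user);
        return 1;
    }
    printf("%s is in %d group(s):", user, n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\n");
    free(groups);
    return 0;
}
```

The bounded loop matters: on a host where the NSS backend misreports the size, an unbounded retry would spin, and a module that only needs the list for an unrelated purpose (as Comment 6 concludes for pam_succeed_if) is better off not calling getgrouplist() at all.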
Comment 4 Jason Sauve 2004-07-19 16:38:21 UTC
By some chance, do any of your user accounts primary groups in NIS 
contain invalid characters such as a space? 

I was experiencing su segfaulting when querying LDAP users, whose
primary group names contained spaces. After fixing the group names su
would not segfault anymore.



Comment 5 Mike Schwarz 2004-07-19 21:59:51 UTC
Nope, there are no spaces.  There are names with uppercase, some with
underscore and some longer than 8 chars.

It works when the NIS groups are appended to /etc/group and the +:
taken out.  I also since tested changing /etc/nsswitch.conf from:
  group: compat
to
  group: files nis
and it will work correctly then also. 

Looks like the real problem is in _nss_compat_initgroups_dyn() in the
library /lib/libnss_compat.so.2 which is part of glibc.

Comment 6 Tomas Mraz 2004-09-09 13:47:10 UTC
Created attachment 103639 [details]
Proposed patch

The code calling getgrouplist in the pam module is unnecessary as the data it
obtains aren't used by the module anyway.
So I removed the call.

Comment 7 Tomas Mraz 2004-10-19 13:29:54 UTC
Hopefully the removed getgrouplist call will fix this.


