Red Hat Bugzilla – Bug 125653
segfaults when compat mode used in nsswitch.conf
Last modified: 2007-11-30 17:10:44 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Description of problem:
'su - user' segfaults when compat mode used in nsswitch.conf
for passwd, shadow, group.
Also, trying to ssh into the box as the user fails immediately
with a 'Connection reset by peer' error. I assume the sshd
child is segfaulting too.
Changing nsswitch.conf to have 'files nis' for passwd, shadow
and group fixes things (though sshd needs a restart after a
change in /etc/nsswitch.conf).
In either configuration, something like 'id user' works
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. put passwd, shadow, group in 'compat' mode in /etc/nsswitch
2. bind to an NIS server
3. run 'su - user' where user is an NIS user
Actual Results: 'su - user' dies with segmentation fault
Expected Results: Should have gotten a shell as given user
Seems to affect only users that are in more than 8 groups
The bug seems to actually be in the PAM component as I discovered it
goes away if I remove the pam_succeed_if line from system-auth
I've also found this. If the groups are in /etc/group it works but
getting them from NIS is when the problem occurs. It looks like a
problem in getgrouplist() and/or the libnss_compat functions. Here is
a backtrace from a 'su - user' coredump:
#0 0x009c69f8 in getgrent_next_nss () from /lib/libnss_compat.so.2
#1 0x009c6726 in internal_getgrent_r () from /lib/libnss_compat.so.2
#2 0x009c6137 in _nss_compat_initgroups_dyn () from
#3 0x006b3565 in getgrouplist () from /lib/tls/libc.so.6
#4 0x00435a5d in pam_sm_authenticate () from
#5 0x000000c8 in ?? ()
#6 0x0892c070 in ?? ()
#7 0xfef2e600 in ?? ()
#8 0x00748780 in __after_morecore_hook () from /lib/tls/libc.so.6
#9 0x0892a2e8 in ?? ()
#10 0xfef2e5d4 in ?? ()
#11 0x0069273b in free () from /lib/tls/libc.so.6
Previous frame inner to this frame (corrupt stack?)
I've also played with the example in the getgrouplist man page and
found similar results. The example needs changed so *ng is > 0 and
groups points to valid storage or the 2nd call will always coredump.
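The calling pattern that comment asks for (a count greater than 0 and real storage behind the pointer before the first getgrouplist() call, then grow and retry on -1), as an added example that is not code from this bug report, glibc or pam. The helper names, the user name "exampleuser" and GID 4242 are constructed placeholders.

```c
#define _DEFAULT_SOURCE              /* exposes getgrouplist() in glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define MAX_GROUP_SLOTS 65536        /* assumed sanity cap for this example */

/* Hypothetical helper: returns a malloc'd list of the user's GIDs and stores
 * the count in *count; NULL on failure. The caller frees the result. */
gid_t *fetch_group_list(const char *user, gid_t primary, int *count)
{
    int capacity = 8;                /* start with real storage, never 0/NULL */
    gid_t *groups = malloc((size_t)capacity * sizeof(*groups));

    while (groups != NULL) {
        int n = capacity;            /* in: slots available, out: slots needed */
        if (getgrouplist(user, primary, groups, &n) != -1) {
            *count = n;
            return groups;
        }
        /* Too small: n should now hold the required size. Do not trust it
         * blindly; make sure the buffer really grows before retrying. */
        if (n <= capacity)
            n = capacity * 2;
        if (n > MAX_GROUP_SLOTS)
            break;
        gid_t *bigger = realloc(groups, (size_t)n * sizeof(*groups));
        if (bigger == NULL)
            break;
        groups = bigger;
        capacity = n;
    }
    free(groups);
    return NULL;
}

/* Hypothetical helper: 1 if gid appears in the list, otherwise 0. */
int group_list_contains(const gid_t *groups, int count, gid_t gid)
{
    for (int i = 0; i < count; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

int main(void)
{
    int count = 0;
    gid_t *groups = fetch_group_list("exampleuser", 4242, &count);
    printf("lookup %s, %d group(s)\n", groups ? "ok" : "failed", count);
    free(groups);
    return groups ? 0 : 1;
}
```

This only hardens the caller; a fault inside the NSS module itself, as in the backtrace above, still needs the library fix.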
By some chance, do any of your user accounts' primary groups in NIS
contain invalid characters such as a space?
I was experiencing su segfaulting when querying LDAP users, whose
primary group names contained spaces. After fixing the group names su
would not segfault anymore.
Nope, there are no spaces. There are names with uppercase, some with
underscore and some longer than 8 chars.
It works when the NIS groups are appended to /etc/group and the +:
taken out. I also since tested changing /etc/nsswitch.conf from:
group: files nis
and it will work correctly then also.
Looks like the real problem is in _nss_compat_initgroups_dyn() in the
library /lib/libnss_compat.so.2 which is part of glibc.
Created attachment 103639
The code calling getgrouplist in the pam module is unnecessary as the data it
obtains aren't used by the module anyway.
So I removed the call.
Hopefully the removed getgrouplist call will fix this.