Bug 1267836 - PAM responder crashed if user was not set
Summary: PAM responder crashed if user was not set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-01 08:00 UTC by Lukas Slebodnik
Modified: 2020-05-02 18:11 UTC (History)
13 users (show)

Fixed In Version: sssd-1.13.0-38.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 11:40:53 UTC
Target Upstream Version:


Attachments (Terms of Use)
C Prgram for reproducing crash (1.63 KB, text/x-csrc)
2015-10-01 09:22 UTC, Lukas Slebodnik
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3852 0 None closed PAM responder crashed if user was not set 2020-12-15 22:51:47 UTC
Red Hat Product Errata RHSA-2015:2355 0 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Lukas Slebodnik 2015-10-01 08:00:19 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2811

{{{
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f29f8324fe0][19]
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f29f8324fe0][19]
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering pam_cmd_preauth
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): service: ipsilon_ecp
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.168.52.2
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29509
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: not set
(Thu Oct  1 02:19:04 2015) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
}}}

Comment 1 Lukas Slebodnik 2015-10-01 09:22:02 UTC
Created attachment 1078997 [details]
C Prgram for reproducing crash

Prepare new service in /etc/pam.d

[root@host ~]# cat /etc/pam.d/ipsilon_ecp 
auth    required   pam_sss.so
account required   pam_sss.so

Compile attached reproducer.
gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam

Expected result:
The pam responder (ssss_pam) should not crash

Comment 2 Lukas Slebodnik 2015-10-01 13:19:54 UTC
It is reproducible only in case if pam preauth is available.

So you need to test with ipa provider

Comment 4 Lukas Slebodnik 2015-10-02 10:20:18 UTC
master: 
* 2e76b32e74abedb23665808bacc73cafd1097c37

sssd-1-13:
* ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273

Comment 6 Nikhil Dehadrai 2015-10-12 12:23:29 UTC
IPA Server/Client: ipa-server-4.2.0-12.el7.x86_64, ipa-client-4.2.0-12.el7.x86_64
RHEL: 7.2

Tested the bug with following Scenarios:

Scenario A) For sssd-1.13.0-36.el7.x86_64 (Used to reproduce the issue)
observations:
1) Create /etc/pam.d/ipsilon_ecp with paramters:
	auth    required   pam_sss.so
	account required   pam_sss.so
2) Notice the sssd_pam process id, using ps -elf | grep sssd
	(In my case)
	4 S root      2580  2549  0  80   0 - 59732 ep_pol 16:55 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
3) Now run the GCC compiler for the attached C program
	gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam
4) Execute ./sssd_pam_crash_reproducer
5) Noticed the id for sssd_pam is changed:
	4 S root      2620  2549  0  80   0 - 59732 ep_pol 17:01 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
6) Also, following error message is noticed under /var/log/messages:
	Oct 12 17:01:08 <ipa-server> kernel: sssd_pam[2580]: segfault at 10 ip 00007f0f11409730 sp 00007ffc27d5e490 error 4 in sssd_pam[7f0f11400000+20000]
	Oct 12 17:01:08 <ipa-server> sssd[pam]: Starting up


Scenario B) For sssd-1.13.0-39.el7.x86_64, (On the same system, upgraded the sssd to latest version and Used this to verify fix for the issue)
observations:
1) Notice the sssd_pam process id, using ps -elf | grep sssd
	(In my case)
	4 S root      2702  2698  0  80   0 - 59760 ep_pol 17:12 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
2) Now run the GCC compiler for the attached C program
	gcc sssd_pam_crash_reproducer.c -o sssd_pam_crash_reproducer -lpam
3) Execute ./sssd_pam_crash_reproducer, following message is returned which is expected. (As per discussion with dev Team)
	testing pam_authenticate
	pam_authenticate: Insufficient credentials to access authentication data
4) Noticed the id for sssd_pam is NOT changed:
	4 S root      2702  2698  0  80   0 - 59760 ep_pol 17:12 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
5) Also, NO error message is noticed under /var/log/messages:
	
Thus on the basis of above observations in Scenario A) and Scenario B), marking the status of bug as "VERIFIED".

Comment 7 errata-xmlrpc 2015-11-19 11:40:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html


Note You need to log in before you can comment on or make changes to this bug.