Bug 127894 - pam-0.77-47 breaks passwd
Summary: pam-0.77-47 breaks passwd
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Depends On:
Reported: 2004-07-14 22:59 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)

Clone Of:
Last Closed: 2004-07-22 22:43:52 UTC


Description Steve Grubb 2004-07-14 22:59:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)

Description of problem:
When using the latest version of pam from rawhide, the passwd utility
is broken because of SELinux patches and will not let you set a new
passwd. I enabled pam debug to get this:

[pam_item.c:pam_get_item(170)] returning user=root
[pam_unix_passwd.c:pam_sm_chauthtok(1295)] password processed
[pam_unix_passwd.c:_do_setpass(740)] called
[pam_unix_passwd.c:_unix_run_shadow_binary(231)] called.
[pam_unix_passwd.c:pam_sm_chauthtok(1309)] retval was 1
[pam_dispatch.c:_pam_dispatch_aux(84)] module returned: dlopen() failure

It indicates that a dlopen failure occurred.
If you dig deeper, you will see that it uses a little utility called
unix_chkpwd. In pam_unix_passwd.c around line 297, you will see this:

  rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
  if (rc<0) {
    _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc,
    retval = PAM_AUTH_ERR;
  } else {
    retval = WEXITSTATUS(retval);

It basically sets retval to whatever the exit code was from
unix_chkpwd. This doesn't sound like a dlopen() problem. Looking
inside unix_chkpwd.c around line 306 is this:

      retval = _unix_verify_password(forwho, pass, 0);
      if (retval != PAM_SUCCESS) {
        return retval;

This unconditionally returns the return code of _unix_verify_password
if it's not PAM_SUCCESS. Looking at that function, I see

int retval = UNIX_FAILED;

Looking up UNIX_FAILED, I see it's set to 1. This would not be the
correct pam return code. This is what's causing the dlopen failure
message, but the bigger question is "why is it verifying a password
that is being changed?" It obviously will fail since it doesn't agree
with what's in the shadow database.

Please fix? Running the passwd utility apparently has not been tested.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. passwd
2. Enter the new password
3. Enter it again
4. Boom

Actual Results:  passwd: dlopen() failure

Expected Results:  All tokens successfully changed

Additional info:

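To see why a raw exit status of 1 surfaces as "dlopen() failure", here is an added example (not code from this bug or from Linux-PAM) that reproduces the waitpid/WEXITSTATUS logic quoted above against a constructed stand-in for unix_chkpwd. The PAM numeric values are copied from Linux-PAM's _pam_types.h; the checked variant is a hypothetical caller-side guard for illustration, not the fix that was applied to unix_chkpwd.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Numeric values as defined in Linux-PAM's _pam_types.h. */
#define PAM_SUCCESS      0
#define PAM_OPEN_ERR     1   /* pam_strerror() text: "dlopen() failure" */
#define PAM_AUTH_ERR     7
#define PAM_AUTHTOK_ERR 20
#define UNIX_FAILED      1   /* unix_chkpwd's generic failure value */

/* Constructed stand-in for unix_chkpwd: exit with a code, or die by signal. */
static pid_t spawn_helper(int exit_code, int kill_signal) {
    pid_t child = fork();
    if (child == 0) {
        if (kill_signal) raise(kill_signal);
        _exit(exit_code);
    }
    return child;
}

/* Logic quoted from pam_unix_passwd.c: the helper's exit status becomes
   the module's PAM return value, unchecked. */
static int collect_raw(pid_t child) {
    int status;
    if (waitpid(child, &status, 0) < 0) return PAM_AUTH_ERR;
    return WEXITSTATUS(status);
}

/* Hypothetical caller-side guard: only a code the helper is documented to
   return passes through; anything else, including a signal death, is
   reported as a plain authentication failure. */
static int collect_checked(pid_t child) {
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return PAM_AUTH_ERR;
    switch (WEXITSTATUS(status)) {
    case PAM_SUCCESS: case PAM_AUTH_ERR: case PAM_AUTHTOK_ERR:
        return WEXITSTATUS(status);
    default:
        return PAM_AUTH_ERR;
    }
}

int main(void) {
    /* UNIX_FAILED (1) collides with PAM_OPEN_ERR, hence "dlopen() failure". */
    printf("raw %d, checked %d\n", collect_raw(spawn_helper(UNIX_FAILED, 0)),
           collect_checked(spawn_helper(UNIX_FAILED, 0)));
    return 0;
}
```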
Comment 1 Daniel Walsh 2004-07-20 19:24:46 UTC
Modified unix_chkpwd to exit with all pam Error codes

Comment 2 Steve Grubb 2004-07-21 15:38:48 UTC
Thanks Dan. It's much less of a wild goose chase now. ;)

I recompiled -50 & installed it and now I get this:

[root@buildhost root]# passwd
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: Authentication failure

Can you test exactly as above? Run passwd as root, set the password to
12345. (I know it's a stupid password, but it *is* the test.) Does
root's password successfully change? 

There might also need to be some D() macros added to the pam-selinux
patch in the unix_chkpwd utility for debugging problems like this. As
it is, there's no way to see why/where unix_chkpwd is failing. D()
macros are only compiled when the debug option is set in ./configure,
so it should not be a security concern. Just a suggestion...

Comment 3 Daniel Walsh 2004-07-21 17:02:28 UTC
Works for me.

Changing password for user root.
New UNIX password: 
BAD PASSWORD: it is too short
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

Comment 4 Daniel Walsh 2004-07-21 17:03:24 UTC
Of course I am using targeted policy.

Comment 5 Steve Grubb 2004-07-22 21:52:07 UTC
Thanks Dan. I relabeled the filesystem and everything works now. The
cleanup of the error messages in unix_chkpwd looks good. This bug
report can be closed.

Comment 6 Leonard Avilla 2004-10-13 14:32:52 UTC
I have 2 servers: 1 works fine and on the other I get:

[root@ns1 root]# passwd
Changing password for user root.
New password:
BAD PASSWORD: it is too short
Retype new password:
passwd: dlopen() failure
