Bug 1905667 - su and sudo segmentation faulted before the password prompt with fprintd-1.90.6-1.fc33
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: fprintd
Version: 33
Hardware: Unspecified
OS: Unspecified
Assignee: Benjamin Berg
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1905795 1906700
Reported: 2020-12-08 19:14 UTC by Matt Fagnani
Modified: 2020-12-18 16:40 UTC
Last Closed: 2020-12-18 16:40:50 UTC
Type: Bug

Description Matt Fagnani 2020-12-08 19:14:26 UTC
Description of problem:

I updated a F33 KDE Plasma spin installation with updates-testing enabled with dnf on 2020-12-8. The update included fprintd-1.90.6-1.fc33.x86_64. su and sudo have segmentation faulted every time after that update before the password prompt appeared. For example, running su
$ su
Segmentation fault (core dumped)

The trace has pam_sm_authenticate from /usr/lib64/security/pam_fprintd.so in frame 2. The pointer s=0x0 in __GI___strdup at strdup.c:41 in frame 1 might indicate a null pointer problem.

Core was generated by `su'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
120             movdqu  (%rax), %xmm4
Missing separate debuginfos, use: dnf debuginfo-install util-linux-2.36-3.fc33.x86_64
(gdb) bt
#0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
#1  0x00007f3af7f5b533 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007f3ae9eee267 in pam_sm_authenticate () from /usr/lib64/security/pam_fprintd.so
#3  0x00007f3af80b42f2 in _pam_dispatch () from /lib64/libpam.so.0
#4  0x00007f3af80b4aad in pam_authenticate () from /lib64/libpam.so.0
#5  0x00005626813117c2 in su_main.constprop ()
#6  0x000056268130c7ab in main ()

The journal also showed fprintd starting each time I ran sudo. I think fprintd-1.90.6-1.fc33 is the most likely to be involved in these crashes. sudo has segmentation faulted with any command I've run including sudo dnf upgrade --refresh, sudo dnf info gdb, sudo dnf debuginfo-install fprintd, sudo dnf downgrade fprintd, sudo -i, sudo coredumpctl gdb. The sudo core dumps haven't been created due to some sort of resource limit with systemd-coredump.

Version-Release number of selected component (if applicable):
fprintd-1.90.6-1.fc33.x86_64
util-linux-2.36-3.fc33.x86_64
sudo-1.9.2-1.fc33.x86_64
glibc-2.32-2.fc33.x86_64

How reproducible:
su and sudo have segmentation faulted every time I've run them after updating to fprintd-1.90.6-1.fc33.x86_64

Steps to Reproduce:
1. Boot a F33 KDE Plasma spin installation with updates-testing enabled
2. Log in to Plasma on Wayland
3. Start konsole
4. sudo dnf upgrade --refresh

Actual results:
su and sudo segmentation faulted before the password prompt with fprintd-1.90.6-1.fc33

Expected results:
No crashes would happen.

Additional info:
I tried to submit the su crash with gnome-abrt, but abrt wouldn't allow the creation of a bugzilla report due to insufficient information in the trace. A FAF report was created but the crash entry and link have been removed from gnome-abrt due to newer crashes. I'll try to get more information on these crashes without su and sudo working such as by installing the fprintd debug rpms.

Comment 1 Benjamin Berg 2020-12-08 19:48:53 UTC
Could you install the debug info for fprintd-pam and see if you can get a backtrace?

  coredumpctl gdb su

should give you the relevant information after installing the debug info.

Comment 2 Benjamin Berg 2020-12-08 19:51:58 UTC
Also, the full logs for fprintd and other system messages might be useful (i.e. from su/sudo). Not sure, but the information that fprintd is restarting could be interesting depending on why it is restarting (it usually just shuts down after a few seconds when unused, so that is likely normal).

Also, do you have a fingerprint reader?

Comment 3 Matt Fagnani 2020-12-08 20:21:54 UTC
(In reply to Benjamin Berg from comment #2)
> Also, the full logs for fprintd and other system messages might be useful
> (i.e. from su/sudo). Not sure, but the information that fprintd is
> restarting could be interesting depending on why it is restarting (it
> usually just shuts down after a few seconds when unused, so that is likely
> normal).
> 
> Also, do you have a fingerprint reader?

I rebooted into single user mode by putting S on the kernel command line in grub and downgraded to fprintd-1.90.5-1.fc33 and fprintd-pam-1.90.5-1.fc33 from koji. When I rebooted, su and sudo worked normally. I upgraded to fprintd-1.90.6-1.fc33.x86_64 after installing the fprintd-debuginfo-1.90.6-1.fc33.x86_64.rpm, pam-debuginfo-1.4.0-10.fc33.x86_64.rpm, util-linux-debuginfo-2.36-3.fc33.x86_64.rpm and debugsource rpms. su and sudo segmentation faulted as I reported. The trace with the additional debug info for su was as follows.

Core was generated by `su'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
120             movdqu  (%rax), %xmm4

(gdb) bt
#0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
#1  0x00007f3af7f5b533 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007f3ae9eee267 in open_device (has_multiple_devices=0x562681a65338, bus=<optimized out>, 
    pamh=0x562681a64520) at ../pam/pam_fprintd.c:151
#3  do_auth (username=0x562681a646d0 "root", pamh=0x562681a64520) at ../pam/pam_fprintd.c:632
#4  pam_sm_authenticate (flags=<optimized out>, argv=<optimized out>, argc=<optimized out>, 
    pamh=0x562681a64520) at ../pam/pam_fprintd.c:738
#5  pam_sm_authenticate (pamh=0x562681a64520, flags=<optimized out>, argc=<optimized out>, 
    argv=<optimized out>) at /usr/include/security/pam_modules.h:34
#6  0x00007f3af80b42f2 in _pam_dispatch_aux (use_cached_chain=<optimized out>, 
    resumed=<optimized out>, h=0x562681a6e300, flags=0, pamh=0x562681a64520) at pam_dispatch.c:110
#7  _pam_dispatch (pamh=pamh@entry=0x562681a64520, flags=flags@entry=0, choice=choice@entry=1)
    at pam_dispatch.c:426
#8  0x00007f3af80b4aad in pam_authenticate (pamh=0x562681a64520, flags=0) at pam_auth.c:34
#9  0x00005626813117c2 in supam_authenticate (su=0x7ffc39546960) at login-utils/su-common.c:389
#10 su_main (argc=<optimized out>, argv=0x7ffc39546cd8, mode=0) at login-utils/su-common.c:1146
#11 0x000056268130c7ab in main (argc=<optimized out>, argv=<optimized out>) at login-utils/su.c:6

My laptop doesn't have a fingerprint reader. Running sudo dnf info gdb with fprintd-1.90.6-1.fc33 showed fprintd starting and then sudo segmentation faulting without the core dump being created due to some resource limit. Running sudo with any command showed the same journal errors.

Dec 08 12:26:18 systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 08 12:26:18 systemd[1]: Started Fingerprint Authentication Daemon.
Dec 08 12:26:18 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 12:26:18 audit[1801]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1801 comm="sudo" exe="/usr/bin/sudo" sig=11 res=1
Dec 08 12:26:18 kernel: show_signal_msg: 67 callbacks suppressed
Dec 08 12:26:18 kernel: sudo[1801]: segfault at 0 ip 00007fd643922dda sp 00007ffd1c6b2668 error 4 in libc-2.32.so[7fd6438a9000+14f000]
Dec 08 12:26:18 kernel: Code: f3 0f 1e fa 66 0f ef c0 66 0f ef c9 66 0f ef d2 66 0f ef db 48 89 f8 48 89 f9 48 81 e1 ff 0f 00 00 48 81 f9 cf 0f 00 00 77 66 <f3> 0f 6f 20 66 0f 74 e0 66 0f d7 d4 85 d2 74 04 0f bc c2 c3 48 83
Dec 08 12:26:18 systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Dec 08 12:26:18 audit: BPF prog-id=46 op=LOAD
Dec 08 12:26:18 audit: BPF prog-id=47 op=LOAD
Dec 08 12:26:18 audit: BPF prog-id=48 op=LOAD
Dec 08 12:26:18 systemd[1]: Started Process Core Dump (PID 1807/UID 0).
Dec 08 12:26:18 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-1807-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 12:26:18 systemd-coredump[1808]: Resource limits disable core dumping for process 1801 (sudo).
Dec 08 12:26:18 systemd-coredump[1808]: Process 1801 (sudo) of user 1000 dumped core.
Dec 08 12:26:18 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-1807-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 12:26:18 systemd[1]: systemd-coredump: Succeeded.
Dec 08 12:26:18 audit: BPF prog-id=48 op=UNLOAD
Dec 08 12:26:18 audit: BPF prog-id=47 op=UNLOAD
Dec 08 12:26:18 audit: BPF prog-id=46 op=UNLOAD
Dec 08 12:26:18 abrt-dump-journal-core[876]: Failed to obtain all required information from journald
Dec 08 12:26:18 abrt-dump-journal-core[876]: Failed to save detect problem data in abrt database
Dec 08 12:26:30 systemd[1]: systemd-hostnamed.service: Succeeded.
Dec 08 12:26:30 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed 

Switching to another VT and trying to login as root segmentation faulted the login process with fprintd-1.90.6-1.fc33, but no core dump was created due to the resource limit.

Dec 08 13:02:50 systemd[1]: Started Getty on tty3.
Dec 08 13:02:50 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 13:02:53 systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 08 13:02:53 systemd[1]: Started Fingerprint Authentication Daemon.
Dec 08 13:02:53 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 13:02:53 kernel: login[3692]: segfault at 0 ip 00007f6f7fb32dda sp 00007ffc143cc6f8 error 4 in libc-2.32.so[7f6f7fab9000+14f000]
Dec 08 13:02:53 kernel: Code: f3 0f 1e fa 66 0f ef c0 66 0f ef c9 66 0f ef d2 66 0f ef db 48 89 f8 48 89 f9 48 81 e1 ff 0f 00 00 48 81 f9 cf 0f 00 00 77 66 <f3> 0f 6f 20 66 0f 74 e0 66 0f d7 d4 85 d2 74 04 0f bc c2 c3 48 83
Dec 08 13:02:53 audit[3692]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 pid=3692 comm="login" exe="/usr/bin/login" sig=11 res=1
Dec 08 13:02:53 audit: BPF prog-id=79 op=LOAD
Dec 08 13:02:53 audit: BPF prog-id=80 op=LOAD
Dec 08 13:02:53 audit: BPF prog-id=81 op=LOAD
Dec 08 13:02:53 systemd[1]: Started Process Core Dump (PID 3750/UID 0).
Dec 08 13:02:53 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@11-3750-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 13:02:53 systemd-coredump[3751]: Resource limits disable core dumping for process 3692 (login).
Dec 08 13:02:53 systemd-coredump[3751]: Process 3692 (login) of user 0 dumped core.
Dec 08 13:02:53 systemd[1]: getty: Succeeded.
Dec 08 13:02:53 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 13:02:53 systemd[1]: systemd-coredump: Succeeded.
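
Added example, not part of the original comment or of fprintd: a shell function that pairs the audit ANOM_ABEND records in the journal above with the kernel segfault line for the same PID, so crashes of authentication binaries stand out. The watch list (su, sudo, login) and the function names are assumptions; the sample input is the quoted journal lines with the subj= field trimmed, plus one constructed negative case.

```shell
#!/bin/sh
# Added example (not from the bug report): list crashes of authentication
# binaries from journal text by pairing audit ANOM_ABEND records with the
# kernel "segfault at" line for the same PID.

# Sample input: journal lines quoted above with the SELinux subj= field
# trimmed, plus one constructed non-auth crash (konsole) as a negative case.
sample_journal() {
cat <<'EOF'
Dec 08 12:26:18 audit[1801]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 pid=1801 comm="sudo" exe="/usr/bin/sudo" sig=11 res=1
Dec 08 12:26:18 kernel: sudo[1801]: segfault at 0 ip 00007fd643922dda sp 00007ffd1c6b2668 error 4 in libc-2.32.so[7fd6438a9000+14f000]
Dec 08 13:02:53 kernel: login[3692]: segfault at 0 ip 00007f6f7fb32dda sp 00007ffc143cc6f8 error 4 in libc-2.32.so[7f6f7fab9000+14f000]
Dec 08 13:02:53 audit[3692]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3692 comm="login" exe="/usr/bin/login" sig=11 res=1
Dec 08 13:05:00 audit[4000]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 pid=4000 comm="konsole" exe="/usr/bin/konsole" sig=6 res=1
EOF
}

# Reads journal text on stdin, prints one line per crashed auth binary.
# The watch list (su, sudo, login) is an assumption taken from this report.
auth_crashes() {
    awk '
    / kernel: .*: segfault at / {
        for (i = 2; i <= NF; i++) if ($i == "segfault") {
            pid = $(i - 1); sub(/^.*\[/, "", pid); sub(/\]:$/, "", pid)
            addr[pid] = $(i + 2)
            obj[pid] = $NF; sub(/\[.*$/, "", obj[pid])
        }
    }
    / ANOM_ABEND / {
        exe = ""; pid = ""; sig = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^exe=/) { exe = $i; gsub(/^exe=|"/, "", exe) }
            if ($i ~ /^pid=/) pid = substr($i, 5)
            if ($i ~ /^sig=/) sig = substr($i, 5)
        }
        if (exe ~ /^\/usr\/bin\/(su|sudo|login)$/) {
            order[++n] = pid; bin[pid] = exe; signo[pid] = sig
        }
    }
    # Emit at END: the kernel line may come before or after the audit record.
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            printf "%s pid=%s sig=%s fault_addr=%s in=%s\n", bin[p], p,
                signo[p], ((p in addr) ? addr[p] : "?"),
                ((p in obj) ? obj[p] : "?")
        }
    }'
}

sample_journal | auth_crashes
```

On a live system the same function can read `journalctl -b -o short` output on stdin; a fault address of 0 inside libc matches the `strdup (s=0x0)` frame in the backtrace.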

Comment 4 Benjamin Berg 2020-12-08 20:53:52 UTC
The problem only happens if you do not have a fingerprint reader. I'll submit another update to fix this tomorrow.

Comment 5 Benjamin Berg 2020-12-08 23:40:27 UTC
Anyone experiencing this. A few pointers to work around:

 * The crash shouldn't happen if you mask fprintd ("systemctl mask fprintd.service")
 * Remote logins (i.e. ssh) should not be affected either

So if SSH is enabled, then the easiest method of recovering should be to ssh to localhost. From there even a "sudo" should work just fine.

Comment 6 Henry Kroll 2020-12-09 04:06:18 UTC
> Anyone experiencing this.
Ever-confirmed.
Used ssh to log in and ran `/usr/bin/su` to enter root password.
`systemctl mask fprintd.service` did indeed work to stop the segfault.
*However* The desktop user, henry, now belongs only to the henry group, and no others.
`usermod -aG wheel henry` appears to have no effect, after logging in again. Weird.
I was able to make sudo work by specifically adding henry to the `/etc/sudoers` file, since groups aren't working at the moment.

Comment 7 Benjamin Berg 2020-12-09 09:15:42 UTC
> *However* The desktop user, henry, now belongs only to the henry group, and no others.
> `usermod -aG wheel henry` appears to have no effect, after logging in again.

Really, this is unrelated. My suspicion is that your systemd user instance was still running, causing the change not to be applied. Any of the below workarounds should work there:
 * Wait at least 10s after logging out from your last session, before logging back in
 * "loginctl kill-user henry"
 * reboot

Comment 8 David Hill 2020-12-09 21:38:42 UTC
After fixing the segfault, my user, being a member of wheel, no longer has sudo access for some reason. Looking at what fprintd does, doesn't it make sense that if we mask the service it can no longer interface with it? (I don't know how this works, I'm just throwing this in the air.)

Comment 9 David Hill 2020-12-09 21:39:51 UTC
I've put the details already in https://bugzilla.redhat.com/show_bug.cgi?id=1905774

Comment 10 Peter Simonyi 2020-12-10 05:45:40 UTC
I ran into this too, and masking fprintd.service fixes it (I don't have fingerprint reader hardware anyway).

I found not only sudo and su segfault, but also polkit.  So without a locked (passwordless) root account and pretty much all normal privilege escalation tools out of commission, masking the service was not so simple.  Let me leave a couple of pointers for anyone else caught here:
- 'rescue mode' normally requires the root password, even if the account is locked and has no password
- you can boot with init=/usr/bin/bash instead
- you can't run systemctl if the system was not booted with systemd, but systemctl mask <x>.service is the same as ln -s /dev/null /etc/systemd/system/<x>.service
- for the future, you can use `systemctl edit rescue.service` to create a drop-in file that modifies the rescue service; add a `[Service]` section with the line `Environment=SYSTEMD_SULOGIN_FORCE=1`.  With this change, when you boot into rescue mode (with systemd.unit=rescue.service on the kernel command line), if there is a root password you still have to provide it but if there is no root password it just lets you in.
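
Added example, not part of the original comment: the recovery steps listed above as shell functions that work on a root tree without a running systemd. ROOT and the function names are assumptions; ROOT is `/` once it is writable (comment 16 notes `mount -o remount,rw /` after booting with init=/usr/bin/bash) or the mount point of the broken install when working from live media.

```shell
#!/bin/sh
# Added example (not from the bug report): mask a unit and install the
# rescue.service drop-in by editing files directly, for use when systemctl
# cannot run. ROOT is an assumption: the root of the installation to repair.

unit_dir() { printf '%s/etc/systemd/system' "$1"; }

# Same effect as "systemctl mask UNIT": a symlink to /dev/null.
mask_unit() {       # mask_unit ROOT UNIT
    dir=$(unit_dir "$1"); path="$dir/$2"
    mkdir -p "$dir" || return 1
    # Do not overwrite a real unit file an administrator placed here.
    if [ -e "$path" ] && [ ! -L "$path" ]; then
        echo "refusing to replace regular file $path" >&2
        return 1
    fi
    ln -sf /dev/null "$path"
}

is_masked() {       # is_masked ROOT UNIT
    [ "$(readlink "$(unit_dir "$1")/$2" 2>/dev/null)" = /dev/null ]
}

# Undo the mask once a fixed package is installed; removes only the
# /dev/null symlink, never a real unit file.
unmask_unit() {     # unmask_unit ROOT UNIT
    is_masked "$1" "$2" || return 1
    rm -f "$(unit_dir "$1")/$2"
}

# Drop-in with the same content "systemctl edit rescue.service" would hold.
force_sulogin() {   # force_sulogin ROOT
    d="$(unit_dir "$1")/rescue.service.d"
    mkdir -p "$d" || return 1
    printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' > "$d/override.conf"
}

# Usage on the broken system (run as root, root filesystem writable):
#   mask_unit / fprintd.service && is_masked / fprintd.service
```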

Comment 11 Benjamin Berg 2020-12-10 12:40:45 UTC
I wrote a mail to fedora-devel about it. Seems to me like something that should be improved in sulogin (part of util-linux) somehow, or by replacing it with a smarter tool.

Comment 12 Geraldo Simião 2020-12-11 00:12:44 UTC
perhaps with this new update... 

https://bodhi.fedoraproject.org/updates/FEDORA-2020-f997de7d0e

New build(s):
    fprintd-1.90.7-1.fc33
    libfprint-1.90.6-1.fc33

Removed build(s):
    fprintd-1.90.6-1.fc33
    libfprint-1.90.5-1.fc33

I'm testing it on a VM and until now it doesn't segfault.

Comment 13 David Hicks 2020-12-11 13:37:14 UTC
Duplicate of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1905964

Comment 14 Geraldo Simião 2020-12-11 15:13:32 UTC
Tested now on my bare metal installation and it worked fine, no crashes reported.

Bare metal install on Acer Aspire V3-571 v: V2.11 CPU: Quad Core Intel Core i7-3632QM GPU: Intel 3rd Gen Core processor Graphics Controller

Kernel: 5.9.13-200.fc33.x86_64
KDE Plasma 5.20.4 
fprintd-1.90.7-1.fc33
libfprint-1.90.6-1.fc33
sudo-1.9.2-1.fc33.x86_64
libsss_sudo-2.4.0-3.fc33.x86_64
util-linux-2.36-3.fc33.x86_64
util-linux-user-2.36-3.fc33.x86_64
glibc-2.32-2.fc33.x86_64

Comment 15 Henry Kroll 2020-12-13 01:15:30 UTC
Manual upgrade to glibc-2.32.9000-20.fc34.x86_64.rpm from https://bodhi.fedoraproject.org/ fixed the su/sudo segfault bug.
And the upgrade also fixed the 'user not in wheel group' and 'usermod not adding groups' issues as per https://bugzilla.redhat.com/show_bug.cgi?id=1906066

Comment 16 Chad King 2020-12-14 02:25:04 UTC
Awesome update guys, updated into this today and couldn't login to my computer.

I managed to fix it thanks to Peter's comment, but would like to add that I had to remount my filesystem to write to it after init'ing as bash 

`mount -o remount,rw /`

and also make sure you set a root password at this point in time because this fix somehow removes you from the sudoers.

Comment 17 Karel Zak 2020-12-14 11:04:53 UTC
*** Bug 1905795 has been marked as a duplicate of this bug. ***

Comment 18 Karel Zak 2020-12-14 11:04:59 UTC
*** Bug 1906700 has been marked as a duplicate of this bug. ***

Comment 19 Adam Williamson 2020-12-18 16:40:50 UTC
This was fixed in -7.

