Bug 201333 - Dovecot crash with PAM authentication
Dovecot crash with PAM authentication
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dovecot (Show other bugs)
4.0
x86_64 Linux
medium Severity high
: ---
: ---
Assigned To: Michal Hlavinka
: Reopened
Depends On: 155187
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-04 09:55 EDT by Davide Brunato
Modified: 2009-11-05 09:02 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-05 09:02:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Extracted from log file of the server - 26-27th of June 2006 (1.55 KB, text/plain)
2006-09-25 10:36 EDT, Davide Brunato
no flags Details
dovecot Log file (3.48 MB, text/plain)
2006-10-12 05:11 EDT, Davide Brunato
no flags Details
secure log (8.34 KB, application/octet-stream)
2006-10-12 05:13 EDT, Davide Brunato
no flags Details
ps command output of 27-06-2006 at 5:12 AM (43.33 KB, application/octet-stream)
2006-10-12 05:20 EDT, Davide Brunato
no flags Details
dovecot configuration 27-06-2006 (20.81 KB, application/octet-stream)
2006-10-12 05:33 EDT, Davide Brunato
no flags Details

  None (edit)
Description Davide Brunato 2006-08-04 09:55:13 EDT
Description of problem: Default dovecot auth configuration (with PAM) fault with
mailbox privacy violation.

PAM crashes under medium/high load and the dovecot-imap/pop processes permit
users to access (download in case of POP3) other user's mailboxes.

Version-Release number of selected component (if applicable):

dovecot-0.99.11-2.EL4.1.x86_64

Additional info: 

http://dovecot.org/list/dovecot/2005-February/006237.html
Comment 2 RHEL Product and Program Management 2006-08-18 10:48:38 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Davide Brunato 2006-09-25 10:36:08 EDT
Created attachment 137054 [details]
Extracted from log file of the server - 26-27th of June 2006
Comment 5 Davide Brunato 2006-09-25 10:52:21 EDT
The server use a RHEL 4 Update 3 with Cluster Suite 4 and GFS 6.1 .
The cluster is composed by two server HP Proliant DL385 G4 with 4GB of RAM.

Crash log event reported:

dovecot-auth: Jun 27 10:52:33 Error: PAM: Child process died 
dovecot-auth: Jun 27 10:52:39 Error: PAM: Child 21671 died with signal 11

After crash events of dovecot-auth subprocesses the IMAP/POP server permits some
(about 10 cases reported in front of ~500 mailboxes) users to download (with
POP) mails of another user. 

Workaround: we are using dovecot-1.0b and use LDAP to authenticate the users.
Comment 6 Petr Rockai 2006-10-11 04:17:12 EDT
Interesting, i have been sifting through the sources and the change you 
mention in the original report seems to be completely unrelated to the error 
from the log file you have posted. Could you please verify that 0.99.14 really 
contains a fix for your problem? Also maybe a more complete log could be of 
help.
Comment 7 Petr Rockai 2006-10-11 04:25:42 EDT
Also, could you please get me the relevant parts of /var/log/secure? And pam 
config files related to dovecot (dovecot's itself and anything it uses through 
pam_stack). Thanks.
Comment 8 Davide Brunato 2006-10-12 05:11:39 EDT
Created attachment 138314 [details]
dovecot Log file

The usernames and IP are anonymized.
Comment 9 Davide Brunato 2006-10-12 05:13:14 EDT
Created attachment 138315 [details]
secure log
Comment 10 Davide Brunato 2006-10-12 05:20:16 EDT
Created attachment 138316 [details]
ps command output of 27-06-2006 at 5:12 AM

If useful. We have GFS+CS on this machine (mail-02) and on the other node
(mail-01).
Comment 11 Davide Brunato 2006-10-12 05:26:54 EDT
This is the content of the file /etc/pam.d/dovecot at the time when the problem
happened (26-27 of June):

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

It's identical to the current configuration.
Comment 12 Davide Brunato 2006-10-12 05:33:35 EDT
Created attachment 138317 [details]
dovecot configuration 27-06-2006
Comment 13 Davide Brunato 2006-10-12 06:00:51 EDT
We can't verify if the 0.99.14 because the cluster is in production. 

Moreover we tested the dovecot-0.99.11-2 for several weeks before migrating to
the new e-mail server. No problems reported like the events of the 26-27 of
June. Probably the problem happens when the number of connected users is high
than we should test.

Now we run a dovecot-1.0 beta version (no problems reported) and wait for the
1.0 release to do an upgrade (it is a mantained version and has new features).

I found in the dovecot ML a resolved problem about 64 bits AMD systems:
 
http://dovecot.org/list/dovecot/2005-February/006237.html

about "- PAM crashed with 64bit systems", a problem existent in the previous
versions.

Thank You

Davide Brunato
Comment 14 Tomas Janousek 2007-01-11 08:26:21 EST
Do you use userdb ldap or user passwd with dovecot-1.0?

According to my investigation, the change in 0.99.14 is definitely not related
to this issue and I think the PAM crash in the log file is not related to the
issue with users seeing mails of other users neither. The crash should (and does
in here) just result in dovecot rejecting the login. It might be caused by
PAM/nss_ldap/whatever brokenness but should not make dovecot do anything bad.

On the other hand, the issue with users seeing mails of other users is a known
issue described in bug 154314. I suppose using userdb ldap instead of passwd
(nsswitch in fact) in dovecot should solve this issue.

Therefore, I propose to close this one and track the individual issues in bug
154314 etc. I will, however, try to workaround it according to bug 222110.
Comment 19 RHEL Product and Program Management 2007-02-05 10:41:20 EST
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request. 
Comment 21 Tomas Janousek 2007-03-09 06:01:11 EST
Seems like all this may be caused by the nss_ldap problem. I'm adding that as dep.
Comment 22 Michal Hlavinka 2009-07-21 06:17:55 EDT
I'm not able to reproduce this bug. Based on this:

- fixed: 222110 -  nss_ldap brokeness prevention attempt
- blocking bug has been already resolved

can you still reproduce this problem? If so, please provide any info useful for reproducing this. Thanks
Comment 23 Michal Hlavinka 2009-11-05 09:02:31 EST
this bug was in needinfo state for several months, closing
feel free to reopen if you can hit this bug and can provide requested information

Note You need to log in before you can comment on or make changes to this bug.