211756 – su segfaults on bad password with pam_krb5

Bug 211756 - su segfaults on bad password with pam_krb5

Summary: su segfaults on bad password with pam_krb5

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pam
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-10-21 22:06 UTC by W. Michael Petullo
Modified:	2008-03-27 13:02 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-03-27 12:50:48 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description W. Michael Petullo 2006-10-21 22:06:30 UTC

Description of problem:
The su command segfaults if I configure PAM to authenticate using Kerberos and
provide an incorrect password.

Version-Release number of selected component (if applicable):
coreutils-5.97-11

How reproducible:
Every time

Steps to Reproduce:
1. Configure PAM as below.
2. su - someuser
3. Enter an incorrect password
  
Actual results:
Segmentation fault

Expected results:
The su utility should refuse to authenticate user and not segfault.

Additional info:
auth        required      /lib/security/$ISA/pam_env.so
auth        optional      /lib/security/$ISA/pam_keyring.so
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass
auth        [authinfo_unavail=ignore success=1 default=2]
/lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
[...]

If I remove the line for pam_krb5.so then su will not segfault.

(gdb) run - mike
Starting program: /bin/su - mike
[Thread debugging using libthread_db enabled]
[New Thread 805494224 (LWP 2555)]
Error while reading shared library symbols:
Cannot find new threads: generic error
Password: 

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 805494224 (LWP 2555)]
0x07fd60d0 in _pam_dispatch () from /lib/libpam.so.0
(gdb) ba
#0  0x07fd60d0 in _pam_dispatch () from /lib/libpam.so.0
#1  0x07fd55d8 in pam_authenticate () from /lib/libpam.so.0
#2  0x08003838 in main (argc=3, argv=0x7f8d54b4) at su.c:364
#3  0x07dc0d4c in generic_start_main () from /lib/libc.so.6
#4  0x07dc0f74 in __libc_start_main () from /lib/libc.so.6
#5  0x00000000 in ?? ()
(gdb)

Comment 1 Tim Waugh 2006-10-22 09:29:22 UTC

If all you've changed is the pam config then it sounds like a pam_krb5 bug. 
Reassigning..

Comment 2 W. Michael Petullo 2006-10-22 18:19:11 UTC

Is this a bug in the pam library instead?  I have used [authinfo_unavail=ignore
success=1 default=2], however, there is not enough auth modules listed to jump
down two levels in the stack.

I realize that this configuration is not quite right.  However, su certainly
should not segfault!

Comment 3 Tim Waugh 2006-10-23 10:31:49 UTC

su isn't -- pam_krb5.so (which it dynamically loads) is, from the sound of it.

Comment 4 Tomas Mraz 2008-03-27 12:50:48 UTC

This is fixed in Linux-PAM-0.99.10.0 which is in rawhide.

Note You need to log in before you can comment on or make changes to this bug.