Red Hat Bugzilla – Bug 26115
pam_listfile segfaults on invalid usernames
Last modified: 2007-04-18 12:31:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
If one uses pam_listfile in the pam stack for login, if someone tries to
telnet in (or use any application that uses login) and enters an invalid
username, that pam module segfaults and the user has to telnet in again.
Steps to Reproduce:
1. set up /etc/pam.d/login to use pam_listfile
2. telnet in, use bad name
3. see crash
4. easier method: instead of telnet, use gdb login
Easy fix: it segfaults on this code:
    userinfo = getpwnam(citemp);
    grpinfo = getgrgid(userinfo->pw_gid);
i.e. when citemp doesn't exist, getpwnam returns NULL, and therefore you
operate on a null pointer.
    if (userinfo == NULL)
after the getpwnam seems to make everything work properly. However, I am
not a pam expert, so that might be (probably is?) the wrong return value, but
it seems to work here.
here's a simple patch for the latest src.rpm that was in updates for 6.2
[spotter@yucs pam_listfile]$ diff pam_listfile.c pam_listfile.c.old
< if (userinfo == NULL)
< return sense?PAM_SUCCESS:PAM_AUTH_ERR;
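Review bot: the added return, sense?PAM_SUCCESS:PAM_AUTH_ERR, yields PAM_SUCCESS whenever sense is nonzero for a name that getpwnam could not resolve, so this module passes an account that does not exist. Prefer a failure code that does not depend on sense (PAM_USER_UNKNOWN or PAM_AUTH_ERR), or add a comment explaining why success is intended for an unresolvable user. The getgrgid call that follows in the quoted code can also return NULL, so grpinfo needs the same check before it is used. The diff was also produced new-against-old and without context, which is why the change shows up as "<" lines with no location; regenerating it with diff -u pam_listfile.c.old pam_listfile.c would make it directly appliable.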
This is still a problem in redhat 7's pam.
This will be fixed in pam-0.74-5. Thanks!
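The lookup pattern from this report with both results checked and a verdict that fails closed, as an added example that is not the pam_listfile source or the shipped fix. The verdict enum, the function names and the meaning of sense_deny are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for a PAM verdict so the example builds without libpam headers. */
enum verdict { VERDICT_DENY = 0, VERDICT_ALLOW = 1 };

/*
 * Copy the primary group name of `user` into `out`.
 * Returns 1 on success, 0 if the user or the group cannot be resolved.
 * Both lookups are checked before their result is dereferenced.
 */
int primary_group_of(const char *user, char *out, size_t outlen)
{
    struct passwd *userinfo;
    struct group *grpinfo;

    if (user == NULL || out == NULL || outlen == 0)
        return 0;
    userinfo = getpwnam(user);            /* NULL for an unknown name */
    if (userinfo == NULL)
        return 0;
    grpinfo = getgrgid(userinfo->pw_gid); /* NULL if the gid has no group entry */
    if (grpinfo == NULL || strlen(grpinfo->gr_name) >= outlen)
        return 0;
    strcpy(out, grpinfo->gr_name);
    return 1;
}

/*
 * Hypothetical list check: `listed` is one group name from the list file,
 * `sense_deny` is nonzero when the list is a deny list (assumed meaning).
 * An account that cannot be resolved is denied whatever the sense is.
 */
enum verdict check_primary_group(const char *user, const char *listed, int sense_deny)
{
    char grp[256];
    int found;

    if (listed == NULL || !primary_group_of(user, grp, sizeof grp))
        return VERDICT_DENY;
    found = (strcmp(grp, listed) == 0);
    if (sense_deny)
        return found ? VERDICT_DENY : VERDICT_ALLOW;
    return found ? VERDICT_ALLOW : VERDICT_DENY;
}
```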