Bug 433459 - PAM audit_log_acct_message() failed: Operation not permitted
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam
Version: 8
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Duplicates: 433789 434563 434657
Reported: 2008-02-19 08:59 EST by Matteo Corti
Modified: 2008-02-28 07:03 EST
Fixed In Version: 0.99.8.1-17.1.fc8
Doc Type: Bug Fix
Last Closed: 2008-02-25 19:21:45 EST
Description Matteo Corti 2008-02-19 08:59:52 EST
Description of problem:

pam authentication for crond and httpd is not working after pam upgrade (to 
0.99.8.1-17.fc8)

Version-Release number of selected component (if applicable):
0.99.8.1-17.fc8

How reproducible:
grep audit_log_acct_message /var/log/secure

Steps to Reproduce:
1. yum update pam
2. grep audit_log_acct_message /var/log/secure
  
Actual results:
Feb 19 09:45:06 sp2002a httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 09:54:16 sp2002a httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 09:55:53 sp2002a httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 09:58:22 sp2002a httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:20:00 sp2002a httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:20:03 sp2002a CROND[2058]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:25:03 sp2002a CROND[3066]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:30:01 sp2002a CROND[3787]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:35:01 sp2002a CROND[4643]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:40:02 sp2002a CROND[5391]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:45:01 sp2002a CROND[6174]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:50:01 sp2002a CROND[6911]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:55:02 sp2002a CROND[7698]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:00:01 sp2002a CROND[8462]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:05:01 sp2002a CROND[9309]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:10:01 sp2002a CROND[10050]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:15:02 sp2002a CROND[10869]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:20:01 sp2002a CROND[11726]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:25:04 sp2002a CROND[12737]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 11:30:01 sp2002a CROND[13464]: PAM audit_log_acct_message() failed: Operation not permitted
[...]

Expected results:
no errors

Additional info:
The errors began seconds after the package upgrade. Nothing changed on the
machine configuration.
Comment 1 Jordan Russell 2008-02-19 13:28:28 EST
I'm also seeing this with the new pam package.

To reproduce, add the following line to /etc/crontab:

* * * * * nobody /bin/true

Result:

Feb 19 12:19:01 server CROND[1785]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 12:20:01 server CROND[1787]: PAM audit_log_acct_message() failed: Operation not permitted
...
Comment 2 Tomas Mraz 2008-02-19 13:55:13 EST
It is actually a harmless message, but it of course needs to be removed so it
doesn't clutter up the logs.
Comment 3 Matteo Corti 2008-02-19 14:09:19 EST
I fear that this is not only a harmless message since httpd refuses to
authenticate users using pam. From my httpd error log:

[Tue Feb 19 14:05:50 2008] [error] [client 129.132.57.95] PAM: user 'corti' - not authenticated: Authentication failure

When I try to use a page which uses mod_auth_pam.so.

I am pretty convinced that this is caused by pam since the errors began with
pam's update (and httpd remained the same).
Comment 4 Tomas Mraz 2008-02-19 14:17:27 EST
Do you see any other messages in /var/log/secure that could be related? Could
you try restarting httpd to see whether that helps? (Not for removing the message
but for the authentication failure.)
Comment 5 Tomas Mraz 2008-02-19 14:18:56 EST
Also if you're running with SELinux enabled, do you see any AVC messages in
audit log from SELinux?
Comment 6 Matteo Corti 2008-02-19 14:23:42 EST
Sorry I forgot to put the /var/log/secure entries related to httpd:

Feb 19 14:35:23 sp2002a httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=  user=corti

I get the problem only with httpd (logging in using the console or ssh with the
same user and password does not give any problem).

Looking on the web, I found out that having apache not able to read /etc/shadow
causes the same error message, but I checked and the permissions are OK (I even
tried with su to become the user apache and read the file to check if everything
was OK).

I currently do not have SELinux enabled:

$ sestatus
SELinux status:                 disabled

Restarting httpd, increasing log verbosity does not bring any change.

Thanks for the quick reaction.
Comment 7 Tomas Mraz 2008-02-19 15:01:16 EST
Ah yes, that's actually a different problem. It is within the pam_unix module.
I'll fix it as well.
Comment 8 Tomas Mraz 2008-02-19 16:18:35 EST
Can you try the pam packages from
http://koji.fedoraproject.org/koji/taskinfo?taskID=443904
to see whether they fix both problems?
Comment 9 Matteo Corti 2008-02-19 16:26:59 EST
Hi,

I just updated pam and pam-devel and your build solves both problems:

 * no more error messages in /var/log/secure
 * httpd & mod_auth_pam work without problems

Many thanks for the incredibly quick fix.
Comment 10 Fedora Update System 2008-02-19 16:46:04 EST
pam-0.99.8.1-17.1.fc8 has been submitted as an update for Fedora 8
Comment 11 George Moody 2008-02-20 01:10:11 EST
pam-0.99.8.1-17.fc8 also breaks xdm logins (console logins are
unaffected).  Update to pam-0.99.8.1-17.1.fc8 fixes this.
Comment 12 Tomas Mraz 2008-02-20 02:28:00 EST
(In reply to comment #11)
> pam-0.99.8.1-17.fc8 also breaks xdm logins (console logins are
> unaffected).  Update to pam-0.99.8.1-17.1.fc8 fixes this.
This is not resolved by the new packages but by restarting xdm after the
upgrade.  If you didn't upgrade but restart the xdm it should fix this
intermittent problem as well.
Comment 13 Fedora Update System 2008-02-20 21:55:19 EST
pam-0.99.8.1-17.1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update pam'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1881
Comment 14 Tomas Mraz 2008-02-21 12:08:45 EST
*** Bug 433789 has been marked as a duplicate of this bug. ***
Comment 15 David Rees 2008-02-22 14:26:07 EST
*** Bug 434563 has been marked as a duplicate of this bug. ***
Comment 16 David Rees 2008-02-22 14:39:29 EST
I'm still seeing the error in /var/log/secure after upgrading to
pam-0.99.8.1-17.1.fc8:

CROND[28756]: PAM audit_log_acct_message() failed: Operation not permitted

I think this could actually be a bug in vixie-cron?
Comment 17 Matteo Corti 2008-02-22 14:47:09 EST
You need to restart crond after upgrading pam. This solved the problem in my case.
Comment 18 David Rees 2008-02-22 15:32:24 EST
You are right. I did restart crond, but still had a single message pop up after
the restart, but after that, they have stopped.
Comment 19 Askar Ali Khan 2008-02-24 01:08:06 EST
I am still getting 'CROND[12893]: PAM audit_log_acct_message() failed: Operation
not permitted' error messages in secure log on our 40+ fedora 8 hosts even after
 updated to pam-0.99.8.1-17.fc8 and restarting crond service.
Comment 20 Marcela Mašláňová 2008-02-25 02:24:09 EST
*** Bug 434657 has been marked as a duplicate of this bug. ***
Comment 21 Tomas Mraz 2008-02-25 03:01:59 EST
(In reply to comment #19)
> I am still getting 'CROND[12893]: PAM audit_log_acct_message() failed: Operation
> not permitted' error messages in secure log on our 40+ fedora 8 hosts even after
>  updated to pam-0.99.8.1-17.fc8 and restarting crond service.

Try update to pam-0.99.8.1-17.1.fc8 + restart crond.
Comment 22 Jan Houtsma 2008-02-25 15:09:13 EST
Fixed it for me on two fedora 8 servers and also on 2 workstations. I also had
this error on the screenlock:

Feb 25 12:58:25 xps gnome-screensaver-dialog: PAM audit_log_acct_message() failed: Operation not permitted

But also that one has gone away now with pam-0.99.8.1-17.1.fc8 (and for cron
restarting that daemon).
Comment 23 Fedora Update System 2008-02-25 19:21:43 EST
pam-0.99.8.1-17.1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Askar Ali Khan 2008-02-26 00:45:39 EST
pam-0.99.8.1-17.1.fc8 seems to have fixed the issue after installing it on 6 fedora 8
hosts and restarting crond service.

I'll let you know after installing it on all other hosts.
Comment 25 Askar Ali Khan 2008-02-28 07:03:48 EST
Yeap pam-0.99.8.1-17.1.fc8 solved the issue on all 40+ hosts.
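
Added example, not part of the original bug report or of pam: a shell helper that summarizes, per service, how many times the message from this bug was logged and when it was last seen, so the last entry can be compared with the time pam was updated and the service restarted. The function names are hypothetical and the log lines in `sample_secure_log` are constructed in the layout shown in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Constructed sample lines in the /var/log/secure layout seen in the report.
sample_secure_log() {
    cat <<'EOF'
Feb 19 09:45:06 host1 httpd: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:20:03 host1 CROND[2058]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:25:03 host1 CROND[3066]: PAM audit_log_acct_message() failed: Operation not permitted
Feb 19 10:26:00 host1 sshd[4000]: Accepted password for user1 from 192.0.2.10 port 50000 ssh2
Feb 25 12:58:25 host1 gnome-screensaver-dialog: PAM audit_log_acct_message() failed: Operation not permitted
EOF
}

# pam_audit_failures FILE
# Prints one line per service: "<service> <count> <timestamp of last entry>"
pam_audit_failures() {
    awk '
    /PAM audit_log_acct_message\(\) failed/ {
        # syslog fields: month, day, time, host, tag, then the message
        tag = $5
        sub(/:$/, "", tag)            # "httpd:" becomes "httpd"
        sub(/\[[0-9]+\]$/, "", tag)   # "CROND[2058]" becomes "CROND"
        count[tag]++
        last[tag] = $1 " " $2 " " $3
    }
    END { for (t in count) print t, count[t], last[t] }
    ' "$1" | sort
}

# Demo on the constructed sample; on a real host pass /var/log/secure instead.
tmp=$(mktemp)
sample_secure_log > "$tmp"
pam_audit_failures "$tmp"
rm -f "$tmp"
```

A service whose last entry is later than its restart on the updated pam package is the case reported in comments 16 and 19.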
