Bug 469857 - pam_chauthtok() only works in main but not child threads
pam_chauthtok() only works in main but not child threads
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
4.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE
:
Depends On:
Blocks: 219688
  Show dependency treegraph
 
Reported: 2008-11-04 09:26 EST by Nils Philippsen
Modified: 2011-03-07 03:29 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-18 16:25:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
multi threaded pam_chauthtok() test program (4.36 KB, text/plain)
2008-11-04 09:26 EST, Nils Philippsen
no flags Details

  None (edit)
Description Nils Philippsen 2008-11-04 09:26:17 EST
Created attachment 322432 [details]
multi threaded pam_chauthtok() test program

Description of problem:
In threaded applications, calling pam_chauthtok() from child threads fails.

Version-Release number of selected component (if applicable):
pam-0.77-66.25

How reproducible:
Reproducible.

Steps to Reproduce:
1. With pam, pam-devel installedm, build attached test program: "g++ -pthread -lpam MTPamTest.cpp -o MTPamTest"
2. Create pamtest user: "useradd pamtest"
3. As root, run "./MTPamTest pamtest test"
(4. Delete pamtest user)
  
Actual results:
lsia6455:emroot:/home/emroot> ./MTPamTest pamtest test

Changing password from main thread
pam_start SUCCESSFUL
pam_chauthtok SUCCESSFUL
pam_end SUCCESSFUL

Changing password from child thread
pthread_create SUCCESSFUL
pam_start SUCCESSFUL
pam_chauthtok FAILED with return value 20(errno=13)
pam_end SUCCESSFUL
pthread_join SUCCESSFUL


Expected results:
pam_chauthtok() call successful in child thread case.

Additional info:
The same problem doesn't show on RHEL5 (pam-0.99.x).
Comment 4 Tomas Mraz 2008-11-04 13:56:29 EST
What modules are in the relevant pam stack? (/etc/pam.d/passwd + system-auth)
Comment 5 Volker Diesel 2008-11-05 05:05:02 EST
Hi, Tomas.
Here is the listing of /etc/pam.d/ and the content of the relevant pam files.
Kind regards,
Volker

=======================================

? cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

=======================================

? cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok md5 use_authtok shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

=======================================

? ls -la /etc/pam.d/
total 516
drwxr-xr-x   2 root root     4096 Oct 10 21:28 .
drwxr-xr-x  75 root root    12288 Nov  5 10:52 ..
-rw-r-----   1 root daemon    457 Jan 25  2008 atd
-rw-r--r--   1 root root      245 Apr 30  2008 authconfig
-rw-r--r--   1 root root      417 Apr 30  2008 authconfig-gtk
-rw-r--r--   1 root root      260 Apr  2  2008 chfn
-rw-r--r--   1 root root      260 Apr  2  2008 chsh
-rw-------   1 root root      342 Feb  6  2008 crond
-rw-r--r--   1 root root      107 Apr 22  2008 cups
-rw-r--r--   1 root root      282 Apr 20  2006 dateconfig
-rw-r--r--   1 root root      169 Feb 21  2008 halt
-rw-r--r--   1 root root      276 Jun 20 08:59 internet-druid
-rw-r--r--   1 root root      115 May  2  2007 kbdrate
-rw-r--r--   1 root root      561 Apr  2  2008 login
-rw-r--r--   1 root root      276 Jun 20 08:59 neat
-rw-r--r--   1 root root      350 Aug  1  2007 newrole
lrwxrwxrwx   1 root root       15 Sep  1 16:32 other -> /etc/pam.d/sshd
-rw-r--r--   1 root root      230 Mar 27  2008 other.old
-rw-r--r--   1 root root      169 Oct  8 15:55 passwd
-rw-r--r--   1 root root      169 Feb 21  2008 poweroff
-rw-r--r--   1 root root      204 Nov  2  2004 ppp
-rw-r--r--   1 root root      169 Feb 21  2008 reboot
-rw-r--r--   1 root root      561 Apr  2  2008 remote
-rw-r--r--   1 root root      370 Sep  1 16:32 rexec
-rw-r--r--   1 root root      282 Dec  5  2006 rhn_register
-rw-r--r--   1 root root      465 Sep  1 16:32 rlogin
-rw-r--r--   1 root root      354 Sep  1 16:32 rsh
-rw-r--r--   1 root root      350 Aug  1  2007 run_init
-rw-r--r--   1 root root      201 Jun 19 23:29 samba
-rw-r--r--   1 root root       57 Sep 11  2004 screen
lrwxrwxrwx   1 root root       22 Sep  1 16:29 serviceconf -> system-config-services
-rw-r--r--   1 root root      167 Oct  1  2004 setup
lrwxrwxrwx   1 root root       25 Sep  1 16:28 smtp -> /etc/alternatives/mta-pam
-rw-r--r--   1 root root      116 Apr 15  2008 smtp.sendmail
-rw-------   1 root root      317 Mar 28  2008 sshd
-rw-r--r--   1 root root     1017 May 29 15:11 su
-rw-r--r--   1 root root      203 Jul 21  2005 sudo
-rw-r--r--   1 root root      820 Oct 10 11:39 system-auth
-rw-r--r--   1 root root      276 Aug  3  2007 system-cdinstall-helper
-rw-r--r--   1 root root      417 Apr 30  2008 system-config-authentication
-rw-r--r--   1 root root      282 Apr 20  2006 system-config-date
-rw-r--r--   1 root root      276 Oct  8  2004 system-config-keyboard
-rw-r--r--   1 root root      276 Nov 10  2006 system-config-language
-rw-r--r--   1 root root      282 Jun 25 22:42 system-config-lvm
-rw-r--r--   1 root root      276 Oct  1  2004 system-config-mouse
-rw-r--r--   1 root root      276 Jun 20 08:59 system-config-network
-rw-r--r--   1 root root      276 Jun 20 08:59 system-config-network-cmd
-rw-r--r--   1 root root      276 Jun 20 08:59 system-config-network-druid
-rw-r--r--   1 root root      276 Oct  4  2004 system-config-nfs
-rw-r--r--   1 root root      276 Aug  3  2007 system-config-packages
-rw-r--r--   1 root root      276 Oct  1  2004 system-config-rootpassword
-rw-r--r--   1 root root      282 Jan 22  2007 system-config-samba
-rw-r--r--   1 root root      276 Apr 22  2005 system-config-securitylevel
-rw-r--r--   1 root root      282 Oct 20  2004 system-config-services
-rw-r--r--   1 root root      276 Jul 19  2005 system-config-soundcard
-rw-r--r--   1 root root      282 Apr 20  2006 system-config-time
-rw-r--r--   1 root root      276 Jul  6  2007 system-config-users
-rw-r--r--   1 root root      276 Aug  3  2007 system-install-packages
-rw-r--r--   1 root root      276 Nov 24  2004 system-logviewer
-rw-r--r--   1 root root      282 Dec  5  2006 up2date
-rw-r--r--   1 root root      282 Dec  5  2006 up2date-config
-rw-r--r--   1 root root      282 Dec  5  2006 up2date-nox
-rw-r--r--   1 root root      300 Feb  8  2008 vsftpd
-rw-r-----   1 root pegasus   353 Feb 11  2008 wbem
-rw-r--r--   1 root root      246 Jan  8  2008 wireshark

=======================================
Comment 6 Helge Deller 2008-11-14 09:57:53 EST
Hello Tomas,
This bug is currently stopping all validation of SAP products on RHEL 4 at this moment. Could you please increase the importance of this bug? It's getting urgent...
Thanks, Helge
Comment 7 Tomas Mraz 2008-11-25 11:51:17 EST
The problem is coming from the fact, that kernel does not allow setting fscreate context in the child thread. The pam_unix module then calls unix_chkpwd for the update but the unix_chkpwd in the shadow update functionality is buggy in RHEL-4 (it was not tested thoroughly as it is normally not called).

The fix is not complicated so I am OK with fixing it for RHEL-4.8.
Comment 8 Helge Deller 2008-11-25 11:59:27 EST
Thanks Tomas,
As soon as you have some pre-version of the fix, we are very interested! Just let us know.
Helge
Comment 14 errata-xmlrpc 2009-05-18 16:25:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0995.html

Note You need to log in before you can comment on or make changes to this bug.