56027 – pam authentication fails

Bug 56027 - pam authentication fails

Summary: pam authentication fails

Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	squid
Sub Component:	(Show other bugs)
Version:	7.2
Hardware:	i586
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Martin Stransky
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-11-11 06:33 UTC by Matt Swanson
Modified:	2007-04-18 16:38 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-07-07 10:40:18 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matt Swanson 2001-11-11 06:33:59 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
When running /usr/lib/squid/pam_auth only the first person to authenticate
can use squid. All future requests from all other users fail. Exiting
/usr/lib/squid/pam_auth and restarting it again fixes the problem until a
user logs in and then only that user can log in. /usr/lib/squid/pam_auth
does recognise bad passwords for that user and the OK and ERR responses are
correct. However, all other known good accounts receive an ERR if they were
not the first person to authenticate.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Manually run /usr/lib/squid/pam_auth
2. Authenticate as a known good user
3. Using the same account use a bad password
4. Using the same account use the proper password.
5. Attempt to use any other account.
6. Use the known good account.
	

Actual Results:  Only the first user could authenticate successfully.

Expected Results:  All valid username password pairs should be
authenticated and receive an OK response.

Additional info:

This was working fine in RH 7.1. It was only after my upgrade to RH 7.2
that the problem appears. I have even fdisked and rebuilt my PC and the
problem occurs direct from the ISO images. It is not a patch from RH
Network causing the problem.

Comment 1 Andrew Meredith 2002-01-25 12:27:39 UTC

I have just completed a commercial install and had much the same experience. I
did however get slightly different results. The first user did not always
validate even with known good passwords. Subsequent validations may or may not
produce accurate results. I failed to find any good pattern. This was tested
with the connector having been launched by hand outside of squid, so this is not
a core squid issue. To confirm this I ran up a shell script that always gave an
OK response and logged the username/password pairs. Squid behaved just fine.

Also it should be noted that I could not get the connector to work without
making it setuid root. Squid in the default install runs as a non root user and
the PAM connector seems to require root permissions to run properly.

Comment 2 Andrew Meredith 2002-05-18 18:39:08 UTC

There is an additional/related issue with both the PAM and NCSA authenticators,
neither come as setuid root. As squid runs as a non-root account it does not
have permissions to access the password database .. well not if the system is
running shadow passwords anyway. I am using squid with the ncsa authenticator,
and need to reset the perms on the authentication binary every time the package
is upgraded.

Can these files be routinely setuid root out of the box ?

Comment 3 Andrew Meredith 2003-04-17 11:08:29 UTC

All of the above is still true for RH 8.0

Note You need to log in before you can comment on or make changes to this bug.