Red Hat Bugzilla – Bug 56027
pam authentication fails
Last modified: 2007-04-18 12:38:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901
Description of problem:
When running /usr/lib/squid/pam_auth only the first person to authenticate
can use squid. All future requests from all other users fail. Exiting
/usr/lib/squid/pam_auth and restarting it again fixes the problem until a
user logs in and then only that user can log in. /usr/lib/squid/pam_auth
does recognise bad passwords for that user and the OK and ERR responses are
correct. However, all other known good accounts receive an ERR if they were
not the first person to authenticate.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Manually run /usr/lib/squid/pam_auth
2. Authenticate as a known good user
3. Using the same account use a bad password
4. Using the same account use the proper password.
5. Attempt to use any other account.
6. Use the known good account.
Actual Results: Only the first user could authenticate successfully.
Expected Results: All valid username password pairs should be
authenticated and receive an OK response.
This was working fine in RH 7.1. It was only after my upgrade to RH 7.2
that the problem appears. I have even fdisked and rebuilt my PC and the
problem occurs direct from the ISO images. It is not a patch from RH
Network causing the problem.

I have just completed a commercial install and had much the same experience. I
did however get slightly different results. The first user did not always
validate even with known good passwords. Subsequent validations may or may not
produce accurate results. I failed to find any good pattern. This was tested
with the connector having been launched by hand outside of squid, so this is not
a core squid issue. To confirm this I ran up a shell script that always gave an
OK response and logged the username/password pairs. Squid behaved just fine.
Also it should be noted that I could not get the connector to work without
making it setuid root. Squid in the default install runs as a non-root user and
the PAM connector seems to require root permissions to run properly.

There is an additional/related issue with both the PAM and NCSA authenticators:
neither comes as setuid root. As squid runs as a non-root account it does not
have permissions to access the password database... well, not if the system is
running shadow passwords anyway. I am using squid with the ncsa authenticator,
and need to reset the perms on the authentication binary every time the package
Can these files be routinely setuid root out of the box?

All of the above is still true for RH 8.0
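
The steps to reproduce in the original report, and the by-hand helper test described in the follow-up comment, can be scripted. The following is an added example, not part of the bug report or of squid: it sends a fixed sequence of "username password" lines to a single helper process and compares each OK/ERR reply with the expected one. The accounts alice and bob, their passwords, and the two stand-in helper functions are constructed for the demo; sticky_helper only imitates the reported symptom and says nothing about its cause.

```sh
# Constructed cases, "user password expected-reply", in the order of the
# steps to reproduce. alice/bob and their passwords are made up.
CASES='alice secret1 OK
alice wrong ERR
alice secret1 OK
bob secret2 OK
alice secret1 OK'

# Stand-in for a correct helper: one reply per "user password" request line.
good_helper() {
    while read -r user pass; do
        case "$user $pass" in
            "alice secret1"|"bob secret2") echo OK ;;
            *) echo ERR ;;
        esac
    done
}

# Stand-in imitating the reported symptom: after the first successful
# login, every other user gets ERR even with a valid password.
sticky_helper() {
    first=""
    while read -r user pass; do
        case "$user $pass" in
            "alice secret1"|"bob secret2")
                [ -z "$first" ] && first=$user
                if [ "$first" = "$user" ]; then echo OK; else echo ERR; fi ;;
            *) echo ERR ;;
        esac
    done
}

# check_helper CMD [ARGS...]: send all cases to ONE helper process (the
# symptom is state kept between requests), then compare replies line by
# line. Prints each mismatch without the password; succeeds only if none.
check_helper() {
    replies=$(printf '%s\n' "$CASES" | cut -d' ' -f1,2 | "$@")
    n=0; fails=0
    while read -r user _pass want; do
        n=$((n + 1))
        got=$(printf '%s\n' "$replies" | sed -n "${n}p")
        if [ "$got" != "$want" ]; then
            echo "request $n ($user): expected $want, got ${got:-no reply}"
            fails=$((fails + 1))
        fi
    done <<EOF
$CASES
EOF
    [ "$fails" -eq 0 ]
}
```

To check a real helper, set CASES to test accounts that exist on the system and run check_helper /usr/lib/squid/pam_auth.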