Bug 56027 - pam authentication fails
Summary: pam authentication fails
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: squid
Version: 7.2
Hardware: i586
OS: Linux
Target Milestone: ---
Assignee: Martin Stransky
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2001-11-11 06:33 UTC by Matt Swanson
Modified: 2007-04-18 16:38 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-07 10:40:18 UTC

Attachments (Terms of Use)

Description Matt Swanson 2001-11-11 06:33:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20010901

Description of problem:
When running /usr/lib/squid/pam_auth only the first person to authenticate
can use squid. All future requests from all other users fail. Exiting
/usr/lib/squid/pam_auth and restarting it again fixes the problem until a
user logs in and then only that user can log in. /usr/lib/squid/pam_auth
does recognise bad passwords for that user and the OK and ERR responses are
correct. However, all other known good accounts receive an ERR if they were
not the first person to authenticate.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Manually run /usr/lib/squid/pam_auth
2. Authenticate as a known good user
3. Using the same account use a bad password
4. Using the same account use the proper password.
5. Attempt to use any other account.
6. Use the known good account.

Actual Results:  Only the first user could authenticate successfully.

Expected Results:  All valid username password pairs should be
authenticated and receive an OK response.

Additional info:

This was working fine in RH 7.1. It was only after my upgrade to RH 7.2
that the problem appears. I have even fdisked and rebuilt my PC and the
problem occurs direct from the ISO images. It is not a patch from RH
Network causing the problem.

Comment 1 Andrew Meredith 2002-01-25 12:27:39 UTC
I have just completed a commercial install and had much the same experience. I
did however get slightly different results. The first user did not always
validate even with known good passwords. Subsequent validations may or may not
produce accurate results. I failed to find any good pattern. This was tested
with the connector having been launched by hand outside of squid, so this is not
a core squid issue. To confirm this I ran up a shell script that always gave an
OK response and logged the username/password pairs. Squid behaved just fine.

Also it should be noted that I could not get the connector to work without
making it setuid root. Squid in the default install runs as a non root user and
the PAM connector seems to require root permissions to run properly.

Comment 2 Andrew Meredith 2002-05-18 18:39:08 UTC
There is an additional/related issue with both the PAM and NCSA authenticators,
neither come as setuid root. As squid runs as a non-root account it does not
have permissions to access the password database .. well not if the system is
running shadow passwords anyway. I am using squid with the ncsa authenticator,
and need to reset the perms on the authentication binary every time the package
is upgraded.

Can these files be routinely setuid root out of the box ?

Comment 3 Andrew Meredith 2003-04-17 11:08:29 UTC
All of the above is still true for RH 8.0

Note You need to log in before you can comment on or make changes to this bug.