From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
When running /usr/lib/squid/pam_auth only the first person to authenticate can use squid. All future requests from all other users fail. Exiting /usr/lib/squid/pam_auth and restarting it again fixes the problem until a user logs in and then only that user can log in. /usr/lib/squid/pam_auth does recognise bad passwords for that user and the OK and ERR responses are correct. However, all other known good accounts receive an ERR if they were not the first person to authenticate.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Manually run /usr/lib/squid/pam_auth
2. Authenticate as a known good user
3. Using the same account use a bad password
4. Using the same account use the proper password.
5. Attempt to use any other account.
6. Use the known good account.

Actual Results:
Only the first user could authenticate successfully.

Expected Results:
All valid username password pairs should be authenticated and receive an OK response.

Additional info:
This was working fine in RH 7.1. It was only after my upgrade to RH 7.2 that the problem appears. I have even fdisked and rebuilt my PC and the problem occurs direct from the ISO images. It is not a patch from RH Network causing the problem.
I have just completed a commercial install and had much the same experience. I did however get slightly different results. The first user did not always validate even with known good passwords. Subsequent validations may or may not produce accurate results. I failed to find any good pattern. This was tested with the connector having been launched by hand outside of squid, so this is not a core squid issue. To confirm this I ran up a shell script that always gave an OK response and logged the username/password pairs. Squid behaved just fine. Also, it should be noted that I could not get the connector to work without making it setuid root. Squid in the default install runs as a non-root user and the PAM connector seems to require root permissions to run properly.
There is an additional/related issue with both the PAM and NCSA authenticators: neither comes as setuid root. As squid runs as a non-root account it does not have permissions to access the password database... well, not if the system is running shadow passwords anyway. I am using squid with the ncsa authenticator, and need to reset the perms on the authentication binary every time the package is upgraded. Can these files be routinely setuid root out of the box?
All of the above is still true for RH 8.0.
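
The reproduction steps in the original report can be turned into a repeatable check against any helper that keeps one long-lived process and answers each "username password" line with OK or ERR. The following is an added example, not part of the bug report or of Squid; the two stand-in helpers, the accounts alice and bob and their passwords are constructed for illustration, and the "sticky" helper only imitates the reported symptom, not the actual cause inside pam_auth.

```python
import subprocess
import sys

# Constructed stand-in helpers (NOT pam_auth): each reads "user password" lines
# on stdin and answers OK or ERR, the exchange described in the report.
_DB = "db = {'alice': 'a-pass', 'bob': 'b-pass'}\n"
CORRECT_HELPER = _DB + (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    user, _, pw = line.rstrip('\\n').partition(' ')\n"
    "    print('OK' if db.get(user) == pw else 'ERR', flush=True)\n"
)
# Imitates the reported symptom: state from the first successful login is kept,
# so every other user is rejected afterwards.
STICKY_HELPER = _DB + (
    "import sys\n"
    "first = None\n"
    "for line in sys.stdin:\n"
    "    user, _, pw = line.rstrip('\\n').partition(' ')\n"
    "    ok = db.get(user) == pw and first in (None, user)\n"
    "    if ok: first = user\n"
    "    print('OK' if ok else 'ERR', flush=True)\n"
)

# Steps 2-6 of the report: (step, user, password, expected reply).
STEPS = [
    (2, "alice", "a-pass", "OK"),
    (3, "alice", "wrong", "ERR"),
    (4, "alice", "a-pass", "OK"),
    (5, "bob", "b-pass", "OK"),
    (6, "alice", "a-pass", "OK"),
]

def run_steps(helper_argv, steps=STEPS):
    """Drive one helper process through the steps; return [(step, expected, got)] mismatches."""
    failures = []
    with subprocess.Popen(helper_argv, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True, bufsize=1) as proc:
        for step, user, password, expected in steps:
            proc.stdin.write(f"{user} {password}\n")
            proc.stdin.flush()
            got = proc.stdout.readline().strip()
            if got != expected:
                failures.append((step, expected, got))
    return failures

if __name__ == "__main__":
    for name, src in (("correct", CORRECT_HELPER), ("sticky", STICKY_HELPER)):
        print(name, run_steps([sys.executable, "-c", src]))
```

To exercise a real helper, pass its command line as `helper_argv` and replace `STEPS` with test accounts that exist on the system, run under the same account Squid uses so that permission problems show up as well.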