Bug 74062 - passswd doesn't work with yppasswd
passswd doesn't work with yppasswd
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-09-14 00:19 EDT by hjl
Modified: 2007-04-18 12:46 EDT (History)
8 users (show)

See Also:
Fixed In Version: pam-0.77-65
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-27 04:05:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
A patch to avoid the deadlock with NIS (972 bytes, patch)
2002-09-14 15:37 EDT, hjl
no flags Details | Diff
Oops. Ignore the last one. This is the right one. (1.77 KB, patch)
2002-09-14 15:43 EDT, hjl
no flags Details | Diff
Patch to fix locking DoS in pam-0.77 (15.14 KB, patch)
2004-10-13 20:39 EDT, Joe Cooper
no flags Details | Diff

  None (edit)
Description hjl 2002-09-14 00:19:53 EDT
passswd doesn't work with yppasswd running on
the same machine. passwd holds the lock on
/etc/.pwd.lock while calling yppasswd which
will try to get the same lock. It winds up
with

# passwd
Changing password for user union.
Changing password for union
(current) UNIX password: 
New password: 
Retype new password: 
RPC: Timed out
The password has not been changed on gate.in.lucon.org.
passwd: Failed preliminary check by password service

In messages:

Sep 13 21:12:53 gate passwd(pam_unix)[11166]: password not changed for union on
gate.in.lucon.org
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: update union (uid=10003) from host
192.168.0.6 successful.
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: update union (uid=10003) from host
192.168.0.6 rejected
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: Invalid password.
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: update union (uid=10003) from host
192.168.0.6 rejected
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: Invalid password.
Sep 13 21:12:53 gate rpc.yppasswdd[10712]: update union (uid=10003) from host
192.168.0.6 rejected
Comment 1 hjl 2002-09-14 15:36:04 EDT
The bug is in pam. I am uploading a patch.
Comment 2 hjl 2002-09-14 15:37:47 EDT
Created attachment 76164 [details]
A patch to avoid the deadlock with NIS
Comment 3 hjl 2002-09-14 15:43:33 EDT
Created attachment 76165 [details]
Oops. Ignore the last one. This is the right one.
Comment 4 Kjartan Maraas 2003-04-03 03:35:17 EST
Has this been applied?
Comment 5 Gerald Teschl 2003-04-04 13:37:29 EST
This is also present in 8.0. If I turn off ypbind on the server it will work, but 
a have to call make manually in /var/yp to update the nis information. 
Comment 6 Joe Cooper 2004-02-04 18:41:40 EST
This issue is still present in Red Hat 9.  Applying the patch listed
above solves the problem for me...shouldn't this find its way into the
errata for 9?
Comment 7 Joe Cooper 2004-08-06 17:28:29 EDT
Issue is still present in Fedora Core 1, and it doesn't look like a
relevant patch has been added in Core 2.  The above patch doesn't
apply cleanly, but it doesn't look too far off...I'll see what I can
do with it.
Comment 8 Joe Cooper 2004-10-13 20:35:38 EDT
This behavior is reportedly fixed upstream in 0.78, which also
addresses the obvious DoS inherent in this bug.

http://sourceforge.net/tracker/?group_id=6663&atid=106663&func=detail&aid=664290

I have created a patch that applies cleanly to the 0.77-15 SRPM, which
I'll attach.  It isn't thoroughly tested as I just installed it ten
minutes ago, but pam works correctly for me for the first time in
months (I had patched the RH9 version which was in service until
then).  I would love for this fix to get into an FC1 and FC2 errata,
and RHEL for that matter, which also exhibited the problem last time I
checked.  If there's anything I can do beyond providing a patch to
encourage an errata for this problem, please let me know.

Did I mention that it is a known user-exploitable DoS?
Comment 9 Joe Cooper 2004-10-13 20:39:51 EDT
Created attachment 105176 [details]
Patch to fix locking DoS in pam-0.77

Applies cleanly to the latest FC1 errata pam package.  Mostly untested, but it
works for me.
Comment 10 Tomas Mraz 2004-10-14 04:43:54 EDT
I'm sorry but the patch completely removes the locking which is not
right. I'll try to resolve it correctly.
Comment 11 Joe Cooper 2004-10-14 11:35:51 EDT
OK, the patch is more intrusive than I noticed, though it doesn't
/completely/ remove locking, there's still the first one at line ~610.
 ;-)

All of the individual locks might be able to come back without
breaking anything--the earlier patch only modified one set of locks
and it resolved the problem for earlier pam versions.  I'll poke at it
some more, though I'm well out of my depth on this one.
Comment 12 Tomas Mraz 2004-10-20 11:22:22 EDT
Ok, I've taken the previous patch, slightly changed it and applied.

Note You need to log in before you can comment on or make changes to this bug.