RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 827188 - fprintd-pam module causes SIGPIPE to be ignored by children
Summary: fprintd-pam module causes SIGPIPE to be ignored by children
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: fprintd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Bastien Nocera
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-31 20:40 UTC by Dan Astoorian
Modified: 2020-06-22 14:03 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-06 11:02:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1094548 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1094548

Description Dan Astoorian 2012-05-31 20:40:24 UTC 
Description of problem:
If the fprintd-pam module is in use, it causes the PAM client (e.g., /bin/su) to ignore SIGPIPE.  Child processes then inherit the SIG_IGN disposition for the signal.

Version-Release number of selected component (if applicable):
fprintd-pam-0.1-19.git04fd09cfa.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. 'su' to a user whose shell is /bin/tcsh (not /bin/sh or /bin/bash); OR, log in from the text console.  (In general, log in through a method which uses /etc/pam.d/system-auth-ac.)
2. cat /dev/zero | true
3.
  
Actual results:
cat: write error: Broken pipe


Expected results:
No output, with cat being terminated with SIGPIPE

Additional info:
Note that /bin/bash resets the signal disposition for SIGPIPE during initialization, so trying this with a user whose shell is /bin/sh or /bin/bash masks the problem.

Commenting out the "auth sufficient pam_fprintd.so" line in /etc/pam.d/system-auth-ac makes the symptom go away, as does removing the fprintd and fprintd-pam packages, which is how the problem was isolated to fprintd-pam.

("grep SigIgn /proc/$$/status" may also be used to observe the change in the ignored signals mask; instead of 0000000000384004, the mask appears as 0000000000385004.)

We think the symptom appeared after updating from RHEL6.1 to RHEL6.2, but we are not 100% sure of that.  I suspect that the underlying cause of the bug might be in some underlying library rather than in fprintd-pam itself, but I have not been successful in identifying the component that changed to introduct the problem.
Comment 2 Dan Astoorian 2012-06-01 14:57:53 UTC 
The report about the problem appearing after updating from RHEL6.1 to 6.2 has not been substantiated.  We don't know when the problem first appeared: it may have been there for a long time.
Comment 6 RHEL Program Management 2012-07-10 08:46:11 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 7 RHEL Program Management 2012-07-10 23:13:44 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 8 RHEL Program Management 2012-09-07 05:37:40 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 9 matthew patton 2013-03-11 17:10:47 UTC 
It would help if Anaconda would stop including a reference pam_fprintd during an install. The *ONLY* package that should be inserting that line into pamd./system-auth-ac is fprintd-pam. In RHEL6.3+ (only ones I have personal experience) the failure mode of the .so missing is benign but why keep propagating an invalid configuration that was caused by a mis-behaving installer/authconfig default values?
Comment 10 Dalibor Pospíšil 2015-03-09 16:01:06 UTC 
This issue blocks testing of bz1094548. To workaround the issue the pam module needs to be disabled.

As the fprint-pam is included in Base install group I propose this bug also as blocker for RHEL6.7.
Comment 11 Dalibor Pospíšil 2015-03-09 16:38:17 UTC 
After consultation I am removing blocker flag.
Comment 12 Bastien Nocera 2015-03-25 21:17:27 UTC 
I don't quite understand why tcsh can't reset the signal mask when it starts.

Apart from this change in the signal mask, which causes problems to tcsh, what problem does it cause?

There's nothing in pam_fprintd itself that changes the signal mask, it's likely something in glib or dbus.
Comment 13 Dan Astoorian 2015-04-06 14:01:56 UTC 
The breakage of piped commands for tcsh users (which is not a trivial issue) is the only specific effect I have observed in practice.  Note that it is not necessarily tcsh that encounters the problem directly, but commands invoked from the resulting shell.

Note that changing tcsh to reset the signal mask may introduce subtle new issues if existing installations implicitly depend on the current behaviour; signal handling in shells tends to be notoriously brittle.

As a design principle, PAM modules should be as transparent as possible and not introduce side effects such as persistent changes to the process signal mask.  The inclusion or not of a PAM module should not result in unrelated user-visible changes at the application level.  Perhaps pam_fprintd should save the signal mask on entry and restore it at cleanup if the underlying source of the issue cannot easily be found/fixed.

(At this site, the problem has been worked around by removing the fprintd, fprintd-pam and gdm-plugin-fingerprint RPMs, as their functionality is not needed.)
Comment 14 Jan Kurik 2017-12-06 11:02:43 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
Comment 15 Bastien Nocera 2020-06-22 14:03:14 UTC 
Turns out that all this while, glib (in gio/gsocket.c) was responsible for playing with the signal mask.

This problem is fixed in more recent versions of fprintd (from 1.90.1 onwards), which now uses sd-bus instead of dbus-glib.

commit d70f15b5e8fd0f51c882bf4f199036ab503528ef
Author: Bastien Nocera <hadess>
Date:   Tue Jan 14 15:34:06 2020 +0100

    pam: Port to sd-bus
    
    This pam plugin never used GDBus because it transparently uses threads
    which do not work well with a lot of PAM applications. But even settling
    on the "still better to use than plain dbus library" dbus-glib wasn't
    without problems, as any use or initialisation of GIO sockets would
    modify signal handler for signals such as SIGPIPE (see gio/gsocket.c).
    
    Many years later, sd-bus is a more modern alternative to the bare dbus
    library with a better API.
    
    This includes:
    - Removing use of gboolean, guint, g_new0() and many glib string helpers
    - Simplifying debug logging
    - Marking user-facing messages to be translated
Note You need to log in before you can comment on or make changes to this bug.