Description of problem: When unlocking xscreensaver it dies with a SIGPIPE, regardless of whether password was correct or not. This can give unauthorized access to users desktops. We ran gdb on xscreensaver and saw the output below, which indicates the SIGPIPE was getting propogated up from nss_ldap. This seems like an nss_ldap bug for not dealing with the SIGPIPE but xscreensaver was the main client we were having a problem with. I will attach the gdb xscreensaver info and the patch we used to fix xscreensaver. Version-Release number of selected component (if applicable): xscreensaver-4.10-1gg1 nss_ldap-202-5 How reproducible: This seems to depend on some timeout with the connection to the LDAP server so it is not reliably reproduceable. Unlocking my screen 20 times per day may cause it to crash once or twice. Steps to Reproduce: 1. run xscreensaver with pam authentication set to use pam_unix and nsswitch setup to query "files ldap" 2. lock xscreensaver and wait for ldap server to timeout (5 minutes to an hour) 3. try to unlock screen with any password Actual results: xscreensaver crashes and unlocks the screen Expected results: xscreensaver should NEVER unlock the screen due to any signal it got from a client Additional info:
Created attachment 92072 [details] patch to xscreensaver to block/ignore/unblock a sigpipe generated from pam_authenticate call
Created attachment 92073 [details] gdb summary of xscreensaver crashing
We're having exactly the same problem here. We switched from our old(er) OpenLDAP implementation to RH ES 2.1 (openldap-2.0.27-2.7.3), during which we changed "idletimeout 0" to "idletimeout 300" in our slapd.conf file. After this change, xscreensaver seems to semi-randomly crash (just like Jason Wold described). We also use nss_ldap on our HP-UX machines, and the change causes the entire desktop session to crash upon unlocking the screensaver. It happens fairly consistently with particular screensavers on the HP-UX machines, which may also agree with the "client not handling the SIGPIPE correctly" argument. This morning, I set "idletimeout" back to "0" (zero). I'll let everyone know in a few hours if it ends up helping the problem(s).
Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Red Hat Linux 7.3 and Red Hat Linux 9 are no longer supported by Red Hat, Inc. They are maintained by the Fedora Legacy project (http://www.fedoralegacy.org/) for security updates only. If this is a security issue, please reassign to the 'Fedora Legacy' product in bugzilla. Please note that Legacy security update support for these products will stop on December 31st, 2006. If this is not a security issue, please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. If you are currently still running Red Hat Linux 7.3 or 9, please note that Fedora Legacy security update support for these products will stop on December 31st, 2006. You are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Any bug still open against Red Hat Linux 7.3 or 9 at the end of 2006 will be closed 'CANTFIX'. Again, if this bug still exists in a current release, or is a security issue, please change the product as necessary. We thank you for your help, and apologize again that we haven't handled these issues to this point.
Does this bug still exists? If yes, I think just ignoring SIGPIPE is not the right way to fix it, the pam module should not generate this signal. Anyways, ignoring fatal signals might improve xscreensaver's robustness.
I believe this was fixed some time ago, probably before EL4 (this bug was filed against RHL9, which predates EL3). Marking as closed. Please reopen this report if you continue to see the problem in 4.8.