lpalgarvio / pwauth Goto Github PK

What steps will reproduce the problem?
1. #define SHADOW_AIX in config.h
2. compile

What is the expected output? What do you see instead?

gcc -o pwauth -g  main.o auth_aix.o auth_bsd.o auth_hpux.o  auth_mdw.o 
auth_openbsd.o auth_pam.o auth_sun.o fail_log.o  lastlog.o nologin.o snooze.o 
-lcrypt
ld: 0711-317 ERROR: Undefined symbol: .flock
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
make: The error code from the last command is 1.

What version of the product are you using? On what operating system?
pwauth-2.3.8
AIX 6100-06-03-1048

Please provide any additional information below.
Exactly the same error in previous AIX versions as 6100-05-04-1048 or 
5300-07-02-0806.

What steps will reproduce the problem?
1. Enable SLEEP_LOCK
2. compile 

What is the expected output? What do you see instead?
gcc -g  -c  snooze.c
snooze.c: In function `snooze':
snooze.c:51: error: `LOCK_EX' undeclared (first use in this function)
snooze.c:51: error: (Each undeclared identifier is reported only once
snooze.c:51: error: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `snooze.o'


What version of the product are you using? On what operating system?
pwauth 2.3.8
SunOS 5.11 snv_151a i86pc i386 i86pc

Please provide any additional information below.
It looks like the LOCK_EX macro isn't defined in Solaris, and there isn't an 
easy way to replace it.  The code compiles just fine with SLEEP_LOCK disabled.

What steps will reproduce the problem?
1. make
2. sudo chown root:root pwauth
3. sudo chmod 4111 pwauth
4. ./pwauth

Expect:
Program to function as described.

Actual:
Returns error code 50.

What version of the product are you using? On what operating system?
  pwauth-2.3.8

  Linux version 2.6.9-89.ELsmp ([email protected]) (gcc
version 3.4.6 20060404 (Red Hat 3.4.6-11)) #1 SMP Mon Apr 20 10:34:33 EDT 2009


Please provide any additional information below.

I looked into the problem and saw that main.c is using the real uid instead
of the effective uid. On our system this returns the current user, not
root, even though the SUID bit is set. 

See the sample code in:
http://en.wikipedia.org/wiki/Setuid

I changed line 65 of main.c to be:
uid= geteuid();  // instead of getuid()

I re-compiled, installed, and it works great.

== Reproducing the Issue ==
What steps will reproduce the problem?

1. Modify config.h with the following:
  Uncomment #define FAILLOG_PWAUTH
  Uncomment #define MAX_FAIL_COUNT and change the value from 40 to 3.
  Uncomment #define RESET_FAIL_COUNT

2. Compile with 'make'.


== Expected and Observed Results ==
What is the expected output? What do you see instead?

After giving the wrong password for a user 3 times, I should receive exit 
status 7 when I enter the password correctly.

Instead, pwauth gave me exit status 0.  The MAX_FAIL_COUNT was not working with 
FAILLOG_PWAUTH.  Based on what I saw in the code, I don't think it will work 
with FAILLOG_OPENBSD either, but I did not test that configuration.


== Software Versions ==
What version of the product are you using? On what operating system?

pwauth 2.3.10
ubuntu


== Proposed Solution ==

To make it work, I did the following:

a) In main.c, change line 110 to be:
    #if defined(FAILLOG_JFH) || defined(FAILLOG_OPENBSD) || defined(FAILLOG_PWAUTH)

b) In fail_log.c, change line 132 to be:
    result= (flog.count < MAX_FAIL_COUNT);

c) In fail_log.c, change line 135 to be:
    if (result && flog.count > 0)

steps to reproduce the problem
1. try to compile pwauth-2.3.11 for mac OS X leopard (10.5)
2. configure pwauth for PAM_OLD_OS_X authentication into config.h
3. make clean && make

when linking, le _check_auth symbol is not found by the linker.

solution : 

into pam_auth.c,
replace line 36 
#if defined(PAM_SOLARIS_26) || defined(PAM_SOLARIS) || defined(PAM_OS_X)

with
#if defined(PAM_SOLARIS_26) || defined(PAM_SOLARIS) || defined(PAM_OS_X) || 
defined(PAM_OLD_OS_X)

Best regards,
Patrice Fontaine

What steps will reproduce the problem?
1./etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

2. /etc/pam.d/pwauth
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so 
account    required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
password   sufficient   /lib/security/pam_smbpass.so
password   required     /lib/security/pam_winbind.so
session    required pam_mkhomedir.so
session    required pam_winbind.so
session    required     /lib/security/pam_unix.so

3. /usb/sbin/pwauth

4. Type samba users or AD domain users credentials

What is the expected output? What do you see instead?
Although it should validate the credential, it core dumps instead.
/etc/var/log/apache_error_log
[Thu Aug 15 11:02:47.867264 2013] [authnz_external:error] [pid 8374] [client 
10.39.17.36:49897] External authenticator died on signal 11
[Thu Aug 15 11:02:47.867329 2013] [authnz_external:error] [pid 8374] [client 
10.39.17.36:49897] AuthExtern pwauth [/usr/sbin/pwauth]: Failed (-2) for user 
admin
[Thu Aug 15 11:02:47.867338 2013] [auth_basic:error] [pid 8374] [client 
10.39.17.36:49897] AH01617: user admin: authentication failure for 
"/webdav/Backups": Password Mismatch

/var/log/messages
Aug 15 10:49:15 vmstore kernel: [ 1361.635185] pwauth[9079]: segfault at 
b75b3eb7 ip b75b3eb7 sp bfb6675c error 4 in libpthread-2.13.so[b75c8000+15000]
Aug 15 10:49:18 vmstore kernel: [ 1364.566193] pwauth[9093]: segfault at 
b7561eb7 ip b7561eb7 sp bfd4ae2c error 4 in libpthread-2.13.so[b7576000+15000]
Aug 15 11:02:47 vmstore kernel: [ 2171.892085] pwauth[10695]: segfault at 
b75b2eb7 ip b75b2eb7 sp bfb96d7c error 4 in libpthread-2.13.so[b75c7000+15000]

What version of the product are you using? On what operating system?
pwauth-2.3.8 (which comes with Debian Wheezy)

Please provide any additional information below.

It seems the problem arises when it finishes the job with one pam module 
(pam_smbpass/pam_winbind) and tries to go to the next. Maybe pwauth corrupted 
pam somehow !

no talloc stackframe at ../source3/param/loadparm.c:4842, leaking memory

Program received signal SIGSEGV, Segmentation fault.
0xb7e21eb7 in ?? ()
(gdb) bt
#0  0xb7e21eb7 in ?? ()
#1  0xb7ba16e1 in _talloc_free_internal (ptr=0x8061a90, location=0xb7ba44c7 
"../lib/talloc/talloc.c:2251") at ../lib/talloc/talloc.c:831
#2  0xb7ba23f0 in _talloc_free_children_internal (tc=0x804c0a8, ptr=0x804c0d8, 
location=0xb7ba44c7 "../lib/talloc/talloc.c:2251") at 
../lib/talloc/talloc.c:1256
#3  0xb7ba1830 in _talloc_free_internal (ptr=0x804c0d8, location=0xb7ba44c7 
"../lib/talloc/talloc.c:2251") at ../lib/talloc/talloc.c:851
#4  0xb7ba2742 in _talloc_free (ptr=0x804c0d8, location=0xb7ba44c7 
"../lib/talloc/talloc.c:2251") at ../lib/talloc/talloc.c:1371
#5  0xb7ba3d82 in talloc_autofree () at ../lib/talloc/talloc.c:2251
#6  0xb7ea05e8 in __cxa_finalize () from /lib/i386-linux-gnu/libc.so.6
#7  0xb7ba0a43 in __do_global_dtors_aux () from 
/usr/local/samba/lib/private/libtalloc.so.2
#8  0xb7ff4e52 in ?? () from /lib/ld-linux.so.2
#9  0xb7ff5947 in ?? () from /lib/ld-linux.so.2
#10 0xb7e6ccc4 in ?? () from /lib/i386-linux-gnu/libdl.so.2
#11 0xb7fefde6 in ?? () from /lib/ld-linux.so.2
#12 0xb7e6d0bc in ?? () from /lib/i386-linux-gnu/libdl.so.2
#13 0xb7e6ccfa in dlclose () from /lib/i386-linux-gnu/libdl.so.2
#14 0xb7fc6f8b in ?? () from /lib/i386-linux-gnu/libpam.so.0
#15 0xb7fc48ff in ?? () from /lib/i386-linux-gnu/libpam.so.0
#16 0xb7fc1da0 in pam_end () from /lib/i386-linux-gnu/libpam.so.0
#17 0x08048bff in check_auth (login=0xbffff4aa "admin", passwd=0xbffff8ab 
"soho") at auth_pam.c:186
#18 0x0804898e in main (argc=1, argv=0xbffffd64) at main.c:94

I set up pwauth with mod_authnz_external
and it works fine pulling id's from pam_mysql using a pretty standard setup and 
restricting users to the web group.

root@marvin:~# cat /etc/pam.d/pwauth
auth    required    pam_succeed_if.so quiet_success user ingroup web
auth    sufficient  pam_mysql.so \
  user=nss-shadow \
  passwd=secret \
  db=nss_mysql \
  table=user \
  usercolumn=user_name \
  passwdcolumn=password \
  crypt=1 \
  verbose=0
auth    requisite   pam_deny.so
auth    required    pam_permit.so
account sufficient  pam_mysql.so \
  user=nss-shadow \
  passwd=secret \
  db=nss_mysql \
  table=user \
  usercolumn=user_name \
  passwdcolumn=password \
  crypt=1 \
  verbose=0
account requisite   pam_deny.so
account required    pam_permit.so

root@marvin:~# pwauth
arjag
secret
root@marvin:~# echo $?
0

Ok, so all good.

If i adjust the file;
root@marvin:~# cat /etc/pam.d/pwauth
# group checking removed for testing
# auth    required    pam_succeed_if.so quiet_success user ingroup web
auth    sufficient  pam_mysql.so \
  user=postfix \
  passwd=secret \
  host=localhost \
  db=postfix \
  table=mailbox \
  usercolumn=username \
  passwdcolumn=password \
  crypt=1 \
  md5=1 \
  verbose=0
auth    sufficient  pam_mysql.so \
  user=nss-shadow \
  passwd=secret \
  db=nss_mysql \
  table=user \
  usercolumn=user_name \
  passwdcolumn=password \
  crypt=1 \
  verbose=0
auth    requisite   pam_deny.so
auth    required    pam_permit.so
account sufficient  pam_mysql.so \
  user=postfix \
  passwd=secret \
  host=localhost \
  db=postfix \
  table=mailbox \
  usercolumn=username \
  passwdcolumn=password \
  crypt=1 \
  md5=1 \
  verbose=0
account sufficient  pam_mysql.so \
  user=nss-shadow \
  passwd=secret \
  db=nss_mysql \
  table=user \
  usercolumn=user_name \
  passwdcolumn=password \
  crypt=1 \
  verbose=0
account requisite   pam_deny.so
account required    pam_permit.so

if I try any of the accounts with "@" in the username (from the postfix 
database) I always get failure;
root@marvin:~# pwauth (this one is just a test to show /etc/init.d/pwauth still 
works)
arjag
secret
root@marvin:~# echo $?
0
root@marvin:~# pwauth
[email protected]
secret
root@marvin:~# echo $?
1
root@marvin:~# pwauth
arjag\@y42.biz
root@marvin:~# echo $?
1

I think this should work as it does not seem to be a pam limitation as on the 
same host I can do;

root@marvin:~# testsaslauthd -u arjag -p secret -f 
/var/spool/postfix/var/run/saslauthd/mux -s pwauth
0: OK "Success."
root@marvin:~# testsaslauthd -u [email protected] -p secret -f 
/var/spool/postfix/var/run/saslauthd/mux -s pwauth
0: OK "Success."

I have set verbose to 1 and it appears pwauth simply refuses to pass on a 
username with @

Thanks for your time, 

R,

Todd

When linking, $(LDFLAGS) should always be used. This allows for the user or the 
package management system to add additional linker flags.

As an example, we are building pwauth with Poky from the Yocto Project. Poky 
specifies -Wl,--hash-style=gnu in LDFLAGS and then proceeds to verify that 
everything that is built actually uses the GNU hash. This causes an error for 
pwauth since it currently does not use $(LDFLAGS) when linking:

ERROR: QA Issue: No GNU_HASH in the elf binary: 
'tmp/work/cortexa9-vfp-neon-poky-linux-gnueabi/pwauth/2.3.11-r0/packages-split/p
wauth/usr/sbin/pwauth'

Please find attached a patch that corrects the Makefile.