NetBSD Problem Report #39313

From oster@scrooge.localdomain  Thu Aug  7 15:40:39 2008
Return-Path: <oster@scrooge.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9697F63BB81
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  7 Aug 2008 15:40:39 +0000 (UTC)
From: oster@netbsd.org
Reply-To: oster@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: security/pam-ldap shared lib missing functions on 4.99.72
X-Send-Pr-Version: 3.95

>Number:         39313
>Category:       security
>Synopsis:       security/pam-ldap libraries missing functions on 4.99.72
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 07 20:00:09 +0000 2008
>Closed-Date:    Thu Apr 30 21:06:30 +0000 2020
>Last-Modified:  Thu Jul 08 19:35:01 +0000 2021
>Originator:     Greg Oster
>Release:        NetBSD 4.99.72
>Organization:
-
>Environment:


System: NetBSD scrooge 4.99.72 NetBSD 4.99.72 (BROADWAY) #0: Sat Aug 2 17:24:05 CST 2008 oster@quad:/u1/builds/build78/src/sys/arch/i386/compile/BROADWAY i386
Architecture: i386
Machine: i386
>Description:
Message-Id: <20080807154038.726C5113E2E@scrooge.localdomain>
Date: Thu,  7 Aug 2008 09:40:38 -0600 (CST)
Status: RO
Content-Length: 2039
Lines: 57

	When compiled with the defaults, the pam-ldap.o and
pam-ldap.so libraries are missing functions.  For example:

Aug  4 14:18:26 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_acct_mgmt()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug  4 14:18:44 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()

Looking at the sizes of the .o and .so files, we see:

-rw-r--r--  1 root  wheel   596 Aug  7 09:01 pam_ldap.o
-rwxr-xr-x  1 root  wheel  8194 Aug  7 09:01 pam_ldap.so*

and wonder in amazement how a PAM+LDAP module can be so efficient.
Turns out it can't.  Compiled properly, these files should look 
more like:

-rw-r--r--  1 root  wheel  38904 Aug  4 15:50 pam_ldap.o
-rwxr-xr-x  1 root  wheel  41798 Aug  4 15:50 pam_ldap.so*

(these have all the pam_sm_* functions, and work just fine..)

>How-To-Repeat:
        On a NetBSD/i386 4.99.72 box do:

	cd /usr/pkgsrc/security/pam-ldap
	make package clean
	configure sshd to use pam_ldap.so
	wonder why you can't login via ssh
        look in /var/log/messages and wonder why the pam_sm* functions
         don't exist.

>Fix:

It turns out that the issue is in
src/dist/openpam/include/security/openpam.h where changing some of the
logic resulted in NO_STATIC_MODULES no longer being defined for
NetBSD.  That causes PAM_EXTERN to be defined as:

 #define PAM_EXTERN static

and since the pam_sm_* functions are defined as:

 PAM_EXTERN pam_sm_foo()

this means that 'gcc -O2' is happy to optimize those functions away,
leaving us with an effectively useless .so file.

A workaround is to add:

 CFLAGS+=-DNO_STATIC_MODULES

to the security/pam-ldap package, but that won't solve this problem if
it appears elsewhere...



>Release-Note:

>Audit-Trail:
From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Fri, 21 Nov 2008 04:28:25 +0100

 I have committed your fix (or workaround?), but there are some really
 odd stuff in that header so I think it's better to leave this bug open.

 The module works as it should for me with pam-ldap-184nb2.

From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:48:15 +0100

 --Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux
 Content-Type: text/plain; charset=US-ASCII
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable

 The offending part is in /usr/include/security/openpam.h,
 which has the following comment:

 /*
  * Infrastructure for static modules using GCC linker sets.
  * You are not expected to understand this.
  */
 #if defined(__FreeBSD__) || defined(__NetBSD__)
 # define PAM_SOEXT ".so"
 #else
 # undef NO_STATIC_MODULES
 # define NO_STATIC_MODULES
 #endif
 (...a really ugly hack under this...)

 Do we really need this part?
 What purpose does it serve?

 --Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux
 Content-Type: application/pgp-signature

 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (NetBSD)

 iQEcBAEBAgAGBQJJjqpfAAoJEMPaVQK9vGn517UIAIdQcucESUuZyqArb4jxbf/I
 3tbd2gT7XUGseyJsaJJyg4BLFDn1kulw0zJzJy84LJKJ8q9NHxY+Ddw7UnMJ6+US
 bRPqxfaa3zdNqqCipszWaVZLCxxmcE1uaq8Ii2xLvZYhmYRQv/75BUBC8U1nOdyh
 BePlsiQARqx6VSOKgBDWJWDn/s4HlorTpG+TjyBs8pjc5Fj+J4yXVtPDw0Rr/OM/
 UN1YL/NAgbfWrr2GrlDYoSdFr7z3hWuo3l/iW89Qosy156ERDNHhgAVvpRHdHwYA
 +ppi1tZp5lSFy9rW7Kcm35kXfeNkvSm43OuQ2AnTKS3S0zEFapTtgfQrBOeRla8=
 =tRnn
 -----END PGP SIGNATURE-----

 --Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux--

From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:44:29 +0100

 --Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL
 Content-Type: text/plain; charset=US-ASCII
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable

 security/gnome-keyring has the same issue. I worked it around there too,
 but this should be handled at the root of the problem.

 --Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL
 Content-Type: application/pgp-signature

 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (NetBSD)

 iQEcBAEBAgAGBQJJjql9AAoJEMPaVQK9vGn5jIYH/AhkRDnQYqcrh3St0gfJbZC0
 a52SpXwzc+J9eLZ1sSGUc561gRkbe4hG3RrDJtXpiZKsQHtdzF17zfV3di07Q0HI
 TII8wYuYUNvDMJk9Vcf5m5Jf5bPD5VLmIHdUMSWQs5TRNh0nT1VX1t25MuKQ0iym
 3dBsqHpjxp68b0LMoAYuWyJRlhvkSMRHXVG4ilux9RVYkFIDBNlsazYiZL0n5mQa
 uBzcLHfRJI3rfNOTXOORUIBuSaqjKlA9GK2XHFw19QKvpUoWR4kM6LBjBjpoNU/F
 jxaIX1xmj0Hj5KAPOy9alEEqjNnYZV6s63FTUuXEHP37vyKPCSttvWGTZKoluOc=
 =hf9U
 -----END PGP SIGNATURE-----

 --Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL--

Responsible-Changed-From-To: security-officer->lib-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Thu, 18 Jun 2015 01:50:54 +0000
Responsible-Changed-Why:
this is not a security-officer issue any more (if it ever was)


From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39313 CVS commit: pkgsrc/security/openpam
Date: Tue, 28 Apr 2020 23:01:26 +0000

 Module Name:	pkgsrc
 Committed By:	riastradh
 Date:		Tue Apr 28 23:01:26 UTC 2020

 Modified Files:
 	pkgsrc/security/openpam: builtin.mk

 Log Message:
 security/openpam: define NO_STATIC_MODULES on NetBSD

 This is a hack to work around a mistake in the NetBSD openpam build
 which leaked into the public header files.  We will fix this in the
 NetBSD build but it's been in the public header files for nearly a
 decade now, with each individual pam module sometimes having this
 workaround, so let's apply the workaround uniformly for now.

 PR security/39313
 PR security/55216


 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/openpam/builtin.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39313 CVS commit: src
Date: Wed, 29 Apr 2020 02:16:57 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Apr 29 02:16:57 UTC 2020

 Modified Files:
 	src/external/bsd/openpam/dist/include/security: openpam.h
 	src/lib/libpam: Makefile.inc
 	src/lib/libpam/libpam: Makefile
 	src/lib/libpam/modules: mod.mk

 Log Message:
 Reverse sense of NO_STATIC_MODULES -> OPENPAM_STATIC_MODULES.

 This avoids leaking NO_STATIC_MODULES into the public header, which
 has led to considerable confusion and workarounds in pkgrsc.

 PR security/39313
 PR security/55216

 ok christos


 To generate a diff of this commit:
 cvs rdiff -u -r1.9 -r1.10 \
     src/external/bsd/openpam/dist/include/security/openpam.h
 cvs rdiff -u -r1.18 -r1.19 src/lib/libpam/Makefile.inc
 cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/libpam/Makefile
 cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/mod.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Thu, 30 Apr 2020 21:06:30 +0000
State-Changed-Why:
fixed and worked around


From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
	Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc: 
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
 4.99.72
Date: Tue, 6 Jul 2021 21:19:03 +0200

 Whatever was fixed for this, likely broke at least security/pam-af.
 I just now noticed this because I updated my build sandbox from 9.0 to
 9.2.

 In /var/log/authlog:                                                       

 Jul  5 16:38:31 murthe sshd[10910]: error: PAM: Invalid symbol for rhialto from xxx.xxx.xx.xxx                                                                 

 In /var/log/messages:                                                

 Jul  5 16:38:36 murthe sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_af.so: no pam_sm_authenticate()                       
 Jul  5 16:38:36 murthe sshd: in openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 2           

 For ages, I have a local patch to add -DNO_STATIC_MODULES to the
 compilation (with the note "The bug is described in PR security/39313"),       
 but seemingly that no longer helps.                                     

 What did seem to help was to get these exported (see nm -D):

 0000000000203340 D _pam_module
 0000000000203320 D _pam_name

 which can be done with this hack to pam_af.c:

 @@ -448,5 +456,6 @@ pam_sm_setcred(pamh, flags, argc, argv)
  }

  #ifdef PAM_MODULE_ENTRY
 +#define static
  PAM_MODULE_ENTRY("pam_af");
  #endif

 to neutralize the "static" in the definition of PAM_MODULE_ENTRY.

 -Olaf.
 -- 
 ___ "Buying carbon credits is a bit like a serial killer paying someone else to
 \X/  have kids to make his activity cost neutral." -The BOFH    falu.nl@rhialto

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
	Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc: 
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
 4.99.72
Date: Wed, 7 Jul 2021 18:51:27 +0200

 Curiously, it seems that the change from this PR isn't in 9.2.
 So something else must have broken pam-af... Maybe I can find out.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
	Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc: 
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
 4.99.72
Date: Thu, 8 Jul 2021 21:00:56 +0200

 I am starting to think that I compiled the pam-af package once without
 my local patch (adding -DNO_STATIC_MODULES), which would explain why it
 didn't work.

 With -DNO_STATIC_MODULES, pam_af.so exports pam_sm_authenticate and
 therefore it works on 9.2.  But this method would fail in -current.

 With this patch,

     #define static	/* giant hack! */
     PAM_MODULE_ENTRY("pam_af");

 it works because pam_af.so exports _pam_module. At least one of those
 should be exported. Here is the code in
 external/bsd/openpam/dist/lib/libpam/openpam_dynamic.c:

         dlmodule = dlsym(module->dlh, "_pam_module");
         for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
                 if (dlmodule) {
                         module->func[i] = dlmodule->func[i];
                 } else {
                         module->func[i] = (pam_func_t)dlfunc(module->dlh,
                             pam_sm_func_name[i]);

 which shows that the symbol _pam_module must be exported, or all of
 pam_sm_*.

 Therefore I think that the "static" before _pam_module in the definition
 of PAM_MODULE_ENTRY in <security/openpam.h> is not correct.

 The magic gcc linker sets that are allued to in the comment seem to be
 for the case where the .o file is lined into PAM itself; but since we
 have a dynamic .so file here, that is of no help.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
	Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc: 
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
 4.99.72
Date: Thu, 8 Jul 2021 21:30:19 +0200

 Why does one realise one's mistake just after sending the mail?
 Thinking it over, the -current version of <security/openpam.h>
 should work; even with either kind of hack that's needed for <= 9.2.

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.