NetBSD Problem Report #39313

From oster@scrooge.localdomain  Thu Aug  7 15:40:39 2008
Return-Path: <oster@scrooge.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9697F63BB81
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  7 Aug 2008 15:40:39 +0000 (UTC)
From: oster@netbsd.org
Reply-To: oster@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: security/pam-ldap shared lib missing functions on 4.99.72
X-Send-Pr-Version: 3.95

>Number:         39313
>Category:       security
>Synopsis:       security/pam-ldap libraries missing functions on 4.99.72
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 07 20:00:09 +0000 2008
>Last-Modified:  Sun Feb 08 10:10:02 +0000 2009
>Originator:     Greg Oster
>Release:        NetBSD 4.99.72
>Organization:
-
>Environment:


System: NetBSD scrooge 4.99.72 NetBSD 4.99.72 (BROADWAY) #0: Sat Aug 2 17:24:05 CST 2008 oster@quad:/u1/builds/build78/src/sys/arch/i386/compile/BROADWAY i386
Architecture: i386
Machine: i386
>Description:
Message-Id: <20080807154038.726C5113E2E@scrooge.localdomain>
Date: Thu,  7 Aug 2008 09:40:38 -0600 (CST)

	When compiled with the defaults, the pam-ldap.o and
pam-ldap.so libraries are missing functions.  For example:

Aug  4 14:18:26 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_acct_mgmt()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug  4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug  4 14:18:44 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()

Looking at the sizes of the .o and .so files, we see:

-rw-r--r--  1 root  wheel   596 Aug  7 09:01 pam_ldap.o
-rwxr-xr-x  1 root  wheel  8194 Aug  7 09:01 pam_ldap.so*

and wonder in amazement how a PAM+LDAP module can be so efficient.
Turns out it can't.  Compiled properly, these files should look 
more like:

-rw-r--r--  1 root  wheel  38904 Aug  4 15:50 pam_ldap.o
-rwxr-xr-x  1 root  wheel  41798 Aug  4 15:50 pam_ldap.so*

(these have all the pam_sm_* functions, and work just fine..)

>How-To-Repeat:
	On a NetBSD/i386 4.99.72 box do:

	cd /usr/pkgsrc/security/pam-ldap
	make package clean
	configure sshd to use pam_ldap.so
	wonder why you can't log in via ssh
	look in /var/log/messages and wonder why the pam_sm* functions
	 don't exist.

>Fix:

It turns out that the issue is in
src/dist/openpam/include/security/openpam.h where changing some of the
logic resulted in NO_STATIC_MODULES no longer being defined for
NetBSD.  That causes PAM_EXTERN to be defined as:

 #define PAM_EXTERN static

and since the pam_sm_* functions are defined as:

 PAM_EXTERN pam_sm_foo()

this means that 'gcc -O2' is happy to optimize those functions away,
leaving us with an effectively useless .so file.

A workaround is to add:

 CFLAGS+=-DNO_STATIC_MODULES

to the security/pam-ldap package, but that won't solve this problem if
it appears elsewhere...
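
A post-build check for the failure described above, as an added example that is not part of the original report: a shell function that reads `nm` output and lists the required pam_sm_* entry points that are not exported as global symbols. The function name, the sample symbol tables and their addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). Reads `nm` output on stdin and prints
# every required PAM entry point that is not an exported code symbol.

# missing_pam_syms [symbol ...]
# With no arguments it checks the three entry points named in the
# syslog lines of this report. Exit status is non-zero if any is missing.
missing_pam_syms() {
    [ $# -gt 0 ] || set -- pam_sm_authenticate pam_sm_acct_mgmt pam_sm_setcred
    awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        # nm lines look like "<addr> <type> <name>" or "<type> <name>".
        NF >= 2 {
            type = $(NF - 1); name = $NF
            # T = global text, W = weak global. Lowercase t is a local
            # (static) symbol, which dlsym() cannot resolve, so it does
            # not count as exported.
            if (type == "T" || type == "W") exported[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(req[i] in exported)) { print req[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample: symbol table of a module built with
# PAM_EXTERN defined as static (entry points absent or local only).
sample_nm_broken() {
cat <<'EOF'
00000400 T _init
00000490 t pam_sm_authenticate
00000580 T _fini
EOF
}

# Constructed sample: the same module built with -DNO_STATIC_MODULES.
sample_nm_fixed() {
cat <<'EOF'
00000a10 T pam_sm_authenticate
00000c40 T pam_sm_acct_mgmt
00000d20 T pam_sm_setcred
         U ldap_initialize
EOF
}
```

Against a real module, pipe in `nm -D /usr/pkg/lib/security/pam_ldap.so`; a non-zero exit status means at least one entry point is missing.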



>Audit-Trail:
From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Fri, 21 Nov 2008 04:28:25 +0100

 I have committed your fix (or workaround?), but there is some really
 odd stuff in that header so I think it's better to leave this bug open.

 The module works as it should for me with pam-ldap-184nb2.

From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:48:15 +0100

 The offending part is in /usr/include/security/openpam.h,
 which has the following comment:

 /*
  * Infrastructure for static modules using GCC linker sets.
  * You are not expected to understand this.
  */
 #if defined(__FreeBSD__) || defined(__NetBSD__)
 # define PAM_SOEXT ".so"
 #else
 # undef NO_STATIC_MODULES
 # define NO_STATIC_MODULES
 #endif
 (...a really ugly hack under this...)

 Do we really need this part?
 What purpose does it serve?


From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc: 
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:44:29 +0100

 security/gnome-keyring has the same issue. I worked around it there too,
 but this should be handled at the root of the problem.

