NetBSD Problem Report #39313
From oster@scrooge.localdomain Thu Aug 7 15:40:39 2008
Return-Path: <oster@scrooge.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 9697F63BB81
for <gnats-bugs@gnats.NetBSD.org>; Thu, 7 Aug 2008 15:40:39 +0000 (UTC)
From: oster@netbsd.org
Reply-To: oster@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: security/pam-ldap shared lib missing functions on 4.99.72
X-Send-Pr-Version: 3.95
>Number: 39313
>Category: security
>Synopsis: security/pam-ldap libraries missing functions on 4.99.72
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Aug 07 20:00:09 +0000 2008
>Closed-Date: Thu Apr 30 21:06:30 +0000 2020
>Last-Modified: Thu Jul 08 19:35:01 +0000 2021
>Originator: Greg Oster
>Release: NetBSD 4.99.72
>Organization:
-
>Environment:
System: NetBSD scrooge 4.99.72 NetBSD 4.99.72 (BROADWAY) #0: Sat Aug 2 17:24:05 CST 2008 oster@quad:/u1/builds/build78/src/sys/arch/i386/compile/BROADWAY i386
Architecture: i386
Machine: i386
>Description:
Message-Id: <20080807154038.726C5113E2E@scrooge.localdomain>
Date: Thu, 7 Aug 2008 09:40:38 -0600 (CST)
Status: RO
Content-Length: 2039
Lines: 57
When compiled with the defaults, the pam-ldap.o and
pam-ldap.so libraries are missing functions. For example:
Aug 4 14:18:26 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()
Aug 4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_acct_mgmt()
Aug 4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug 4 14:18:28 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_setcred()
Aug 4 14:18:44 scrooge sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_ldap.so: no pam_sm_authenticate()
Looking at the sizes of the .o and .so files, we see:
-rw-r--r-- 1 root wheel 596 Aug 7 09:01 pam_ldap.o
-rwxr-xr-x 1 root wheel 8194 Aug 7 09:01 pam_ldap.so*
and wonder in amazement how a PAM+LDAP module can be so efficient.
Turns out it can't. Compiled properly, these files should look
more like:
-rw-r--r-- 1 root wheel 38904 Aug 4 15:50 pam_ldap.o
-rwxr-xr-x 1 root wheel 41798 Aug 4 15:50 pam_ldap.so*
(these have all the pam_sm_* functions, and work just fine..)
>How-To-Repeat:
On a NetBSD/i386 4.99.72 box do:
cd /usr/pkgsrc/security/pam-ldap
make package clean
configure sshd to use pam_ldap.so
wonder why you can't login via ssh
look in /var/log/messages and wonder why the pam_sm* functions
don't exist.
>Fix:
It turns out that the issue is in
src/dist/openpam/include/security/openpam.h where changing some of the
logic resulted in NO_STATIC_MODULES no longer being defined for
NetBSD. That causes PAM_EXTERN to be defined as:
#define PAM_EXTERN static
and since the pam_sm_* functions are defined as:
PAM_EXTERN pam_sm_foo()
this means that 'gcc -O2' is happy to optimize those functions away,
leaving us with an effectively useless .so file.
A workaround is to add:
CFLAGS+=-DNO_STATIC_MODULES
to the security/pam-ldap package, but that won't solve this problem if
it appears elsewhere...
>Release-Note:
>Audit-Trail:
From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: security/39313
Date: Fri, 21 Nov 2008 04:28:25 +0100
I have committed your fix (or workaround?), but there are some really
odd stuff in that header so I think it's better to leave this bug open.
The module works as it should for me with pam-ldap-184nb2.
From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:48:15 +0100
--Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
The offending part is in /usr/include/security/openpam.h,
which has the following comment:
/*
* Infrastructure for static modules using GCC linker sets.
* You are not expected to understand this.
*/
#if defined(__FreeBSD__) || defined(__NetBSD__)
# define PAM_SOEXT ".so"
#else
# undef NO_STATIC_MODULES
# define NO_STATIC_MODULES
#endif
(...a really ugly hack under this...)
Do we really need this part?
What purpose does it serve?
--Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
iQEcBAEBAgAGBQJJjqpfAAoJEMPaVQK9vGn517UIAIdQcucESUuZyqArb4jxbf/I
3tbd2gT7XUGseyJsaJJyg4BLFDn1kulw0zJzJy84LJKJ8q9NHxY+Ddw7UnMJ6+US
bRPqxfaa3zdNqqCipszWaVZLCxxmcE1uaq8Ii2xLvZYhmYRQv/75BUBC8U1nOdyh
BePlsiQARqx6VSOKgBDWJWDn/s4HlorTpG+TjyBs8pjc5Fj+J4yXVtPDw0Rr/OM/
UN1YL/NAgbfWrr2GrlDYoSdFr7z3hWuo3l/iW89Qosy156ERDNHhgAVvpRHdHwYA
+ppi1tZp5lSFy9rW7Kcm35kXfeNkvSm43OuQ2AnTKS3S0zEFapTtgfQrBOeRla8=
=tRnn
-----END PGP SIGNATURE-----
--Signature=_Sun__8_Feb_2009_10_48_15_+0100_nnElx_PGJ1Txrlux--
From: Adam Hoka <adam.hoka@gmail.com>
To: gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: security/39313
Date: Sun, 8 Feb 2009 10:44:29 +0100
--Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
security/gnome-keyring has the same issue. I worked it around there too,
but this should be handled at the root of the problem.
--Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
iQEcBAEBAgAGBQJJjql9AAoJEMPaVQK9vGn5jIYH/AhkRDnQYqcrh3St0gfJbZC0
a52SpXwzc+J9eLZ1sSGUc561gRkbe4hG3RrDJtXpiZKsQHtdzF17zfV3di07Q0HI
TII8wYuYUNvDMJk9Vcf5m5Jf5bPD5VLmIHdUMSWQs5TRNh0nT1VX1t25MuKQ0iym
3dBsqHpjxp68b0LMoAYuWyJRlhvkSMRHXVG4ilux9RVYkFIDBNlsazYiZL0n5mQa
uBzcLHfRJI3rfNOTXOORUIBuSaqjKlA9GK2XHFw19QKvpUoWR4kM6LBjBjpoNU/F
jxaIX1xmj0Hj5KAPOy9alEEqjNnYZV6s63FTUuXEHP37vyKPCSttvWGTZKoluOc=
=hf9U
-----END PGP SIGNATURE-----
--Signature=_Sun__8_Feb_2009_10_44_29_+0100_v4+KNf=/emmoSWuL--
Responsible-Changed-From-To: security-officer->lib-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Thu, 18 Jun 2015 01:50:54 +0000
Responsible-Changed-Why:
this is not a security-officer issue any more (if it ever was)
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39313 CVS commit: pkgsrc/security/openpam
Date: Tue, 28 Apr 2020 23:01:26 +0000
Module Name: pkgsrc
Committed By: riastradh
Date: Tue Apr 28 23:01:26 UTC 2020
Modified Files:
pkgsrc/security/openpam: builtin.mk
Log Message:
security/openpam: define NO_STATIC_MODULES on NetBSD
This is a hack to work around a mistake in the NetBSD openpam build
which leaked into the public header files. We will fix this in the
NetBSD build but it's been in the public header files for nearly a
decade now, with each individual pam module sometimes having this
workaround, so let's apply the workaround uniformly for now.
PR security/39313
PR security/55216
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/openpam/builtin.mk
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39313 CVS commit: src
Date: Wed, 29 Apr 2020 02:16:57 +0000
Module Name: src
Committed By: riastradh
Date: Wed Apr 29 02:16:57 UTC 2020
Modified Files:
src/external/bsd/openpam/dist/include/security: openpam.h
src/lib/libpam: Makefile.inc
src/lib/libpam/libpam: Makefile
src/lib/libpam/modules: mod.mk
Log Message:
Reverse sense of NO_STATIC_MODULES -> OPENPAM_STATIC_MODULES.
This avoids leaking NO_STATIC_MODULES into the public header, which
has led to considerable confusion and workarounds in pkgrsc.
PR security/39313
PR security/55216
ok christos
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/external/bsd/openpam/dist/include/security/openpam.h
cvs rdiff -u -r1.18 -r1.19 src/lib/libpam/Makefile.inc
cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/libpam/Makefile
cvs rdiff -u -r1.15 -r1.16 src/lib/libpam/modules/mod.mk
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Thu, 30 Apr 2020 21:06:30 +0000
State-Changed-Why:
fixed and worked around
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc:
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
4.99.72
Date: Tue, 6 Jul 2021 21:19:03 +0200
Whatever was fixed for this, likely broke at least security/pam-af.
I just now noticed this because I updated my build sandbox from 9.0 to
9.2.
In /var/log/authlog:
Jul 5 16:38:31 murthe sshd[10910]: error: PAM: Invalid symbol for rhialto from xxx.xxx.xx.xxx
In /var/log/messages:
Jul 5 16:38:36 murthe sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_af.so: no pam_sm_authenticate()
Jul 5 16:38:36 murthe sshd: in openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 2
For ages, I have a local patch to add -DNO_STATIC_MODULES to the
compilation (with the note "The bug is described in PR security/39313"),
but seemingly that no longer helps.
What did seem to help was to get these exported (see nm -D):
0000000000203340 D _pam_module
0000000000203320 D _pam_name
which can be done with this hack to pam_af.c:
@@ -448,5 +456,6 @@ pam_sm_setcred(pamh, flags, argc, argv)
}
#ifdef PAM_MODULE_ENTRY
+#define static
PAM_MODULE_ENTRY("pam_af");
#endif
to neutralize the "static" in the definition of PAM_MODULE_ENTRY.
-Olaf.
--
___ "Buying carbon credits is a bit like a serial killer paying someone else to
\X/ have kids to make his activity cost neutral." -The BOFH falu.nl@rhialto
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc:
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
4.99.72
Date: Wed, 7 Jul 2021 18:51:27 +0200
Curiously, it seems that the change from this PR isn't in 9.2.
So something else must have broken pam-af... Maybe I can find out.
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc:
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
4.99.72
Date: Thu, 8 Jul 2021 21:00:56 +0200
I am starting to think that I compiled the pam-af package once without
my local patch (adding -DNO_STATIC_MODULES), which would explain why it
didn't work.
With -DNO_STATIC_MODULES, pam_af.so exports pam_sm_authenticate and
therefore it works on 9.2. But this method would fail in -current.
With this patch,
#define static /* giant hack! */
PAM_MODULE_ENTRY("pam_af");
it works because pam_af.so exports _pam_module. At least one of those
should be exported. Here is the code in
external/bsd/openpam/dist/lib/libpam/openpam_dynamic.c:
dlmodule = dlsym(module->dlh, "_pam_module");
for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
if (dlmodule) {
module->func[i] = dlmodule->func[i];
} else {
module->func[i] = (pam_func_t)dlfunc(module->dlh,
pam_sm_func_name[i]);
which shows that the symbol _pam_module must be exported, or all of
pam_sm_*.
Therefore I think that the "static" before _pam_module in the definition
of PAM_MODULE_ENTRY in <security/openpam.h> is not correct.
The magic gcc linker sets that are allued to in the comment seem to be
for the case where the .o file is lined into PAM itself; but since we
have a dynamic .so file here, that is of no help.
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org, riastradh@NetBSD.org,
Adam Hoka <adam.hoka@gmail.com>, oster@netbsd.org
Cc:
Subject: Re: security/39313 security/pam-ldap shared lib missing functions on
4.99.72
Date: Thu, 8 Jul 2021 21:30:19 +0200
Why does one realise one's mistake just after sending the mail?
Thinking it over, the -current version of <security/openpam.h>
should work; even with either kind of hack that's needed for <= 9.2.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.