NetBSD Problem Report #40599
From dholland@eecs.harvard.edu Tue Feb 10 02:41:48 2009
Return-Path: <dholland@eecs.harvard.edu>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id DF5E463B400
for <gnats-bugs@gnats.NetBSD.org>; Tue, 10 Feb 2009 02:41:47 +0000 (UTC)
Message-Id: <20090210024145.66AC5F78F@tanaqui.eecs.harvard.edu>
Date: Mon, 9 Feb 2009 21:41:45 -0500 (EST)
From: dholland@eecs.harvard.edu
Reply-To: dholland@eecs.harvard.edu
To: gnats-bugs@gnats.NetBSD.org
Subject: MKKERBEROS=no without MKPAM=no yields a broken system
X-Send-Pr-Version: 3.95
>Number: 40599
>Category: lib
>Synopsis: MKKERBEROS=no without MKPAM=no yields a broken system
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 10 02:45:00 +0000 2009
>Last-Modified: Mon Aug 22 02:40:02 +0000 2011
>Originator: David A. Holland
>Release: NetBSD 5.99.7 (20090209)
>Organization:
>Environment:
System: NetBSD tanaqui 5.99.7 NetBSD 5.99.7 (TANAQUI) #24: Mon Feb 9 11:19:51 EST 2009 root@tanaqui:/usr/src/sys/arch/i386/compile/TANAQUI i386
Architecture: i386
Machine: i386
>Description:
Building a system with MKKERBEROS=no without also setting MKPAM=no
yields a completely broken system, in which all logins are rejected
because pam_krb5.so is missing. The only recourse appears to be to
cycle the power and recompile in single-user mode.
Furthermore, in this configuration xdm leaves xdm.core in /, which is
clearly not acceptable.
>How-To-Repeat:
build.sh
>Fix:
First, make things not fail miserably; that is, the pam libraries
should survive modules being missing without dumping core. This is
pretty basic.
Then, either the ritualized standard invocations in /etc/pam.d should
be installed without Kerberos when MKKERBEROS=no, or they should be
constructed robustly so that they will skip Kerberos if Kerberos is
not installed, without at the same time failing open under other
failure conditions. The second of these is obviously preferable, but
my (perhaps limited) understanding is that it is beyond the ability of
PAM.
I do not think it reasonable to expect the user to edit the muck in
/etc/pam.d to build a system without Kerberos; but in any event it is
certainly unreasonable to expect it when the need to do so is not, as
far as I can tell, documented.
The real (and more controversial) fix of course is to remove PAM and
replace it with something that works.
>Release-Note:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: lib/40599: MKKERBEROS=no without MKPAM=no yields a broken system
Date: Sun, 15 Feb 2009 09:18:05 +0000
On Tue, Feb 10, 2009 at 02:45:00AM +0000, dholland@eecs.harvard.edu wrote:
> >Fix:
>
> First, make things not fail miserably; that is, the pam libraries
> should survive modules being missing without dumping core. This is
> pretty basic.
This appears to be a lack of error-checking in xdm.
> Then, either the ritualized standard invocations in /etc/pam.d should
> be installed without Kerberos when MKKERBEROS=no, or they should be
> constructed robustly so that they will skip Kerberos if Kerberos is
> not installed, without at the same time failing open under other
> failure conditions. The second of these is obviously preferable, but
> my (perhaps limited) understanding is that it is beyond the ability of
> PAM.
>
> I do not think it reasonable to expect the user to edit the muck in
> /etc/pam.d to build a system without Kerberos; but in any event it is
> certainly unreasonable to expect it when the need to do so is not, as
> far as I can tell, documented.
After discussing this with jnemeth, it appears the best approach is
probably to change things around so that a missing module is replaced
with a builtin module that always fails. This cannot make the
configuration *more* permissive so can't be construed as failing open,
but in practice will make missing kerberos modules harmless without
any need to edit /etc/pam.d.
It isn't that difficult a patch, either.
I will run this by tech-security.
> The real (and more controversial) fix of course is to remove PAM and
> replace it with something that works.
Coming up with something clearly enough better to gain traction (since
PAM has become pretty much standard) will be difficult.
In case anyone disposed to think about it is reading this, I have two
observations to make:
(1) Having the process that faces an unauthenticated user be
maximally privileged, or for that matter privileged at all, is
not desirable. But rearranging the world so this isn't
necessary is a big step.
(2) One of the less obvious problems with PAM is that it is based
on a specific mechanism, that is, stringing together chains of
modules, and you configure it by manipulating the mechanism
rather than by specifying a policy you want it to implement.
(It is somewhat like System V init in this regard.) Exposing
the mechanism like this makes it unnecessarily difficult to
work with.
--
David A. Holland
dholland@netbsd.org
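As an added illustration, not code from the PR or from NetBSD, the following Python models the argument in the reply above: a simplified OpenPAM-style walk over a pam.d chain, the PR's failure mode in which an absent module file rejects every login, and an exhaustive check that standing in an always-fail module for a missing one can never make a chain more permissive. The control-flag semantics are deliberately simplified (no "binding" flag, no PAM_IGNORE), and the sample chain and the pam_unix name are constructed; only pam_krb5 appears in the PR.

```python
import itertools

# Control flags and per-module outcomes, as plain strings for brevity.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"
FLAGS = (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL)
SUCCESS, FAIL, MISSING = "success", "fail", "missing"   # MISSING: the .so is absent

def dispatch(chain, outcomes):
    """Walk a pam.d chain like a simplified OpenPAM dispatcher.
    chain: list of (flag, module) in pam.d order; outcomes: module -> result.
    A MISSING module reproduces the PR's failure mode: the chain cannot be
    built at all, so every login is rejected, not only Kerberos ones."""
    if any(outcomes[m] == MISSING for _, m in chain):
        return FAIL
    required_failed, nsuccess = False, 0
    for flag, mod in chain:
        if outcomes[mod] == SUCCESS:
            nsuccess += 1
            if flag == SUFFICIENT and not required_failed:
                break                     # sufficient success short-circuits
            continue
        if flag in (REQUIRED, REQUISITE):
            required_failed = True
            if flag == REQUISITE:
                break                     # requisite failure stops at once
        # optional/sufficient failures only matter if nothing else succeeds
    return FAIL if required_failed or nsuccess == 0 else SUCCESS

def with_always_fail(outcomes):
    """The PR's proposal: a missing module becomes a builtin that always fails."""
    return {m: FAIL if r == MISSING else r for m, r in outcomes.items()}

def never_more_permissive(n=3):
    """Exhaustive check: forcing any one module to FAIL never turns a
    rejected chain into an accepted one, for every flag/result combination."""
    mods = [f"m{i}" for i in range(n)]
    for flags in itertools.product(FLAGS, repeat=n):
        chain = list(zip(flags, mods))
        for results in itertools.product((SUCCESS, FAIL), repeat=n):
            base = dict(zip(mods, results))
            for victim in mods:
                degraded = {**base, victim: FAIL}
                if dispatch(chain, base) == FAIL and dispatch(chain, degraded) == SUCCESS:
                    return False
    return True

# Constructed 'auth' stack shaped like a typical pam.d entry. pam_unix is a
# stand-in name; only pam_krb5 appears in the PR.
LOGIN_AUTH = [(SUFFICIENT, "pam_krb5"), (REQUIRED, "pam_unix")]
```

With pam_krb5 absent, `dispatch` rejects everyone (the PR's symptom); with the always-fail stand-in, the result is whatever pam_unix decides, and `never_more_permissive()` confirms the substitution cannot fail open in this model.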
Responsible-Changed-From-To: lib-bug-people->dholland
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Sun, 15 Feb 2009 09:23:39 +0000
Responsible-Changed-Why:
I will look after it.
Responsible-Changed-From-To: dholland->lib-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Mon, 15 Jun 2009 08:21:25 +0000
Responsible-Changed-Why:
What I'd been suggesting as a fix is apparently not acceptable for subtle
PAM reasons that I don't fully understand.
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/40599 CVS commit: src/share/man/man5
Date: Mon, 22 Aug 2011 02:37:15 +0000
Module Name: src
Committed By: dholland
Date: Mon Aug 22 02:37:15 UTC 2011
Modified Files:
src/share/man/man5: mk.conf.5
Log Message:
Until someone figures out a fix for PR 40599, document that MKKERBEROS=no
will break the system without either MKPAM=no or a customized PAM config.
As suggested by Ian D. Leroux on current-users and in PR 45263, but with
different text.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/share/man/man5/mk.conf.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.