NetBSD Problem Report #45877

From gcw@primenet.com.au  Fri Jan 27 06:58:06 2012
Return-Path: <gcw@primenet.com.au>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 6D82563D5E6
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 27 Jan 2012 06:58:06 +0000 (UTC)
Message-Id: <20120127053546.995.qmail@g.primenet.com.au>
Date: 27 Jan 2012 16:35:46 +1100
From: gcw@primenet.com.au
Reply-To: gcw@primenet.com.au
To: gnats-bugs@gnats.NetBSD.org
Subject: openpam modules are not installed root but are required to be at runtime
X-Send-Pr-Version: 3.95

>Number:         45877
>Category:       lib
>Synopsis:       openpam modules are not installed root but are required to be at runtime
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jnemeth
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 27 07:00:00 +0000 2012
>Closed-Date:    Fri Jan 27 22:24:19 +0000 2012
>Last-Modified:  Fri Jan 27 22:24:19 +0000 2012
>Originator:     Geoff C. Wing
>Release:        NetBSD 5.99.60
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 5.99.60 NetBSD 5.99.60 (G) #0: Thu Jan 19 17:36:04 EST 2012 gcw@g.primenet.com.au:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
	Files in /usr/lib/security are required by
	openpam_check_path_owner_perms() to be owned by root and
	not writable by group/other.  If this is not true, then
	pam will fail (and you can't log in).

	(See external/bsd/openpam/dist/lib/openpam_check_owner_perms.c)

	They are not explicitly installed as root, which can give an
	installation which won't allow any authentication, etc.

>How-To-Repeat:
	Use "BINOWN?=somethingelse" in your /etc/mk.conf (or set otherwise)
>Fix:

Index: lib/libpam/Makefile.inc
===================================================================
RCS file: /cvsroot/src/lib/libpam/Makefile.inc,v
retrieving revision 1.14
diff -u -r1.14 Makefile.inc
--- lib/libpam/Makefile.inc	27 Dec 2011 16:53:24 -0000	1.14
+++ lib/libpam/Makefile.inc	27 Jan 2012 01:59:21 -0000
@@ -50,3 +50,6 @@
 # version, and we need these variables early for module install rules.
 SHLIB_MAJOR=	3
 SHLIB_MINOR=	0
+
+# openpam requires the files to be owned by root
+BINOWN=	root
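
Review bot: The added "BINOWN= root" line pins only the owner, while the check described in this report also rejects files that are writable by group or other. An install mode overridden the same way BINOWN was (for example from /etc/mk.conf) would still leave the modules unusable at runtime, so consider pinning the mode next to the owner as well. The new comment could also name openpam_check_path_owner_perms() so the reason for the hard-coded owner is easy to trace later.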

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: lib-bug-people->jnemeth
Responsible-Changed-By: jnemeth@NetBSD.org
Responsible-Changed-When: Fri, 27 Jan 2012 08:58:14 +0000
Responsible-Changed-Why:
I fixed it.


State-Changed-From-To: open->pending-pullups
State-Changed-By: jnemeth@NetBSD.org
State-Changed-When: Fri, 27 Jan 2012 08:58:14 +0000
State-Changed-Why:
This has been fixed in -current, but it should be pulled up to the release
branches.  Thanks for the PR!


From: "John Nemeth" <jnemeth@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/45877 CVS commit: src/lib/libpam
Date: Fri, 27 Jan 2012 08:45:11 +0000

 Module Name:	src
 Committed By:	jnemeth
 Date:		Fri Jan 27 08:45:10 UTC 2012

 Modified Files:
 	src/lib/libpam: Makefile.inc

 Log Message:
 PR/45877 - Geoff C. Wing -- openpam modules need to be owned by root


 To generate a diff of this commit:
 cvs rdiff -u -r1.14 -r1.15 src/lib/libpam/Makefile.inc

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/45877 (openpam modules are not installed root but are
 required to be at runtime)
Date: Fri, 27 Jan 2012 16:06:33 -0500

 On Fri, 27 Jan 2012 08:58:15 +0000 (UTC)
 jnemeth@NetBSD.org wrote:

 > Synopsis: openpam modules are not installed root but are required to be at runtime
 > 
 > Responsible-Changed-From-To: lib-bug-people->jnemeth
 > Responsible-Changed-By: jnemeth@NetBSD.org
 > Responsible-Changed-When: Fri, 27 Jan 2012 08:58:14 +0000
 > Responsible-Changed-Why:
 > I fixed it.
 > 
 > 
 > State-Changed-From-To: open->pending-pullups
 > State-Changed-By: jnemeth@NetBSD.org
 > State-Changed-When: Fri, 27 Jan 2012 08:58:14 +0000
 > State-Changed-Why:
 > This has been fixed in -current, but it should be pulled up to the release
 > branches.  Thanks for the PR!

 I've not seen this problem on netbsd-5, interestingly... perhaps a
 -current regression?
 -- 
 Matt

From: Geoff Wing <gcw@pobox.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/45877 (openpam modules are not installed root but are
 required to be at runtime)
Date: Sat, 28 Jan 2012 08:28:44 +1100

 On Friday 2012-01-27 21:10 +0000, Matthew Mondor output:
 : I've not seen this problem on netbsd-5, interestingly... perhaps a
 : -current regression?

 The file doing the user and access checking seems to be new with the openpam
 version brought into -current on 2011/12/25, and I didn't see the problem a
 couple of months prior to that.  Thus it seems linked to the current openpam
 version.

 Regards,
 Geoff

State-Changed-From-To: pending-pullups->closed
State-Changed-By: jnemeth@NetBSD.org
State-Changed-When: Fri, 27 Jan 2012 22:24:19 +0000
State-Changed-Why:
The issue is due to a change in the latest version of openpam and doesn't
affect the branches, so no pullup needed.
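
The owner and permission rule described in this report can be checked on an installed system before anyone logs out. The following is an added example, not part of the PR and not NetBSD or OpenPAM code: a shell function that lists module files failing the rule as the report states it. The function name and the optional owner argument are assumptions made for illustration; /usr/lib/security is the path given in the report.

```shell
#!/bin/sh
# Added example (not NetBSD or OpenPAM code): list PAM module files that
# would fail the rule stated in this PR, i.e. files that are not owned by
# root or that are writable by group/other.
#
# usage: audit_pam_modules [dir] [owner]
#   dir    module directory, default /usr/lib/security (path from the PR)
#   owner  required owner, default root; the argument is an assumption of
#          this example so the check can be tried on a scratch directory
#
# returns 0 if every regular file passes, 1 if any file is flagged
# (flagged paths are printed one per line), 2 if dir is not a directory.
audit_pam_modules() {
    dir=${1:-/usr/lib/security}
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "audit_pam_modules: $dir: not a directory" >&2
        return 2
    fi

    # -perm -020 matches files with the group-write bit set,
    # -perm -002 matches files with the other-write bit set.
    # Symlinks are skipped (-type f); their targets are checked directly.
    bad=$(find "$dir" -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run with no arguments after an install built with a non-default BINOWN to see which modules would be rejected.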


>Unformatted:
