NetBSD Problem Report #46577
From rhialto@falu.nl Sun Jun 10 19:47:20 2012
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 731B963B882
for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 Jun 2012 19:47:20 +0000 (UTC)
Message-Id: <201206101947.q5AJlDeu005976@radl.falu.nl>
Date: Sun, 10 Jun 2012 21:47:13 +0200 (CEST)
From: rhialto@falu.nl
Reply-To: rhialto@falu.nl
To: gnats-bugs@gnats.NetBSD.org
Cc: rhialto@falu.nl
Subject: Old PAM problem with -DNO_STATIC_MODULES has come back.
X-Send-Pr-Version: 3.95
>Number: 46577
>Category: pkg
>Synopsis: Old PAM problem with -DNO_STATIC_MODULES has come back.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 10 19:50:00 +0000 2012
>Originator: Rhialto
>Release: NetBSD 5.1
>Organization:
>Environment:
System: NetBSD radl.falu.nl 5.1 NetBSD 5.1 (Radl-s_Pervasion_of_the_Incorrect_Chord) #0: Mon Jan 24 20:25:13 CET 2011 root@vargaz.falu.nl:/usr/src/sys/arch/amd64/compile/RADL5.1 amd64
Architecture: x86_64
Machine: amd64
>Description:
Since I last updated to pkgsrc-2012Q1, I am seeing this in my syslog
very often:
Jun 10 20:48:31 radl sshd: in openpam_dispatch(): /usr/pkg/lib/security/pam_af.so: no pam_sm_setcred()
This is apparentklty from the security/pam-af package.
Strangely enough, it seems it was updated a pkgsrc stable branch
earlier, but I only see this effect now.
Apparently this problem happened before, and was "fixed" by adding
-DNO_STATIC_MODULES to CFLAGS:
http://mail-index.netbsd.org/current-users/2009/08/05/msg010266.html
and followup
but it is back.
Somehow the -DNO_STATIC_MODULES disappears; I can't see a trace of it
in the build output:
===> configure-message [pam-af-1.0.2nb1] ===> Configuring for pam-af-1.0.2nb1
=> Checking for portability problems in extracted files
=> replace hard-coded paths
===> build-message [pam-af-1.0.2nb1] ===> Building for pam-af-1.0.2nb1
if [ "`uname -s`" = "FreeBSD" -o "`uname -s`" = "NetBSD" -o "`uname -s`" = "OpenBSD" -o "`uname -s`" = "DragonFly" ]; then /usr/bin/make CFLAGS="-I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_" LD=ld LDFLAGS=" -s --shared -lpam -lcrypt" ./pam_af.so; /usr/bin/make CFLAGS="-I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_" LDFLAGS="" ./pam_af_tool/pam_af_tool; elif [ "`uname -s`" = "Linux" ]; then /usr/bin/make CFLAGS="-I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch !
-Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_GNU_SOURCE -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_FLOCK_ -D_HAVE_SYS_FILE_H_" LD=ld LDFLAGS="-lgdbm -lgdbm_compat -s --shared -lpam -lcrypt" ./pam_af.so; /usr/bin/make CFLAGS="-I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_GNU_SOURCE -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_FLOCK_ -D_HAVE_SYS_FILE_H_" LDFLAGS="-lgdbm -lgdbm_compat" ./pam_af_tool/pam_af_tool; elif [ "`uname -s`" = "SunOS" ]; then /usr/bin/make CFLAGS="-I./common/ -DPIC -fPIC -O2 -D_SUN_PAM_ -D_HAVE_USERDEFS_H_" LD=ld LDFLAGS="-lnsl -lsocket -s -G -lpam -lcrypt" ./pam_af.so; /usr/bin/make CFLAGS="-I./common/ -DPIC -fPIC -O2 -D_SUN_PAM_ -D_HAVE_USERDEFS_H_" LDFLAGS="-lnsl -lsocket" ./pam_af_tool/pam_af_tool; elif [ "`uname -s`" = "HP-UX" ]; then /usr/bin/make CFLAGS="-Ae +w1 +W 474,486,542 +z +O!
2" LD=ld LDFLAGS=" -s -b -lpam -lsec" ./pam_af.so; /usr/bin!
/make CFLAGS="-I./common/ -DPIC -Ae +w1 +W 474,486,542 +z +O2" LDFLAGS="" ./pam_af_tool/pam_af_tool; else /usr/bin/make ./pam_af.so; /usr/bin/make ./pam_af_tool/pam_af_tool; fi
cc -I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_ -c ./pam_af.c -o ./pam_af.o
cc -I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_ -DPAM_AF_DEFS -c ./common/subr.c -o ./subr.o
ld -s --shared -lpam -lcrypt ./pam_af.o ./subr.o -o ./pam_af.so
cc -I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_ -c ./pam_af_tool/pam_af_tool.c -o ./pam_af_tool/pam_af_tool.o
cc -I./common/ -DPIC -O2 -Wall -Werror -Wno-format-y2k -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wchar-subscripts -Winline -Wnested-externs -fPIC -D_HAVE_PATHS_H_ -D_HAVE_ERR_H_ -D_HAVE_GETPROGNAME_ -D_USE_MODULE_ENTRY_ -D_HAVE_SALEN_ -c ./common/subr.c -o ./pam_af_tool/subr.o
cc ./pam_af_tool/pam_af_tool.o ./pam_af_tool/subr.o -o ./pam_af_tool/pam_af_tool
=> Unwrapping files-to-be-installed.
radl.4:.../pkgsrc/security/pam-af$
>How-To-Repeat:
Install security/pam-af to protect against bulk ssh intrusions.
See notices that make you think it doesn't work.
>Fix:
As a workaround, I changed the provided patches of the
security/pam-af/work.x86_64/pam_af-1.0.2/Makefile so that it adds this
line:
CFLAGS_BSD += -DNO_STATIC_MODULES
This seems to make it work for me, but it is probably too drastic in
general.
The email thread alludes to a proper fix that there is to be made.
-Olaf.
--
___ Olaf 'Rhialto' Seibert -- There's no point being grown-up if you
\X/ rhialto/at/xs4all.nl -- can't be childish sometimes. -The 4th Doctor
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home