Package: libpam-ssh
Version: 1.92-7
Severity: important

Hi,
pam_ssh.so segfaults in pam_sm_open_session if there is no
controlling terminal. You can reproduce this with at:
Make sure there is
auth optional pam_ssh.so use_first_pass
session optional pam_ssh.so
in the relevant files in /etc/pam.d, then attach gdb to atd and
schedule a job for immediate execution:
# gdb /usr/sbin/atd <pid>
(gdb) set follow-fork-mode child
$ echo echo foo | at now
The child created by at will now segfault:
[New Thread 0x7fb011fde6f0 (LWP 26525)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fb011fde6f0 (LWP 26525)]
0x00007fb0118f5210 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007fb0118f5210 in strlen () from /lib/libc.so.6
#1  0x00007fb0118f4f46 in strdup () from /lib/libc.so.6
#2  0x00007fb00fda6760 in pam_sm_open_session (pamh=0x1b78330, flags=32768, argc=0, argv=0x0) at pam_ssh.c:933
#3  0x00007fb011bcfc2a in ?? () from /lib/libpam.so.0
#4  0x000000000040218f in run_file (filename=0x1b76f0b "a00024013df45f", uid=<value optimized out>, gid=1) at atd.c:387
#5  0x0000000000402aa9 in run_loop () at atd.c:648
#6  0x0000000000402e07 in main (argc=1, argv=0x7fff4308ca78) at atd.c:797
The relevant lines from pam_ssh.c are:
925         if ((retval = pam_get_item(pamh, PAM_TTY,
926             (const void **)(void *)&tty_raw)) != PAM_SUCCESS) {
927                 openpam_restore_cred(pamh);
928                 return retval;
929         }
930
931         /* set tty_nodir to the tty with / replaced by _ */
932
933         if (!(tty_nodir = strdup(tty_raw))) {
But the call to pam_get_item may store NULL in tty_raw. At least
a quick glance at pam_securetty.so from the pam package shows an
explicit check for this[1]:
    retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
    uttyname = void_uttyname;
    if (retval != PAM_SUCCESS || uttyname == NULL) {
        pam_syslog (pamh, LOG_WARNING, "cannot determine user's tty");
        return PAM_SERVICE_ERR;
    }
Maybe pam_ssh can use "pid12345" instead of the tty name in case
there is no controlling terminal.
Regards,
Ansgar
[1] see modules/pam_securetty/pam_securetty.c in pam-1.0.1
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-ssh depends on:
ii libc6 2.9-23 GNU C Library: Shared libraries
ii libpam0g 1.0.1-10 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8k-3 SSL shared libraries
Versions of packages libpam-ssh recommends:
ii openssh-client [ssh-client] 1:5.1p1-6 secure shell client, an rlogin/rsh
libpam-ssh suggests no packages.
-- no debconf information
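
The fallback suggested in the report above, sketched as an added example that is not part of the original report and is not pam_ssh code. The helper name session_tty_name, its signature, the "pid<N>" format and the treatment of an empty string as "no tty" are assumptions made for illustration; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: derive the name that pam_ssh.c line 933 builds
 * from PAM_TTY.  tty_raw is the pointer pam_get_item() stored; it can
 * be NULL even when the call returned PAM_SUCCESS (no controlling
 * terminal, e.g. a job started by atd), so it is checked before any
 * string function touches it.
 * Returns a malloc'd string the caller must free, or NULL if the
 * allocation fails.
 */
char *session_tty_name(const char *tty_raw, long pid)
{
    char *name, *p;
    size_t len;

    if (tty_raw == NULL || *tty_raw == '\0') {
        /* No tty: fall back to "pid<N>" as proposed in the report. */
        int n = snprintf(NULL, 0, "pid%ld", pid);
        if (n < 0 || (name = malloc((size_t)n + 1)) == NULL)
            return NULL;
        snprintf(name, (size_t)n + 1, "pid%ld", pid);
        return name;
    }

    /* Copy the tty name (what strdup did in the original code). */
    len = strlen(tty_raw);
    if ((name = malloc(len + 1)) == NULL)
        return NULL;
    memcpy(name, tty_raw, len + 1);

    /* Same transformation as the original: '/' replaced by '_'. */
    for (p = name; *p != '\0'; p++)
        if (*p == '/')
            *p = '_';
    return name;
}

int main(void)
{
    /* Constructed inputs: two tty names, an empty string, and NULL. */
    const char *samples[] = { "/dev/pts/3", "tty1", "", NULL };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *n = session_tty_name(samples[i], 12345L);
        printf("%s -> %s\n", samples[i] ? samples[i] : "(null)",
               n ? n : "(allocation failed)");
        free(n);
    }
    return 0;
}
```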