pam wedges, preventing user login, when homedir is openafs mounted and unreadable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | Expired | Low | Unassigned |
Bug Description
Been trying to track down a problem with my new Ubuntu 7.04 install for a week or two. The issue manifests when I come in to work each morning. At that point my workstation is typically showing a screensaver. The screensaver is running and the machine is not hung. However, usually when I try to unlock the screensaver and return to my user session, that process wedges.
What is a real bummer is that though I can switch to another VT and try to login there, that *also* wedges if I try to login as myself.
Logging in as root on a VT does work, but if as root I try to su to my normal user, that too wedges. Stracing such an attempt finally led me to a hint: the strace showed that the process wedged exactly while trying to stat64 .pam_environment in my homedir. Boo. Likely my homedir is not readable at this point as my AFS tokens have very well expired.
This appears to be due to a recent patch in pam, "Patch 100 (renumbered from 060): Look at ~/.pam_environment too". I couldn't find user (admin) documentation for this code, but reading the source I see that there should be an option user_read_env which if set to zero should prevent PAM from trying to read the offending file. It appears that the default configuration did NOT have this set, so it was trying to read the file. And wedging. I adjusted every call to pam_env.so in /etc/pam.d/* to have user_read_env=0.
I'm typing this before I've actually waited 24 hours to verify that the problem is solved (remember, it typically only manifests when I arrive in the morning...). I'll append to the bug report if I come in tomorrow and the problem persists.
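An added example, not part of the original report: a small audit of a PAM service directory for active pam_env.so entries that lack the option the reporter describes. The option string defaults to the spelling used in the report (user_read_env=0) and is a parameter, since the exact name should be checked against the installed pam_env documentation; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pam_env.so entries that still read per-user env files.

# audit_pam_env DIR [OPTION]
# Prints "file:lineno: line" for every active pam_env.so entry in DIR that
# does not carry OPTION (default: the spelling used in the report).
audit_pam_env() {
    dir=$1
    opt=${2:-user_read_env=0}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v opt="$opt" -v name="$f" '
            /^[ \t]*#/ { next }                    # whole-line comment
            /pam_env\.so/ {
                found = 0
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^#/) break           # trailing comment: ignore the rest
                    if ($i == opt) found = 1
                }
                if (!found) printf "%s:%d: %s\n", name, NR, $0
            }' "$f"
    done
}

# make_sample: build a constructed stand-in for /etc/pam.d and print its path.
make_sample() {
    d=$(mktemp -d)
    # No option at all: should be reported.
    printf '%s\n' '# constructed sample' 'auth required pam_env.so' > "$d/login"
    # Option present: should pass.
    printf '%s\n' 'session required pam_env.so readenv=1 user_read_env=0' > "$d/su"
    # Option only inside a comment: should be reported.
    printf '%s\n' 'auth required pam_env.so # user_read_env=0' > "$d/gdm"
    echo "$d"
}

# Demo on the constructed directory; on a real host run: audit_pam_env /etc/pam.d
sample=$(make_sample)
audit_pam_env "$sample"
rm -rf "$sample"
```

An empty result means every active pam_env.so line carries the option; each printed line is a service that can still block on an unreadable home directory in the way the report describes.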
Changed in pam:
assignee: keescook → nobody
importance: Undecided → Low
status: In Progress → Confirmed

Changed in pam (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Incomplete
pam (0.99.7.1-4ubuntu1~ppa1) gutsy; urgency=low
  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
  * Dropped:
    - debian/rules: bashism fixes (merged upstream).
    - debian/control: Conflict on ancient nis (expired with Breezy).
    - debian/libpam-runtime.postinst: check for ancient pam (expired with
      Breezy).
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
      Left out of "series" for now (LP: #113586).
pam (0.99.7.1-4) unstable; urgency=low
  * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
    to fix the library skew, only reloaded; special-case this daemon in the
    postinst and remove the mention of it from the debconf template, also
    tightening the language of the debconf template in the process.
    Closes: #440074.
  * Add courier-authdaemon to the list of services that need to be
    restarted; thanks to Micah Anderson for reporting.
  * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
    garbage lines in /etc/environment and log an error, instead of failing
    with an obscure error; and ignore any PAM_BAD_ITEM values returned
    by pam_putenv(), since this is the expected error return when trying
    to delete a non-existent var. Closes: #439984.
  * Yet another thinko in hurd_no_setfsuid and in
    029_pam_limits_capabilities; this code should really be Hurd-safe at
    last...
  * getline() returns -1 on EOF, not 0; check this appropriately, to fix
    an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
    <email address hidden> for the fix. Closes: #440019.
  * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
    debconf.
  * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
    errors about missing files or files with wrong permissions; these are
    real errors that should not be buried.
  * Drop the remainder of 061_pam_issue_double_free, not required for the
    original bugfix.
  * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
    we define CRACKLIB_DICTS in debian/rules.
  * Drop patch 063_paswd_segv, superseded by a different upstream fix
  * Split 047_pam_limits_chr...