libpam-runtime uninitialized values

Bug #270328 reported by Munzir Taha (منذر طه)
2
Affects Status Importance Assigned to Milestone
auth-client-config (Ubuntu)
Fix Released
Undecided
Jamie Strandboge
pam (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

$ sudo dpkg-reconfigure libpam-runtime
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 27.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 28.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 29.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 30.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 31.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 27.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 27.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 27.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 27.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 27.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 27.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 28.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 28.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 28.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 28.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 28.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 28.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 29.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 29.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 30.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 30.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 31.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 31.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 37.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 38.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 39.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 37.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 37.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 37.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 37.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 37.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 37.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 38.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 38.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 38.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 38.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 38.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 38.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 39.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 39.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 39.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 39.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 39.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 39.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 29.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 30.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 31.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 394, <INPUT> line 32.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 29.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 29.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 29.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 30.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 30.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 30.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 31.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 31.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 31.
Use of uninitialized value $pattern in regexp compilation at /usr/sbin/pam-auth-update line 296, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 304, <INPUT> line 32.
Use of uninitialized value $val in string eq at /usr/sbin/pam-auth-update line 320, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 32.
Use of uninitialized value $val in string ne at /usr/sbin/pam-auth-update line 327, <INPUT> line 32.

Related branches

Steve Langasek (vorlon)
Changed in pam:
status: New → In Progress
Steve Langasek (vorlon)
Changed in pam:
status: In Progress → Fix Committed
Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

I also need to provide my password twice whether in CLI or GUI!
The status is changed to "Fix Committed", where is this fix please?

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

May be related to bug #262910

Revision history for this message
Steve Langasek (vorlon) wrote :

Committed in the pam bzr package branch at lp:~ubuntu-core-dev/pam/ubuntu/

Double-prompting for passwords is not directly related to this bug. Please follow up (here or to bug #262910) showing the contents of your /etc/pam.d/common-auth file for analysis of that issue.

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

$ cat common-auth |grep -v '#'

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth optional pam_ecryptfs.so unwrap
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

Revision history for this message
Steve Langasek (vorlon) wrote :

Please post the /full/ common-auth file, with comments intact; your file is definitely quite broken, but omitting comments leaves me without much of the context needed to figure out how it got that way.

Certainly, only the first two lines appear to be managed via the pam-auth-update framework. Did you add the other lines by hand?

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

I didn't make any manual edits to the file but I have installed ecryptfs-utils which I now believe broke the file. Here is the file:

$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-4, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
# pre_auth-client-config # auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# pre_auth-client-config # auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
auth [success=done default=ignore] pam_unix.so nullok_secure debug
auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

I just removed ecryptfs-utils to see whether the problem would be fixed. I rebooted and now I cannot even log to the system. I got Authentication Failed.

From single-user I tried
passwd mylogin
passwd: Authentication token manipulation error
passwd: password unchanged

I tried dpkg-reconfigure libpam-runtime and dpkg-reconfigure -a but nothing changed. I tried both kdm and gdm but still. Please I need any hint to recover my system as soon as possible.

TIA

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

To solve my problem, I booted from a live CD, chrooted my root and reinstalled the ecryptfs-utils and the system magically works. I am not going to set up this ecryptfs again. Better not to have a file system in cipher than to live with a system that's a mere cipher ;)

Revision history for this message
Steve Langasek (vorlon) wrote :

what version of ecryptfs-utils were you using? The current version in intrepid does not use auth-client-config. Further, these lines:

 auth [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
 auth [default=done] pam_ccreds.so action=validate use_first_pass
 auth [default=done] pam_ccreds.so action=store
 auth [default=bad] pam_ccreds.so action=update

did not come from ecryptfs-utils. It looks like they may have come from the kerberos_example profile in auth-client-config instead - do you remember having done something to enable this profile?

The sequence of events here seems to have been that you upgraded to the current version of libpam-runtime, and then afterwards ran auth-client-config, which broke the configuration. Do you recall having run auth-client-config by hand at all?

Revision history for this message
Munzir Taha (منذر طه) (munzirtaha) wrote :

My current ecryptfs-utils version is 53-1ubuntu8
I didn't try to enable the kerberos_example profile or run auth-client-config manually.
Now, after reinstalling that ecryptfs-utils package, I managed to log again to my system which is why I believe it's related somewho to the problem. More important, now my common-auth is different. It conains:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-5, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config

But dpkg-reconfigure libpam-runtime still gives the same errors

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking auth-client-config task as Invalid as this is not a bug in it. Clearly, auth-client-config was run on the system at some point, but this had to be done manually (ie, not via packaging). Please reopen if you find this to be in error. Thanks.

Changed in auth-client-config:
status: New → Invalid
Revision history for this message
Steve Langasek (vorlon) wrote :

53-1ubuntu8 is the correct version of ecryptfs-utils with pam-auth-update integration for intrepid. So the only issue here is that somewhere along the line, the kerberos_example profile from auth-client-config was enabled. If this can be traced back to a package enabling it for you without your knowledge, then that should be treated as a bug on that package. You may want to check for references to auth-client-config in the /var/lib/dpkg/info directory on your system?

The issue with dpkg-reconfigure giving errors will be fixed with the next pam upload, which is still pending.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I have reopened the bug in auth-client-config as at this time there is no reliable way to detect user changes by pam-auth-update if the sentinels are still in the files. I will try to get a fix in before beta.

Changed in auth-client-config:
assignee: nobody → jdstrand
status: Invalid → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.0.1-4ubuntu4

---------------
pam (1.0.1-4ubuntu4) intrepid; urgency=low

  * Fix a bug in the parser that caused spewing of errors when there
    were more lines in the config file following the managed block.
    LP: #270328.

 -- Steve Langasek <email address hidden> Tue, 23 Sep 2008 06:34:56 +0000

Changed in pam:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package auth-client-config - 0.9

---------------
auth-client-config (0.9) intrepid; urgency=low

  * update acc-default kerberos_example so it works better with kerberos
    principals that have a local account with the same name. Thanks to
    Adam Sommer and Steve Langasek.
  * update ldap_example profile comments to mention that libpam-cracklib is
    required
  * update auth-client config to comment out sentinels required by Debian
    and Ubuntu's pam-auth-update (LP: #270328)
  * add tests for pam-auth-update specific tests

 -- Jamie Strandboge <email address hidden> Fri, 11 Jul 2008 17:05:37 -0400

Changed in auth-client-config:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.