pam-auth-update does not correctly process a valid profile file

Bug #295441 reported by Daniel Richard G. on 2008-11-08
10
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
High
Steve Langasek
Intrepid
Medium
Steve Langasek

Bug Description

Binary package hint: libpam-runtime

Working with libpam-runtime 1.0.1-4ubuntu5 in intrepid.

I've put together a profile for pam-auth-update to use. For some reason, it doesn't like the session-related fields I have, despite them appearing to be well-formed. Attached is a (somewhat) minimal example that triggers the bug.

When I run pam-auth-update to enable the new profile, I get this mess (after returning from the debconf dialog):

# pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 237, <INPUT> line 23.
Use of uninitialized value $modline in substitution (s///) at /usr/sbin/pam-auth-update line 239, <INPUT> line 23.
Use of uninitialized value $mod in substitution (s///) at /usr/sbin/pam-auth-update line 242, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 243, <INPUT> line 23.
Use of uninitialized value $mod in hash element at /usr/sbin/pam-auth-update line 244, <INPUT> line 23.
Use of uninitialized value $modline in concatenation (.) or string at /usr/sbin/pam-auth-update line 258, <INPUT> line 23.

Unfortunately, /etc/pam.d/common-session turns out incorrectly generated. Here is the last part of the file, after the above operation:

# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_krb5.so minimum_uid=20000
session
session
session
# end of pam-auth-update config

Then, when I go to disable the profile, the below comes up just before the debconf dialog:

# pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 26.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 26.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 27.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 27.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 28.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 28.

Daniel Richard G. (skunk) wrote :
Steve Langasek (vorlon) on 2008-11-13
Changed in pam:
assignee: nobody → vorlon
importance: Undecided → High
status: New → Fix Committed
Steve Langasek (vorlon) on 2008-11-13
Changed in pam:
assignee: nobody → vorlon
importance: Undecided → Medium
status: New → Confirmed
Colin Whittaker (colin-netech) wrote :

what is the fix for this? Will it be added to intrepid-updates?

Steve Langasek (vorlon) wrote :

This bug was fixed in the upload of pam 1.0.1-5ubuntu1. Changes:

pam (1.0.1-5ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable
  * Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/pam-auth-update (et al): new interface for managing
      /etc/pam.d/common-*, using drop-in config snippets provided by module
      packages.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
  * Bump the version numbers referenced in the config files, again, as pam
    has revved in Debian and moved the bar.
  * pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
    as a present but empty file; thanks to Greg Price for the patch.
    LP: #294513.
  * pam-auth-update: Ignore removed profiles when detecting an empty set
    of currently-enabled modules. Thanks to Greg Price for this as well.
  * debian/control: libpam-runtime needs a versioned dependency on
    debconf, because it uses the x_loadtemplatefile extension that's
    not supported by debconf versions before hardy. LP: #295135.
  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.
  * pam-auth-update: factor out the duplicate code used for returning
    the lines for a given module

  [ Jonathan Marsden ]
  * debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add to patch, documenting how to set limits for root user.
    Include an example. Alters limits.conf, limits.conf.5.xml,
    and limits.conf.5 . (LP: #65244)

Changed in pam:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pam:
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

Whoops, sorry. Rejecting:

FAILED: pam (The source pam - 1.0.1-4ubuntu5.4 is already accepted in ubuntu/jaunty and you cannot upload the same version within the same distribution. You have to modify the source version and re-upload.)

Please bump version and reupload.

Changed in pam:
status: Fix Committed → Triaged

On Fri, Mar 13, 2009 at 06:03:25PM -0000, Martin Pitt wrote:
> FAILED: pam (The source pam - 1.0.1-4ubuntu5.4 is already accepted in
> ubuntu/jaunty and you cannot upload the same version within the same
> distribution. You have to modify the source version and re-upload.)

> Please bump version and reupload.

Gah. :( Reuploaded.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in pam (Ubuntu Intrepid):
status: Triaged → Fix Committed
tags: added: verification-needed
Daniel Richard G. (skunk) wrote :

pam-auth-update(8) from intrepid-proposed is no longer generating invalid PAM config files, but it still prints a spew of Perl warnings when invoked:

# /usr/sbin/pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 27.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 27.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 28.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 28.
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 607, <CURRENT> line 29.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 615, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 637, <CURRENT> line 29.

For reference purposes, I am attaching my modified copy of the (old) pam-auth-update script, that works correctly and does not produce warnings.

Please get a fix for this into Jaunty ASAP.

Martin Pitt (pitti) wrote :

Can anyone test the intrepid-proposed version, please?

Chaskiel Grundman (cg2v) wrote :

I installed this update today (I did not previously have the problem, or if I did, I fixed it by adjusting my profile)
After upgrading, I downloaded the test case, installed it in /usr/share/pam-configs, and ran pam-auth-update. There were no perl warnings, and the correct adjustment to /etc/pam.d/common-session occurred:
diff -r /tmp/pam-save/common-session /etc/pam.d/common-session
25a26,29
> session optional pam_krb5.so minimum_uid=20000
> session optional pam_afs_session.so
> session optional pam_exec.so /etc/athena/scratchdir
> session optional pam_exec.so /etc/athena/session

disabling the service also worked without any perl warnings. I can confirm that if I have libpam-runtime=1.0.1-4ubuntu5.3
installed, then pam-auth-update with the test case behaves as in the original report.

Martin Pitt (pitti) on 2009-04-20
tags: added: verification-done
removed: verification-needed
Daniel Richard G. (skunk) wrote :

Martin, I have libpam-runtime 1.0.1-4ubuntu5.5 on Intrepid here. My report from 2009-03-25 still stands. Can you please fix those Perl warnings?

Martin Pitt (pitti) wrote :

Daniel, can you please open a new bug for the warnings?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.0.1-4ubuntu5.5

---------------
pam (1.0.1-4ubuntu5.5) intrepid-proposed; urgency=low

  * pam-auth-update: trim leading whitespace from multiline fields when
    parsing PAM profiles. LP: #295441.

 -- Steve Langasek <email address hidden> Mon, 09 Mar 2009 23:02:31 -0700

Changed in pam (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Daniel Richard G. (skunk) wrote :

Bug #364665 created: "pam-auth-update spews Perl warnings while processing a valid profile file"

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers