Hi,

chfn doesn't only give an error in a fakechroot environment, but passwd - and possibly every PAM invocation - too. The culprit seems to be libaudit1 linked to libpam. I was mistaken in blaming a setuid executable.

The symptoms:

chfn outputs an error line
    chfn: PAM: System error
and there is no change in /etc/passwd

passwd outputs:
    passwd: System error
    passwd: password unchanged
after password update in /etc/shadow

The possible causes:

chfn fails in function pam_authenticate and
passwd fails in function do_pam_passwd (which calls pam_chauthtok)

There appears a line in /var/log/auth.log:
    ... chfn[27952]: PAM audit_log_acct_message() failed: Operation not permitted
or
    ... passwd[3417]: PAM audit_log_acct_message() failed: Operation not permitted

The lines 49 in pam_auth.c
    retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
and 61 in pam_password.c (pam version 1.1.8-3.1)
    retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
both return -1.
(_pam_auditlog calls _pam_audit_writelog which calls audit_log_acct_message)

The ultimate cause is function check_ack returning -EPERM
(line 244 of file lib/netlink.c in audit version 1:4.2.2-1)

There is no error with the following workaround:

with a file "fake_audit_log_acct_message.c"
----------->8--------------------------->8------------------
/* Stub that replaces libaudit's audit_log_acct_message(): it sends
 * nothing to the kernel audit subsystem and always reports success. */
int audit_log_acct_message(int audit_fd, int type, const char *pgname,
                           const char *op, const char *name, unsigned int id,
                           const char *host, const char *addr,
                           const char *tty, int result)
{
    return 0;
}
----------->8--------------------------->8------------------

$ gcc -c -fPIC fake_audit_log_acct_message.c
$ gcc -shared -Wl,-soname,libfakeaudit.so.0 -o libfakeaudit.so.0.0 \
      fake_audit_log_acct_message.o -lc
$ export LD_LIBRARY_PATH=$(readlink -f .)
$ export LD_PRELOAD=libfakeaudit.so.0.0
$ fakechroot fakeroot -s .fakeroot.state debootstrap --variant=fakechroot \
      sid mychroot http://ftp.us.debian.org/debian
[ ... ]
$ echo $?
0
$ fakechroot fakeroot -i .fakeroot.state -s .fakeroot.state chroot mychroot
# adduser someone
# echo $?
0
# passwd someone
...
passwd: password updated successfully
# echo $?
0

I hope it helps!

Regards,
JH Chatenet

Archive: https://lists.debian.org/20150709100827.GA2536@debirf-dominicain
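
A narrower variant of the preload stub above, as an added example that is not part of the original message: it forwards to the real audit_log_acct_message() and hides only the -EPERM result, so any other audit failure still reaches PAM. The file name, the helper names tolerate_eperm and resolve_real, the libaudit.so.1 soname and the assumption that the real function reports the failure as a negative errno return value are assumptions of this example.

```c
/* audit_eperm_shim.c (hypothetical file name): LD_PRELOAD shim that forwards
 * audit_log_acct_message() to libaudit and hides only -EPERM.
 * Build: gcc -shared -fPIC -o libfakeaudit.so.0.0 audit_eperm_shim.c -ldl */
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>

typedef int (*acct_msg_fn)(int, int, const char *, const char *, const char *,
                           unsigned int, const char *, const char *,
                           const char *, int);

/* Only the "Operation not permitted" result is turned into success;
 * every other return value of the real function is passed through. */
int tolerate_eperm(int rc)
{
    return rc == -EPERM ? 0 : rc;
}

/* Look the real function up inside libaudit itself. A handle-based dlsym()
 * searches that library, so it does not find this shim again.
 * Assumption: the library's soname is libaudit.so.1 (Debian's libaudit1). */
static acct_msg_fn resolve_real(void)
{
    void *handle = dlopen("libaudit.so.1", RTLD_NOW);
    if (handle == NULL)
        return NULL;
    return (acct_msg_fn)dlsym(handle, "audit_log_acct_message");
}

int audit_log_acct_message(int audit_fd, int type, const char *pgname,
                           const char *op, const char *name, unsigned int id,
                           const char *host, const char *addr,
                           const char *tty, int result)
{
    static acct_msg_fn real;

    if (real == NULL)
        real = resolve_real();
    if (real == NULL)
        return 0; /* no libaudit available: behave like the original stub */
    return tolerate_eperm(real(audit_fd, type, pgname, op, name, id,
                               host, addr, tty, result));
}
```

It is loaded the same way as the stub in the message, through LD_LIBRARY_PATH and LD_PRELOAD.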