Bug#726661: login fails with pam_loginuid(sshd:session): set_loginuid failed
- To: Simon McVittie <smcv@debian.org>, 726661@bugs.debian.org
- Cc: Andrea Lusuardi <uovobw@gmail.com>, Darren Tucker <dtucker@zip.com.au>, Colin Watson <cjwatson@debian.org>, Carlos Alberto Lopez Perez <clopez@igalia.com>, Olivier Berger <olivier.berger@telecom-sudparis.eu>, Thijs Kinkhorst <thijs@debian.org>, Michael Biebl <biebl@debian.org>, Laurent Bigonville <bigon@debian.org>, pam@packages.debian.org
- Subject: Bug#726661: login fails with pam_loginuid(sshd:session): set_loginuid failed
- From: Evgeni Golov <evgeni@debian.org>
- Date: Sun, 17 Apr 2016 21:03:57 +0200
- Message-id: <20160417190357.GA22460@nana.phantasia.die-welt.net>
- Reply-to: Evgeni Golov <evgeni@debian.org>, 726661@bugs.debian.org
- In-reply-to: <20141113103935.GA31483@reptile.pseudorandom.co.uk>
- References: <1411826799.756399.172393089.4C63DF8E@webmail.messagingengine.com> <CALDDTe2zALR-hyxzVxQ7qA_aHujz0wDr1PmZNBZJb3Knu5e=8A@mail.gmail.com> <20131017205615.15469.57420.reportbug@nl-01> <20141108223417.GA5963@reptile.pseudorandom.co.uk> <20141113091942.GA30028@reptile.pseudorandom.co.uk> <20141113103935.GA31483@reptile.pseudorandom.co.uk>
Ohai,
On Thu, Nov 13, 2014 at 10:39:35AM +0000, Simon McVittie wrote:
> I cannot reproduce this bug on a (somewhat outdated) jessie system with
> sysvinit. I would like some more information from the people who are
> affected by it:
>
> * Are you using a non-Debian kernel?
> * Does your kernel have AUDIT_LOGINUID_IMMUTABLE set in its configuration?
> * What init system are you using? (sysvinit? systemd? Upstart? something else?)
I can reproduce this bug on a Debian Jessie system with LXC 2.0 (from Stretch).
Host: jessie with systemd as pid1, lxc and lxcfs from stretch
Guest: jessie with sysvinit as pid1 (systemd still gives me headaches in containers)
I think the crucial part here is that I run my containers unprivileged in a user namespace.
# cat /proc/self/loginuid
4294967295
The same value is returned for the sshd process.
> Possible workarounds include:
>
> * Remove pam_loginuid.so from the ssh configuration (confirmed to work,
> but it would reopen #677440 and doesn't seem a great idea distro-wide)
> * Use a modern init system that starts system services via IPC to pid 1,
> i.e. systemd or Upstart
> - The restarted openssh-server has loginuid -1
> - The transition from -1 to 4321 succeeds
> - Everything's fine
> * Use a Debian kernel without AUDIT_LOGINUID_IMMUTABLE (?)
> * Drop pam_loginuid.so from required to optional in the ssh configuration (?)
There are PAM patches at [1][2][3], maybe they just need backporting to Jessie?
Greets
Evgeni
[1] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=5825450540e6620ac331c64345b42fdcbb1d6e87
[2] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
[3] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=2e62d5aea3f5ac267cfa54f0ea1f8c07ac85a95a
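A check for the two conditions the message above describes (loginuid still unset, process inside a user namespace), as an added example that is not part of the original mail, of pam_loginuid, or of the linked patches. The function names are hypothetical; it relies on the initial user namespace showing the single identity line `0 0 4294967295` in `/proc/self/uid_map`.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper names); not pam_loginuid code.

UNSET_LOGINUID=4294967295   # (uid_t)-1, written as "-1" in the quoted mail

# loginuid_state VALUE -> unset | set:<uid> | invalid
loginuid_state() {
    case "$1" in
        ''|*[!0-9]*)        echo invalid ;;
        "$UNSET_LOGINUID")  echo unset ;;
        *)                  echo "set:$1" ;;
    esac
}

# userns_kind UID_MAP_TEXT -> initial | mapped | unknown
# The initial user namespace has the single identity extent "0 0 4294967295";
# any other mapping means the process runs inside a user namespace.
userns_kind() {
    set -f            # no globbing while word-splitting the map text
    set -- $1
    set +f
    if [ "$#" -eq 0 ]; then
        echo unknown
    elif [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]; then
        echo initial
    else
        echo mapped
    fi
}

# diagnose LOGINUID_TEXT UID_MAP_TEXT -> one summary line
diagnose() {
    echo "userns=$(userns_kind "$2") loginuid=$(loginuid_state "$1")"
}

# Live use: sh script.sh --live
# (reads /proc/self/loginuid and /proc/self/uid_map)
if [ "${1:-}" = "--live" ]; then
    diagnose "$(cat /proc/self/loginuid 2>/dev/null)" \
             "$(cat /proc/self/uid_map 2>/dev/null)"
fi
```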