Bug#745082: PAM fails in a fakechroot environment : insufficient permissions for audit
Hi,
It is not only chfn that gives an error in a fakechroot environment; passwd,
and possibly every PAM invocation, does too. The culprit seems to be libaudit1
linked to libpam. I was mistaken in blaming a setuid executable.
The symptoms: chfn outputs an error line
chfn: PAM: System error
and there is no change in /etc/passwd
passwd outputs:
passwd: System error
passwd: password unchanged
after password update in /etc/shadow
The possible causes: chfn fails in function pam_authenticate and
passwd fails in function do_pam_passwd (which calls pam_chauthtok)
There appears a line in /var/log/auth.log :
... chfn[27952]: PAM audit_log_acct_message() failed: Operation not permitted
or
... passwd[3417]: PAM audit_log_acct_message() failed: Operation not permitted
Line 49 in pam_auth.c
retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
and 61 in pam_password.c (pam version 1.1.8-3.1)
retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
both return -1.
(_pam_auditlog calls _pam_audit_writelog which calls audit_log_acct_message)
The ultimate cause is function check_ack returning -EPERM (line 244 of file
lib/netlink.c in audit version 1:4.2.2-1)
There is no error with the following workaround: with a file
"fake_audit_log_acct_message.c"
----------->8--------------------------->8------------------
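/* Stub that replaces libaudit's audit_log_acct_message(): it reports
 * success without sending anything to the kernel audit subsystem. */
int audit_log_acct_message(int audit_fd, int type, const char *pgname,
                           const char *op, const char *name, unsigned int id,
                           const char *host, const char *addr, const char *tty,
                           int result)
{
    /* All parameters are intentionally unused. */
    return 0;
}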
----------->8--------------------------->8------------------
$ gcc -c -fPIC fake_audit_log_acct_message.c
$ gcc -shared -Wl,-soname,libfakeaudit.so.0 -o libfakeaudit.so.0.0 \
fake_audit_log_acct_message.o -lc
$ export LD_LIBRARY_PATH=$(readlink -f .)
$ export LD_PRELOAD=libfakeaudit.so.0.0
$ fakechroot fakeroot -s .fakeroot.state debootstrap --variant=fakechroot \
sid mychroot http://ftp.us.debian.org/debian
[ ... ]
$ echo $?
0
$ fakechroot fakeroot -i .fakeroot.state -s .fakeroot.state chroot mychroot
# adduser someone
# echo $?
0
# passwd someone
...
passwd: password updated successfully
# echo $?
0
I hope it helps!
Regards,
JH Chatenet