Bug#791810: marked as done (pam-shield: not recognizing whitelisted IP ranges (hostnames OK))



Your message dated Fri, 09 Feb 2024 18:16:55 +0000
with message-id <E1rYVQl-00EJYH-2s@fasolo.debian.org>
and subject line Bug#1061204: Removed package(s) from unstable
has caused the Debian Bug report #791810,
regarding pam-shield: not recognizing whitelisted IP ranges (hostnames OK)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
791810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791810
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: pam-shield
Version: 0.9.6-1.1
Severity: important

This package provides a configuration file called shield.conf. Within
this file, lines may be added of this form:

  allow 127.0.0.1/255.0.0.0

or of this form:

  allow hostname.and.domain.name

Such a line causes pam-shield to ignore failed login attempts from the
named host or network, whereas it would usually track such failed login
attempts and eventually blackhole traffic originating from that host or
network.

However, the first form does not work correctly, in that attempts from a
matching host or network ARE tracked and eventually blocked despite the
"allow" line. This can be seen with the attached configuration file by
repeatedly attempting to SSH into the local machine. The
/var/log/auth.log file reports the following information during each
connection attempt:

  PAM-shield[<pid>]: allowing from 127.0.0.1/255.0.0.0

But eventually, further attempts are locked out. With the provided
configuration file, this happens after five attempts. Inspection of the
source code shows that the following line should also be appearing in
/var/log/auth.log:

  PAM-shield[<pid>]: whitelist match: 127.0.0.1 127.0.0.1 255.0.0.0

I took a very close look at the match_ipv4_list() function in
pam_shield_lib.c, and noticed something strange. After building the
package, the for loop on line 121 totally disappeared! By "disappeared,"
I mean that there was no assembler code emitted to implement the for
loop, and instead the compiler just assumed that it would fail to match
one IP address to another.

After playing around with compiler options, I discovered that this was
happening due to overzealous optimization by gcc. The offending
optimization flag was -ftree-vrp, which is turned on by default when
using the -O2 optimization level.

Quite frankly, I have no clue why this option causes the for loop to be
optimized away -- if I did, I would propose a code change for pam-shield
or file a bug against gcc as appropriate. But since I'm stumped on that
front, the best suggestion I have is to change the build sequence for
pam-shield to include a new CFLAGS entry: -fno-tree-vrp. I verified that
including this flag results in a working build.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
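The IPv4 allow-list matching described in the report above, as an added example that is neither pam-shield's code nor the submitter's: a standalone parser and matcher for the shield.conf dotted-mask form whose loop uses only unsigned arithmetic and a bounded index (an optimiser may drop a loop only after proving it can never run, which in practice usually means undefined behaviour in the body; the report does not establish the cause in pam-shield), plus a self-check that would expose a silently removed loop in a test run instead of in /var/log/auth.log. The names parse_allow, ipv4_allow_match and selfcheck and the 192.0.2.0 sample entry are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* One "allow <addr>/<mask>" entry from shield.conf, in host byte order. */
struct allow_net { uint32_t net, mask; };

/* Parse the dotted-mask form "a.b.c.d/e.f.g.h" into an entry.
   Returns 1 on success, 0 if either half is not a valid IPv4 address. */
int parse_allow(const char *spec, struct allow_net *out)
{
    char buf[64], *slash;
    struct in_addr a, m;
    if (strlen(spec) >= sizeof buf) return 0;          /* reject overlong specs */
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) == NULL) return 0;  /* hostname form: not handled here */
    *slash = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1 || inet_pton(AF_INET, slash + 1, &m) != 1)
        return 0;
    out->mask = ntohl(m.s_addr);
    out->net = ntohl(a.s_addr) & out->mask;            /* normalise host bits away */
    return 1;
}

/* Return 1 if addr (dotted quad) lies inside any entry of the list. Only
   unsigned 32-bit arithmetic and a bounded index are used in the loop. */
int ipv4_allow_match(const char *addr, const struct allow_net *list, size_t n)
{
    struct in_addr a;
    uint32_t ip; size_t i;
    if (inet_pton(AF_INET, addr, &a) != 1) return 0;
    ip = ntohl(a.s_addr);
    for (i = 0; i < n; i++)
        if ((ip & list[i].mask) == list[i].net) return 1;
    return 0;
}

/* Regression check mirroring the report: 127.0.0.1/255.0.0.0 must match the
   local host. A build that dropped the loop returns 0 here. */
int selfcheck(void)
{
    struct allow_net list[2];                          /* constructed sample config */
    if (!parse_allow("127.0.0.1/255.0.0.0", &list[0])) return 0;
    if (!parse_allow("192.0.2.0/255.255.255.0", &list[1])) return 0;
    return ipv4_allow_match("127.0.0.1", list, 2) == 1
        && ipv4_allow_match("127.200.3.4", list, 2) == 1
        && ipv4_allow_match("192.0.2.77", list, 2) == 1
        && ipv4_allow_match("10.0.0.1", list, 2) == 0;
}
```

Running selfcheck() from a package test under both -O2 and -O2 -fno-tree-vrp gives a cheap way to confirm that the two builds agree before shipping.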
--- Begin Message ---
Version: 0.9.6-1.3+rm

Dear submitter,

as the package pam-shield has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1061204

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---