--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pam-shield: not recognizing whitelisted IP ranges (hostnames OK)
- From: Louis Wust <louiswust@fastmail.fm>
- Date: Wed, 08 Jul 2015 12:16:01 -0400
- Message-id: <20150708161601.6472.35910.reportbug@electron.local>
Source: pam-shield
Version: 0.9.6-1.1
Severity: important
This package provides a configuration file called shield.conf. Within
this file, lines may be added of this form:
allow 127.0.0.1/255.0.0.0
or of this form:
allow hostname.and.domain.name
Such a line causes pam-shield to ignore failed login attempts from the
named host or network, whereas it would usually track such failed login
attempts and eventually blackhole traffic originating from that host or
network.
However, the first form does not work correctly, in that attempts from a
matching host or network ARE tracked and eventually blocked despite the
"allow" line. This can be seen with the attached configuration file by
repeatedly attempting to SSH into the local machine. The
/var/log/auth.log file reports the following information during each
connection attempt:
PAM-shield[<pid>]: allowing from 127.0.0.1/255.0.0.0
But eventually, further attempts are locked out. With the provided
configuration file, this happens after five attempts. Inspection of the
source code shows that the following line should also be appearing in
/var/log/auth.log:
PAM-shield[<pid>]: whitelist match: 127.0.0.1 127.0.0.1 255.0.0.0
I took a very close look at the match_ipv4_list() function in
pam_shield_lib.c, and noticed something strange. After building the
package, the for loop on line 121 totally disappeared! By "disappeared,"
I mean that there was no assembler code emitted to implement the for
loop, and instead the compiler just assumed that it would fail to match
one IP address to another.
After playing around with compiler options, I discovered that this was
happening due to overzealous optimization by gcc. The offending
optimization flag was -ftree-vrp, which is turned on by default when
using the -O2 optimization level.
Quite frankly, I have no clue why this option causes the for loop to be
optimized away -- if I did, I would propose a code change for pam-shield
or file a bug against gcc as appropriate. But since I'm stumped on that
front, the best suggestion I have is to change the build sequence for
pam-shield to include a new CFLAGS entry: -fno-tree-vrp. I verified that
including this flag results in a working build.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---