Bug#726661: login fails with pam_loginuid(sshd:session): set_loginuid failed
- To: Simon McVittie <firstname.lastname@example.org>, email@example.com
- Cc: Andrea Lusuardi <firstname.lastname@example.org>, Darren Tucker <email@example.com>, Colin Watson <firstname.lastname@example.org>, Carlos Alberto Lopez Perez <email@example.com>, Olivier Berger <firstname.lastname@example.org>, Thijs Kinkhorst <email@example.com>, Michael Biebl <firstname.lastname@example.org>, Laurent Bigonville <email@example.com>, firstname.lastname@example.org
- Subject: Bug#726661: login fails with pam_loginuid(sshd:session): set_loginuid failed
- From: Evgeni Golov <email@example.com>
- Date: Sun, 17 Apr 2016 21:03:57 +0200
- Message-id: <20160417190357.GA22460@nana.phantasia.die-welt.net>
- Reply-to: Evgeni Golov <firstname.lastname@example.org>, email@example.com
- In-reply-to: <20141113103935.GA31483@reptile.pseudorandom.co.uk>
- References: <1411826799.756399.172393089.4C63DF8E@webmail.messagingengine.com> <CALDDTe2zALR-hyxzVxQ7qA_aHujz0wDr1PmZNBZJb3Knu5e=8A@mail.gmail.com> <20131017205615.15469.57420.reportbug@nl-01> <20141108223417.GA5963@reptile.pseudorandom.co.uk> <20141113091942.GA30028@reptile.pseudorandom.co.uk> <20141113103935.GA31483@reptile.pseudorandom.co.uk>
On Thu, Nov 13, 2014 at 10:39:35AM +0000, Simon McVittie wrote:
> I cannot reproduce this bug on a (somewhat outdated) jessie system with
> sysvinit. I would like some more information from the people who are
> affected by it:
> * Are you using a non-Debian kernel?
> * Does your kernel have AUDIT_LOGINUID_IMMUTABLE set in its configuration?
> * What init system are you using? (sysvinit? systemd? Upstart? something else?)
I can reproduce this bug on a Debian Jessie system with LXC 2.0 (from Stretch).
Host: jessie with systemd as pid1, lxc and lxcfs from stretch
Guest: jessie with sysvinit as pid1 (systemd still gives me headaches in containers)
I think the crucial part here is that I run my containers unprivileged in a user namespace.
# cat /proc/self/loginuid
The same value is returned for the sshd process.
> Possible workarounds include:
> * Remove pam_loginuid.so from the ssh configuration (confirmed to work,
>   but it would reopen #677440 and doesn't seem a great idea distro-wide)
> * Use a modern init system that starts system services via IPC to pid 1,
>   i.e. systemd or Upstart
>   - The restarted openssh-server has loginuid -1
>   - The transition from -1 to 4321 succeeds
>   - Everything's fine
> * Use a Debian kernel without AUDIT_LOGINUID_IMMUTABLE (?)
> * Drop pam_loginuid.so from required to optional in the ssh configuration (?)
There are PAM patches at , maybe they just need backporting to Jessie?
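
An added diagnostic sketch, not part of this mail or of the PAM patches it mentions: it classifies the two values at issue in this report, the contents of /proc/self/loginuid and /proc/self/uid_map. Treating any uid_map other than the full identity mapping as "inside a user namespace" is an assumption of this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a loginuid value and a uid_map as seen by sshd.

# (uid_t)-1 as the kernel prints it; the quoted mail writes it as -1.
LOGINUID_UNSET=4294967295

# loginuid_state VALUE: "unset" for (uid_t)-1, "set" for any other number.
loginuid_state() {
    case "$1" in
        "$LOGINUID_UNSET"|-1) echo unset ;;
        ''|*[!0-9]*) echo invalid; return 1 ;;
        *) echo set ;;
    esac
}

# uid_map_is_identity TEXT: succeed only for the single full-range mapping
# "0 0 4294967295" found in the initial user namespace.
uid_map_is_identity() {
    # Word-split on purpose so the kernel's column padding is ignored.
    # shellcheck disable=SC2086
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# classify LOGINUID UID_MAP: prints host-unset, host-set, userns-unset,
# userns-set, or invalid.
classify() {
    state=$(loginuid_state "$1") || { echo invalid; return 1; }
    if uid_map_is_identity "$2"; then
        echo "host-$state"
    else
        echo "userns-$state"
    fi
}

# Live check on a Linux system: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    classify "$(cat /proc/self/loginuid)" "$(cat /proc/self/uid_map)"
fi
```

Run it with `--live` inside the container, as the same user and from the same service context as sshd, to see which case applies.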