[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#726661: login fails with pam_loginuid(sshd:session): set_loginuid failed


On Thu, Nov 13, 2014 at 10:39:35AM +0000, Simon McVittie wrote:

> I cannot reproduce this bug on a (somewhat outdated) jessie system with
> sysvinit. I would like some more information from the people who are
> affected by it:
> * Are you using a non-Debian kernel?
> * Does your kernel have AUDIT_LOGINUID_IMMUTABLE set in its configuration?
> * What init system are you using? (sysvinit? systemd? Upstart? something else?)

I can reproduce this bug on a Debian Jessie system with LXC 2.0 (from Stretch).

Host: jessie with systemd as pid1, lxc and lxcfs from stretch
Guest: jessie with sysvinit as pid1 (systemd gives me headaches in containers yet)

I think the crucial part here is that I run my containers unprivileged in an user namespace.

# cat /proc/self/loginuid

same value is returned for the sshd process

> Possible workarounds include:
> * Remove pam_loginuid.so from the ssh configuration (confirmed to work,
>   but it would reopen #677440 and doesn't seem a great idea distro-wide)
> * Use a modern init system that starts system services via IPC to pid 1,
>   i.e. systemd or Upstart
>   - The restarted openssh-server has loginuid -1
>   - The transition from -1 to 4321 succeeds
>   - Everything's fine
> * Use a Debian kernel without AUDIT_LOGINUID_IMMUTABLE (?)
> * Drop pam_loginuid.so from required to optional in the ssh configuration (?)

There are PAM patches at [1][2][3], maybe they just need backporting to Jessie?


[1] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=5825450540e6620ac331c64345b42fdcbb1d6e87
[2] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
[3] https://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_loginuid/pam_loginuid.c?id=2e62d5aea3f5ac267cfa54f0ea1f8c07ac85a95a

Reply to: