Bug 604

Summary: AUTHENTICATION ERROR MESSAGES COULD BE FOUND IN /VAR/ADM/MESSAGES
Product: Sudo Reporter: Gyorgy Aszalos <gyorgy.aszalos>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: high    
Priority: normal    
Version: 1.7.4   
Hardware: Sun   
OS: Solaris 2.x   
Attachments: 'sudo -V' output
truss output
LD_DEBUG

Description Gyorgy Aszalos 2013-06-04 04:13:15 MDT 
Automatic installation of sudo was enabled during update installation, sudo was updated to version 1.7.4p6.
 
Since this update sudo complains about the missing symbol in the module pam_login_limit.so.1
"
Oct  8 03:13:55 fxsnsrm1n1 sudo: [ID 702911 auth.notice]    rtp99 : TTY=unknown ; PWD=/export/home/rtp99 ; USER=root ; COMMAND=/opt/SUNWstkcam/bin/sscs list alarm
Oct  8 03:13:55 fxsnsrm1n1 sudo[23909]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
Oct  8 03:13:55 fxsnsrm1n1 sudo[23909]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1 
"

The check of the file /usr/lib/security/pam_login_limit.so.1 which was noted as incompatible for the start of sudo, is existing and has the correct permission set.
 
This problem was neutralised by disabling this module in pam.conf:
(These lines were commented out from /etc/pam_conf
other   auth requisite          pam_login_limit.so.1 execute_first timeout_account=30 count_limit=5
other   auth required           pam_login_limit.so.1 timeout_account=30 count_limit=5)
 
 
The problem is reproducible:
Used command:
LD_DEBUG=all,output=sudo-linker.out /usr/local/bin/sudo /opt/SUNWstkcam/bin/sscs list alarm

Using the account rtp99 did not produce a sudo-linker.out. As user “root” the alarm output was generated.


Taken from /var/log/authlog:
May 14 11:25:36 fxsnsrm1n1 sudo: [ID 702911 auth.notice]     root : TTY=pts/5 ; PWD=/dump/Indizien/N25186 ; USER=root ; COMMAND=/opt/SUNWstkcam/bin/sscs list alarm
May 14 11:25:36 fxsnsrm1n1 sudo[22674]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
May 14 11:25:36 fxsnsrm1n1 sudo[22674]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1

They switched off the workaround and had been activated  pam_login_limit, while a couple of messages became obviously:

May 14 11:25:15 fxsnsrm1n1 sshd[21720]: [ID 342432 auth.error] pam_login_limit(auth): unknown option '#N25186'

The unknown option seems to be configured in pam.conf, where they have entered a comment why they deactivate pam_login_limit.so.1 

other  auth requisite          pam_login_limit.so.1 execute_first timeout_account=30 count_limit=5 #N25186
other  auth required           pam_login_limit.so.1 timeout_account=30 count_limit=5 #N25186

But it is really a special problem of sudo, because sshd has not a problem with pam_login_limit

Note:
The problem can be reproduced with the latest sudo versions as well:
1.8.1p2-sol10 and sudo-1.8.6p8
Comment 1 Gyorgy Aszalos 2013-06-05 09:28:35 MDT 
Created attachment 369 [details]
'sudo -V' output
Comment 2 Gyorgy Aszalos 2013-06-05 09:29:54 MDT 
Created attachment 370 [details]
truss output
Comment 3 Gyorgy Aszalos 2013-06-05 09:34:53 MDT 
Created attachment 371 [details]
LD_DEBUG

Hello, 

please find some symptoms about the issue.

Thank you.

Best regards, 

Gyorgy
Comment 4 Todd C. Miller 2013-06-10 05:59:11 MDT 
This sounds like a problem with pam_login_limit.so, not sudo.
If you run:

    nm -o /usr/lib/security/pam_login_limit.so.1|grep main

do you see a reference to main?  If so, then pam_login_limit.so.1
is the problem.

The pam_login_limit.so module is not shipped as a standard part of
Solaris as far as I can tell.  I've seen this exact problem when a
shared module is built with gcc but the final linking is done without
using the -shared flag.
Comment 5 Gyorgy Aszalos 2013-06-10 07:52:40 MDT 
Hello Todd,

first of all thank you for your feedback. This could be the reason, because
both sudo and pam_login_limit.so.1 were installed during the same installation
procedure, not only sudo. 

According to the output the pam_login_limit.so.1 contains a reference to main. 

$  /usr/ccs/bin/nm  -o ./pam_login_limit.so.1 | grep main
[88]    |000000000000|000000000000|NOTY |GLOB |0    |UNDEF  |main

Just a question remained unanswered for me. 
$ ls -l /usr/local/bin/sudo.1.*
---s--x--x   1 root     root      205396 Jun  7 08:36 /usr/local/bin/sudo.1.7.4p4
---s--x--x   1 root     root      207090 Feb  4  2011 /usr/local/bin/sudo.1.7.4p6

If ran the following two commands on a test machine for the same pam_login_limit.so.1, 
I have the following output:

1. Using the older sudo version.
$ /usr/local/bin/sudo.1.7.4p4 vi /etc/passwd
Password:
Sorry, try again.
Password:
sudo.1.7.4p4: 1 incorrect password attempt

Note: The correct password is not accepted

2. Using sudo installed during the latest update

$  /usr/local/bin/sudo.1.7.4p6 vi /etc/passwd
sudo.1.7.4p6: pam_authenticate: Dlopen failure

$ tail /var/adm/messages

Jun 10 15:39:10 blnfce066 sudo: [ID 702911 auth.alert]    rtp99 : 1 incorrect password attempt ; TTY=pts/42 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Jun 10 15:39:36 blnfce066 sudo.1.7.4p6[1597]: [ID 401707 auth.error] open_module: /usr/lib/security/pam_login_limit.so.1 failed: ld.so.1: sudo.1.7.4p6: fatal: relocation error: file /usr/lib/security/pam_login_limit.so.1: symbol main: referenced symbol not found
Jun 10 15:39:36 blnfce066 sudo.1.7.4p6[1597]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_login_limit.so.1
Jun 10 15:39:36 blnfce066 sudo: [ID 702911 auth.alert]    rtp99 : pam_authenticate: Dlopen failure ; TTY=pts/42 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
[rtp99@blnfce066:/usr/local/bin]

$ date
Monday, June 10, 2013  3:40:03 PM MEST

I am confused, why the behaviour of two sudo versions are different with the same pam_login_limit.so.1.

Regards, 

Gyorgy
Comment 6 Gyorgy Aszalos 2013-06-14 03:36:44 MDT 
Hello,

my colleague found that the build script is using gcc –G option: 
 gcc -G ../CR0096243/PAM/pam_login_limit.c -lpam -lc -o ../CR0096243/PAM/pam_login_limit.so.1

The recompiled pam_login_limit.so.1 with 'gcc -shared -DPIC -fPIC -G pam_login_limit.c -lpam -lc -o pam_login_limit.so.1' seems to be solved the problem. 

Thank you once again your help.

Regards, 

Gyorgy
Comment 7 Todd C. Miller 2013-06-16 05:01:19 MDT 
Submitter confirmed that pam_login_limit.so was the problem.