[Bug 476069] Re: segfault
Russ Allbery
rra at debian.org
Fri Nov 6 06:12:38 GMT 2009
Alex Mauer <hawke at hawkesnest.net> writes:

> Nope, su'ing to the current user. 'su - $USER', using the environment
> variable. It does the same if I put the literal username, obviously.
> File modes are 0600

Ah, hm.

I seem to vaguely remember running into this before, where su calls part
of the PAM stack as root and other parts as the target user, which causes
issues like incorrect file ownership. I don't recall when I saw this,
though, or what the solution was.

That doesn't explain the segfault, although I suspect the LDAP NSS module
for that given the log messages that you're seeing and given how sensitive
it is to shared library conflicts and similar issues.

Hm. If the NSS lookup of the target user fails, then pam_setcred will
fail to chown the ticket cache to the target user, and you'll get that
incorrect ownership error. But I actually don't recall seeing a setcred
call in your trace. I wonder if su is auth'ing as root, and then changing
users to the target user and calling the account hook. But if so, I'm not
entirely sure how that could ever work, since the account hook assumes the
ticket cache credentials are already correct, and that doesn't match the
behavior I'm seeing elsewhere.

For whatever it's worth, this appears to be either specific to the LDAP
NSS module or to Ubuntu; su - $USER works fine with pam-krb5 in Debian on
a system that doesn't use any special NSS modules.

--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
--
segfault
https://bugs.launchpad.net/bugs/476069
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
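
A diagnostic for the failure chain discussed in the message above (the NSS lookup of the target user, then the ownership and 0600 mode of the ticket cache), added here as an example; it is not code from the thread or from pam-krb5. The function name `check_ticket_cache`, its `lookup` parameter and the finding strings are hypothetical, and the cache path is assumed to be supplied by the caller.

```python
import os
import pwd
import stat
import tempfile
from types import SimpleNamespace


def check_ticket_cache(cache_path, username, lookup=pwd.getpwnam):
    """Return a list of findings; an empty list means nothing looks wrong.

    Assumption: the caller knows which cache file the failing session used
    (for example from KRB5CCNAME) and passes it in as cache_path.
    """
    try:
        # pwd.getpwnam goes through the NSS stack configured in nsswitch.conf.
        entry = lookup(username)
    except KeyError:
        # No passwd entry means there is no uid to chown the cache to.
        return ["nss-lookup-failed"]
    try:
        st = os.lstat(cache_path)  # lstat: report a symlink, do not follow it
    except FileNotFoundError:
        return ["cache-missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if st.st_uid != entry.pw_uid:
        findings.append("wrong-owner")
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append("bad-mode")
    return findings


def demo():
    """Run the check on a constructed temp file standing in for a ticket cache."""
    def missing(name):  # simulates an NSS lookup that cannot resolve the user
        raise KeyError(name)
    fd, path = tempfile.mkstemp(prefix="krb5cc_demo_")
    os.close(fd)
    me = SimpleNamespace(pw_uid=os.getuid())         # cache owner
    other = SimpleNamespace(pw_uid=os.getuid() + 1)  # some other uid
    try:
        os.chmod(path, 0o600)
        out = {"ok": check_ticket_cache(path, "u", lambda n: me),
               "owner": check_ticket_cache(path, "u", lambda n: other),
               "nss": check_ticket_cache(path, "u", missing)}
        os.chmod(path, 0o644)
        out["mode"] = check_ticket_cache(path, "u", lambda n: me)
    finally:
        os.unlink(path)
    return out
```
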