334559 – sshd audit_log_acct_message() failed

Bug 334559 - sshd audit_log_acct_message() failed

Summary: sshd audit_log_acct_message() failed

Status:	VERIFIED FIXED

Alias:	None

Product:	openSUSE 10.3
Classification:	openSUSE
Component:	Basesystem (show other bugs)
Version:	Final
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Anna Maresova
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2007-10-17 13:43 UTC by Forgotten User WWATXcldtK
Modified:	2009-04-28 11:25 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
starce pid 25659 (4.57 KB, text/plain) 2007-10-18 18:49 UTC, Forgotten User WWATXcldtK	Details
starce pid 25662 (8.60 KB, text/plain) 2007-10-18 18:50 UTC, Forgotten User WWATXcldtK	Details
pam-0.99.8.1-audit-no-log.patch (894 bytes, patch) 2007-12-14 11:25 UTC, Michael Calmer	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Forgotten User WWATXcldtK 2007-10-17 13:43:16 UTC

Have some such entries in /var/log/messages:
Oct 17 16:37:24 yuro sshd[5303]: PAM audit_log_acct_message() failed: Operation not permitted

Comment 1 Anna Maresova 2007-10-18 15:52:21 UTC

Could you please add strace of sshd running into this problem?

Comment 2 Forgotten User WWATXcldtK 2007-10-18 17:26:13 UTC

(In reply to comment #1 from Anna Bernathova)
> Could you please add strace of sshd running into this problem?
> 
Can't reproduse it now, but can see this message not only on one host + it is repeated.

Comment 3 Anna Maresova 2007-10-18 17:43:18 UTC

I am sorry but I also cannot reproduce it. If you show me strace, I might be at least able to determine what is wrong. I probably cannot fix it without your input, at least not without a great chance to encounter this bug too.

If you can, just wait for the bug to start appearing and strace sshd then, please.

Comment 4 Forgotten User WWATXcldtK 2007-10-18 18:49:11 UTC

(In reply to comment #3 from Anna Bernathova)
> I am sorry but I also cannot reproduce it. If you show me strace, I might be at
> least able to determine what is wrong. I probably cannot fix it without your
> input, at least not without a great chance to encounter this bug too.
> 
> If you can, just wait for the bug to start appearing and strace sshd then,
> please.
> 
Got such situation:
root     25659  3540  0 21:41 ?        00:00:00 sshd: moovieu [priv]
moovieu  25662 25659  0 21:41 ?        00:00:00 sshd: moovieu@pts/11
moovieu  25663 25662  2 21:41 pts/11   00:00:00 -bash

strace'd both 25659 and 25662

syslog entries:
Oct 18 21:41:57 moovid sshd[25659]: Accepted keyboard-interactive/pam for moovieu from AAA.BBB.CCC.DDD port 55806 ssh2
Oct 18 21:43:03 moovid sshd[25662]: PAM audit_log_acct_message() failed: Operation not permitted

strace outputs in attached files.

Comment 5 Forgotten User WWATXcldtK 2007-10-18 18:49:59 UTC

Created attachment 179299 [details]
starce pid 25659

Comment 6 Forgotten User WWATXcldtK 2007-10-18 18:50:45 UTC

Created attachment 179300 [details]
starce pid 25662

Comment 7 Anna Maresova 2007-10-19 09:29:12 UTC

I have managed to reproduce the bug, going to take a look at it. Thanks.

Comment 8 Anna Maresova 2007-10-19 11:41:04 UTC

Actually the bug seems to appear on most of 10.3 installations, so reproducing it is no big issue.

Anyway, audit_log_acct_message() is coming from audit package. Although it is called from pam and pam does also logging, pam relies only on its return code. Reassigning to audit maintainer, adding pam maintainer and myself to CC.

Comment 9 Michael Calmer 2007-10-19 14:20:35 UTC

JFYI: It happens if you logout from a ssh session.

Comment 13 Michael Calmer 2007-12-14 11:24:36 UTC

Found the Fedora patch for this problem and a short test shows, that the message does not appear anymore.

Thorsten: This patch is not upstream. Please take care.

(I will attach the patch)

Comment 14 Michael Calmer 2007-12-14 11:25:36 UTC

Created attachment 187621 [details]
pam-0.99.8.1-audit-no-log.patch

Comment 17 Thorsten Kukuk 2007-12-14 11:57:41 UTC

(In reply to comment #13 from Michael Calmer)
> Found the Fedora patch for this problem and a short test shows, that the
> message does not appear anymore.
> 
> Thorsten: This patch is not upstream. Please take care.

The patch is not upstream because it is wrong. And I think Fedora had good reasons why they did not submit it with their latest audit fixes.

The problem is, that Fedora uses a special configuration, where this will work. But this is not the upstream default and will break audit logging on other distributions (like openSUSE).

The problem is: Why does ssh call PAM with wrong permissions?

I don't get this message on my openSUSE installations.

So to fix the problem correct, we need to find out why ssh closes the session with user rights, not root. And fix that problem. Because if ssh does not close the session with correct user privilegs, not only auditing, but also some other PAM modules will fail.

Comment 18 Michael Calmer 2007-12-14 12:17:06 UTC

I set "UsePrivilegeSeparation no" in sshd_config and the messages was gone.
I aggree with Thorsten that PrivilegeSeparation in sshd is broken and should be fixed.

Assigning back to ssh maintainer.

Comment 19 Jon Schewe 2007-12-14 12:42:38 UTC

(In reply to comment #17 from Thorsten Kukuk)
> The problem is: Why does ssh call PAM with wrong permissions?
> 
I see the same problem with imapd.  Being a software engineer I find it hard to believe that two separate projects would end up causing the same error at the same time on the same library without it having something to do with a change in the library.  Did the audit library change around this call, perhaps get more strict about how it's to be called since 10.2?  Neither sshd nor imapd logged this message in 10.2, but they both log it in 10.3.

Comment 20 Thorsten Kukuk 2007-12-14 12:47:02 UTC

(In reply to comment #19 from Jon Schewe)
> (In reply to comment #17 from Thorsten Kukuk)
> > The problem is: Why does ssh call PAM with wrong permissions?
> > 
> I see the same problem with imapd.  Being a software engineer I find it hard to
> believe that two separate projects would end up causing the same error at the
> same time on the same library without it having something to do with a change
> in the library. 

I don't find it hard to belive. ssh is well known to introduce this bug again and again with a new release, they do this since several years. And to call PAM functions with wrong privilegs is a common mistake in a lot of projects. I wonder that it are this time only two projects which did it wrong.

Comment 21 Anna Maresova 2007-12-14 23:20:08 UTC

At the end, this is quite funny bug. Not only closing the session, but also opening is done in the wrong process. Opening works just because it is done immediately after the fork and before dropping the privileges. Ooops :-)

Fortunately, upstream is already aware about this issue. Although they have not released their fix yet, their bugzilla contains the patch that looks to fix the bug properly. (I got it here: https://bugzilla.mindrot.org/attachment.cgi?id=1216.)
I have ported it for our openssh in stable and tested. 

Submitted for stable.

Comment 22 Wilfred van Velzen 2009-04-27 14:52:47 UTC

Hasn't this fix been integrated into the stable rpm's yet?
I just installed the latest openssh for 10.3 (openssh-4.6p1-58.6)
But still see the "PAM audit_log_acct_message() failed:" messages in the logs...

Comment 23 Anna Maresova 2009-04-28 11:25:24 UTC

It was fixed just for the factory distribution, we have not done a maintenance update for 10.3 that was already released at the time of fix.

But it looks that there is even package with openssh 5.1 for 10.3 available in openSUSE buildservice, you might find a help there.