Bug 1186602

Summary: latest pam_mount affects zypper and sudo su
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Martin Jedamzik <martin.jedamzik>
Component: libzypp
Assignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: ma, martin.jedamzik
Version: Current
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Tumbleweed
Whiteboard:
Found By: Field Engineer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: supportconfig; Patch in case a PTF is needed

Description Martin Jedamzik 2021-05-28 13:01:01 UTC
I have noticed a strange behavior with the latest version of pam_mount.
On my system I do have this entry in /etc/sudoers:

testuser ALL=(root) NOPASSWD:/usr/bin/su

This way I can become root user without entering the password.
However, a few weeks ago zypper stopped working after issuing "sudo su":

testuser@tumble:~> sudo su
tumble:/home/testuser # zypper lr
^C ( hanging, as you can see with strace )
tumble:/home/testuser # rpm -e pam_mount
tumble:/home/testuser # zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias               | Name                        | Enabled | GPG Check | Refresh
--+---------------------+-----------------------------+---------+-----------+--------
1 | openSUSE-20200805-0 | openSUSE-20200805-0         | Yes     | (r ) Yes  | No
2 | repo-debug          | openSUSE-Tumbleweed-Debug   | No      | ----      | ----
3 | repo-non-oss        | openSUSE-Tumbleweed-Non-Oss | Yes     | (r ) Yes  | Yes
4 | repo-oss            | openSUSE-Tumbleweed-Oss     | Yes     | (r ) Yes  | Yes
5 | repo-source         | openSUSE-Tumbleweed-Source  | No      | ----      | ----
6 | repo-update         | openSUSE-Tumbleweed-Update  | Yes     | (r ) Yes  | Yes

Anything I am missing?
Comment 1 Martin Jedamzik 2021-05-28 13:09:08 UTC
Some more information:

tumble:/home/testuser # pam-config --service su-l -a --mount
tumble:/home/testuser # zypper lr
^C
( hangs )
tumble:/home/testuser # pam-config --service su-l -d --mount
tumble:/home/testuser # zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias               | Name                        | Enabled | GPG Check | Refresh
--+---------------------+-----------------------------+---------+-----------+--------
1 | openSUSE-20200805-0 | openSUSE-20200805-0         | Yes     | (r ) Yes  | No
2 | repo-debug          | openSUSE-Tumbleweed-Debug   | No      | ----      | ----
3 | repo-non-oss        | openSUSE-Tumbleweed-Non-Oss | Yes     | (r ) Yes  | Yes
4 | repo-oss            | openSUSE-Tumbleweed-Oss     | Yes     | (r ) Yes  | Yes
5 | repo-source         | openSUSE-Tumbleweed-Source  | No      | ----      | ----
6 | repo-update         | openSUSE-Tumbleweed-Update  | Yes     | (r ) Yes  | Yes
Comment 2 Martin Jedamzik 2021-05-28 13:34:36 UTC
Installing pam_mount-2.16-7.22.x86_64 from SLES15 SP2 makes it work again.
Comment 3 Josef Möllers 2021-06-07 13:34:07 UTC
Hm, I just tried this on a TW VM and could not reproduce! I did a "zypper dup" this morning, so it should be quite up-to-date.

Can you please attach the supportconfig file here?
Also, please list the names of files in "/etc/pam.d" and in "/usr/etc/pam.d" here.

I'm also wondering whether pam-config gave any error messages, as "su-l" (from util-linux-2.36.2-1.18.x86_64) is now in "/usr/etc/pam.d" rather than "/etc/pam.d", and "pam-config" still has some issues with that.
Comment 4 Martin Jedamzik 2021-06-07 15:21:02 UTC
@Josef: No problem, I was able to narrow down the problem even further:
Fresh Tumbleweed, minimal server installation:

zypper in pam_mount supportutils
echo 'testuser  ALL=(ALL) NOPASSWD: /usr/bin/su' >> /etc/sudoers
cp /usr/etc/pam.d/su-l /etc/pam.d/
https://en.opensuse.org/openSUSE:Packaging_UsrEtc
pam-config --service su-l -a --mount

As testuser: 

sudo su
zypper lr ( fails )
pam-config --service su-l -d --mount
zypper lr ( works )
 

Trying the same on SLES15 SP2 works. 
Supportconfig will follow.
Comment 5 Martin Jedamzik 2021-06-07 15:23:04 UTC
Created attachment 849981 [details]
supportconfig
Comment 6 Josef Möllers 2021-06-08 06:45:00 UTC
Thanks, Martin.

I'm wondering why this works:
    pam-config --service su-l -a --mount

The problem is that pam-config has a bug:
Initially, the PAM config file for "su -l" is "/usr/etc/pam.d/su-l" and "/etc/pam.d/su-l" does not exist. This is on purpose and "/usr/etc" is read-only on MicroOS and Transactional Server.
When you call "pam-config", it will read the config file from "/usr/etc/pam.d/su-l" but tries to write the modified file to "/etc/pam.d/su-l".
However, just before writing, it checks the readability of "/etc/pam.d/su-l", fails and exits. Thorsten Kukuk cannot remember why this check was ever there and who put it there, but we both agree it's definitely wrong.

Anyways ... I'll try this on a fresh TW and see what I can see ;-)
Comment 7 Josef Möllers 2021-06-08 09:59:28 UTC
(In reply to Josef Möllers from comment #6)
> Thanks, Martin.
> 
> I'm wondering why this works:
>     pam-config --service su-l -a --mount


Ah, sorry, I didn't see the "cp /usr/etc/pam.d/su-l /etc/pam.d/" :-(
Comment 8 Josef Möllers 2021-06-08 10:35:25 UTC
Hello Michael,

Can you please look into this?

What I have found out so far is:
"zypper lr" invokes "/usr/bin/su -c umask -l root" which invokes PAM.
The "su"-process eventually hangs within pam_mount.so which tries to obtain the "pam_mount password:" from stdin.
Fd 0, however, is one side of a pipe, the other side is owned by zypper.
As zypper is apparently unaware of "su" wanting anything, the "su" hangs there forever.

Feel free to re-assign back to me if you think that PAM can do anything about this.
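
The hang analysed in comment 8, reproduced as an added example that is not part of the bug report and is not zypper or pam_mount code: a hypothetical child stands in for a PAM module that prompts on fd 0, and is run once with an open pipe the parent never writes to and once with /dev/null. The names `CHILD` and `run_helper` are assumptions; the page does not say how zypper 1.14.49 changed this, and /dev/null is shown only as one way a parent can make an unexpected prompt fail fast.

```python
import subprocess
import sys

# Hypothetical stand-in for a module that prompts on stdin (not pam_mount itself).
# It reports what fd 0 is, then blocks in readline() until data or EOF arrives.
CHILD = r"""
import os, stat, sys
mode = os.fstat(0).st_mode
kind = "pipe" if stat.S_ISFIFO(mode) else "tty" if os.isatty(0) else "other"
sys.stdout.write(kind + "\n"); sys.stdout.flush()
line = sys.stdin.readline()
sys.stdout.write("got-eof\n" if line == "" else "got-data\n")
"""


def run_helper(stdin_mode, timeout=3.0):
    """Spawn the child with the given stdin; return (stdin kind, outcome)."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD],
                            stdin=stdin_mode, stdout=subprocess.PIPE, text=True)
    try:
        # Like the parent in the report: never write to or close the child's stdin.
        proc.wait(timeout=timeout)
        hung = False
    except subprocess.TimeoutExpired:
        proc.kill()          # the child would otherwise wait forever
        proc.wait()
        hung = True
    lines = proc.stdout.read().split()
    proc.stdout.close()
    if proc.stdin:
        proc.stdin.close()
    kind = lines[0] if lines else "unknown"
    outcome = "hung" if hung else (lines[1] if len(lines) > 1 else "no-output")
    return kind, outcome


if __name__ == "__main__":
    # Parent holds the write end of the pipe open: the prompt never gets an answer.
    print("stdin=PIPE    ->", run_helper(subprocess.PIPE))
    # fd 0 is /dev/null: the read returns EOF at once and the child exits.
    print("stdin=DEVNULL ->", run_helper(subprocess.DEVNULL))
```

On a live system the same condition shows up as fd 0 of the stuck "su" process pointing at a pipe in /proc/<pid>/fd.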
Comment 10 Martin Jedamzik 2021-08-31 08:05:26 UTC
SLES15 SP3 now shows the same behavior.
Comment 11 Michael Andres 2021-08-31 08:44:02 UTC
I will check it.
Comment 12 Michael Andres 2021-08-31 12:31:47 UTC
Created attachment 852183 [details]
Patch in case a PTF is needed

Will be fixed in zypper 1.14.49
Comment 14 Michael Andres 2021-08-31 13:23:18 UTC
.
Comment 17 Swamp Workflow Management 2021-10-22 13:18:24 UTC
openSUSE-RU-2021:3501-1: An update that has 15 recommended fixes and contains two features can now be installed.

Category: recommended (moderate)
Bug References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
CVE References: 
JIRA References: ECO-2911,SLE-16862
Sources used:
openSUSE Leap 15.3 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
Comment 18 Swamp Workflow Management 2021-10-22 13:23:16 UTC
SUSE-RU-2021:3501-1: An update that has 15 recommended fixes and contains two features can now be installed.

Category: recommended (moderate)
Bug References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
CVE References: 
JIRA References: ECO-2911,SLE-16862
Sources used:
SUSE MicroOS 5.1 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE MicroOS 5.0 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    libsolv-0.7.20-9.2, protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    libsolv-0.7.20-9.2, protobuf-3.9.2-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1, zypper-1.14.49-16.1
SUSE Linux Enterprise Installer 15-SP2 (src):    libsolv-0.7.20-9.2, libzypp-17.28.5-15.2, protobuf-3.9.2-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-11-24 02:22:02 UTC
SUSE-RU-2021:3780-1: An update that has 31 recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
CVE References: 
JIRA References: SLE-18858
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise Installer 15 (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsolv-0.7.20-3.48.1, libzypp-17.28.8-3.78.1, zypper-1.14.50-3.60.1

Comment 22 Swamp Workflow Management 2021-11-24 02:31:29 UTC
SUSE-RU-2021:3781-1: An update that has 31 recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
CVE References: 
JIRA References: SLE-18858
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise Installer 15-SP1 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE Enterprise Storage 6 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
SUSE CaaS Platform 4.0 (src):    libsolv-0.7.20-4.3.1, libzypp-17.28.8-3.61.1, zypper-1.14.50-3.46.1
