Linux-PAM and saslauthd process reaping conflict

Jov jov at able.be
Tue Jan 6 08:35:09 EST 2009


Hello,

my apologies for crossposting. I am unsure which project this should be
fixed in, if not both.

When you use saslauthd with pam_exec.so, a process reaping race is
created. pam_exec.c uses a fork/waitpid combination to run it's child
process and saslauthd has a signal handler for SIGCHLD. If the process
terminates before the waitpid is entered, the SIGCHLD is handled by
saslauthd and pam_exec returns with an error to the pam stack.

I tried fixing it in PAM by restoring the default sighandler but this
did not seem to work (see patch). Perhaps I made a silly mistake or it
has something to do with MT signal handling, I do not know. In any case,
it seems a bad idea for PAM to assume there is no SIGCHLD handler
installed in the parent process.

Eventually, I fixed it by disabling automatic process reaping in
saslautd with the pam authentication mechanism. Afaict, this handler is
not used anyway.

Regards,

Johan Verrept


--
NEW on aXs GUARD: SSL VPN !! (contact your reseller for more info)

---------------------------------------------------
aXs GUARD has completed security and anti-virus checks on this e-mail (http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam-sigact.patch
Type: text/x-patch
Size: 1084 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20090106/f66bfa65/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: saslauthd-nopamreap.patch
Type: text/x-patch
Size: 1208 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20090106/f66bfa65/attachment-0001.bin 


More information about the Cyrus-sasl mailing list