Bug 11462 - pam_winbind segfaults when incorrectly configured
Summary: pam_winbind segfaults when incorrectly configured
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.1.17
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-08-24 01:54 UTC by geoffc
Modified: 2016-12-14 00:16 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description geoffc 2015-08-24 01:54:54 UTC
If you mistakenly configure your pam stack to have 'minimum_uid=1000' (in my case, as a cut and paste error) as an option to the pam_winbind.so module, some things segfault instead of giving you an error message or log:

geoffc@test-files02: ~/debs/samba-4.1.17+dfsg/nsswitch  2015-08-24 11:35:33
$ sudo ls
Segmentation fault

I think this is because on line 2905 of nsswitch/pam_winbind.c the call to _PAM_LOG_FUNCTION_LEAVE passes in an un-initialised ctx variable. It looks like _pam_winbind_init_context is returning PAM_SYSTEM_ERR correctly, but pam_sm_open_session() doesn't check for that return code.

I found this in the Debian Wheezy backport of 4.1.17, but looking at git.samba.org suggests this is still the case in more recent versions of samba.

I'm not much of a C coder, but I imagine adding a comparison of ret to PAM_SYSTEM_ERR in pam_sm_open_session() just after the 'out' label would probably fix this.
Comment 1 Volker Lendecke 2015-08-24 08:58:38 UTC
This really looks like to be fixed with 6f4ec0c041677204, dated 2013. I don't really get why 4.1.17 does not have it.

Is there a way that you can test the mentioned patch from master?
Comment 2 geoffc 2015-08-25 02:21:05 UTC
(In reply to Volker Lendecke from comment #1)

I've got the source code of 4.1.17 from the debian source package, and I've refreshed the 6f4ec0c041677204 diff against it. I've built it, and installed it.

I can confirm this patch does remove the segfault with 4.1.17. It looks like this fix is not present in the v4-1-stable head.
Comment 3 Björn Jacke 2016-12-14 00:16:01 UTC
true unfortunately, but 6f4ec0c041677204 is in later versions of Samba. For 4.1 this will not be fixed anymore.