Forum Topic - PAM Issues: (7 Items)
   
PAM Issues  
I'm trying to get a QNX 7 system up and running and I'm having problems that I can only assume are PAM related (my last O/S build was 6.3 before PAM existed).

I've got everything installed and booting just fine but all the commands now controlled by PAM (login, passwd, su) don't work (everything else does).

If for example I type 'passwd root' I get 'passwd: system error' (I get similar messages with su/login).

I've checked *everything* here (past 2 days on just this issue) in the troubleshooting section and it's all set accordingly.
http://www.qnx.com/developers/docs/7.0.0/index.html#com.qnx.doc.security.dev_guide/topic/authctrl.html

Yet I am unable to get those commands to work. Which makes me think it's something else not right (a library). 

Can anyone tell me what I might be doing wrong or can someone peek in the code and see when those errors are generated? QNX could really use a 'checkPam' utility that validates PAM and prints out anything that's not correct.

TIA,

Tim
Re: PAM Issues  
The steps under troubleshooting on that page should show the issues that cause that warning. The framework will ensure that the files and containing directories will have acceptable ownership and permissions all the way up to the root. Most often when people have issues internally it's due to one of the lower level directories such as /usr or /etc having write permission.
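
The ownership-and-permission walk described in the reply above, as an added example that is not part of the thread and not QNX's implementation. It assumes "acceptable" means owned by root (uid 0) and not writable by group or other; `check_chain` and its arguments are names chosen for this example.

```shell
#!/bin/sh
# Added example: walk from a file up to a top directory and report every
# component with the wrong owner or with group/other write permission.
# Assumption: acceptable = owned by uid 0, no group/other write bit.
#
# check_chain PATH [WANT_UID] [TOP]   (defaults: uid 0, walk up to /)
# Returns 0 if the whole chain is clean, 1 if anything was reported.
check_chain() {
    p=$1; want=${2:-0}; top=${3:-/}; bad=0
    while :; do
        line=$(ls -ldn "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 2; }
        # ls -ldn fields: mode, link count, numeric uid, ...
        read -r mode _ uid _ <<EOF
$line
EOF
        [ "$uid" = "$want" ] || { echo "$p: owner uid $uid, expected $want"; bad=1; }
        case $mode in
            l*) ;;  # a symlink always shows rwxrwxrwx; check its target separately
            ?????w*|????????w*) echo "$p: group/other writable ($mode)"; bad=1 ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $bad
}

# Usage on a target: check_chain /etc/pam.d/login
```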
Re: PAM Issues  
Here's the file perms 

/etc
-rw-rw-rw-   1 root      root           4125 Oct 04 20:47 services
-rw-rw-rw-   1 root      root             98 Oct 04 20:47 hosts
drwxrwxrwx   3 root      root           4096 Oct 04 20:48 system
-rw-rw-rw-   1 root      root            401 Oct 04 20:48 ftpusers
-rw-rw-rw-   1 root      root            477 Oct 04 20:49 dhclient.conf
-rw-------   1 root      root            339 Jan 08 19:18 shadow
-rw-r--r--   1 root      root            131 Jan 08 19:18 passwd
-rw-rw-rw-   1 root      root            142 Jan 08 19:18 inetd.conf
-rw-r--r--   1 root      root             42 Jan 08 19:18 group
-rw-rw-rw-   1 root      root             49 Jan 08 19:18 ftpd.conf
drwxrwxrwx   2 root      root           4096 Jan 08 21:18 config
drwxr-xr-x   2 root      root           4096 Jan 08 21:30 pam.d
drwxrwxrwx   2 root      root           4096 Jan 08 21:39 samba
drwxrwxrwx   2 root      root           4096 Jan 08 21:40 rc.d
drwxrwxrwx   2 root      root           4096 Jan 08 21:44 ssh
-rw-rw-rw-   1 root      root            212 Jan 08 21:51 ntp.conf
-rw-rw-rw-   1 root      root             37 Jan 08 21:52 networks
-rw-rw-rw-   1 root      root              5 Jan 08 21:53 qversion
-rw-rw-rw-   1 root      root             14 Jan 12 11:31 syslog.conf

/etc/pam.d
-rw-r--r--   1 root      root            278 Oct 04 20:50 su
-rw-r--r--   1 root      root            173 Oct 04 20:50 passwd
-rw-r--r--   1 root      root            171 Oct 04 20:50 on
-rw-r--r--   1 root      root            171 Oct 04 20:50 login
-rw-r--r--   1 root      root            170 Oct 04 20:50 ftpd

/
drwxrwxrwx   2 root      root             10 Oct 04 20:48 lib
drwxrwxrwx   2 root      root           4096 Jan 08 18:51 home
drwxrwxrwx   6 root      root           4096 Jan 12 10:44 x86
drwxr-xr-x   9 root      root           4096 Jan 12 12:51 etc
-rw-rw-rw-   1 root      root            702 Jan 12 12:51 tim2
dr-xr-xr-x   2 root      root      2168971264 Jan 12 12:52 proc
dr-xr-xr-x   2 root      root              0 Jan 12 12:52 dev
drwxr-xr-x   2 root      root             10 Jan 12 15:42 usr
drwxr-xr-x   2 root      root             10 Jan 12 15:42 bin
drwxrwxrwx   2 root      root           4096 Oct 10  2018 root
drwxrwxrwx   3 root      root           4096 Oct 10  2018 boot

Utilities
-rwsr-xr-x  1 root      root         71240 Jan 08 19:16 /x86/usr/bin/passwd
-rwsr-xr-x  1 root      root         61440 Jan 08 19:04 /x86/bin/login
-rwsr-xr-x  1 root      root         56276 Jan 08 19:04 /x86/bin/su
-rwxr-xr-x  1 root      root       1024168 Jan 08 20:09 /x86/usr/sbin/sshd

Everything here is exactly according to the troubleshooting section. Yet I am unable to get those commands to work.

The contents of the files in pam.d (in fact the whole /etc directory) were copied verbatim from the bootable USB image I used to install the files that has working users (root/qnxuser) and working passwd/login/su utilities. Something went wrong when I brought all the libraries and commands from my Windows host (target/qnx7/x86) to my hard drive.

Dare I ask if there is a .noPam option similar to the .noPhoton option under 6.3 to turn off PAM? We don't need it and honestly at this moment I'd be happy to have the source code to the 6.3 versions of login, passwd, su that don't use PAM because our system doesn't need it. My boss is getting impatient with the time being spent on what looks like a black hole with no end in sight and no logical way to proceed because there is no error message saying what's wrong.

Tim
Re: PAM Issues  
For completeness, can you also confirm the ownership and permissions of /usr/lib itself and /usr/lib/pam_*?
Re: PAM Issues  
Usr directory
drwxr-xr-x  2 root      root         71240 Jan 12 16:12 lib

My PAM libraries are actually in /x86/usr/lib (that's where I got them from on my Windows Host) and that directory is in the path for libraries because I copied everything from there for the other commands.
-rwxr-xr-x   root      root         pam_*  (all PAM files)

What's interesting to me is that technically none of these are needed because if I do a 'ldd /bin/login' it says it only depends on libc.so.4. Other commands like ssh properly show all dependencies. So if the pam_ libraries are required ldd doesn't know about it.

Tim
Re: PAM Issues  
PAM will not look in /x86 on the target.  Try putting them in /usr/lib and see if that makes a difference.
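
PAM modules are loaded at run time from the names in the service files, so `ldd` on `login` does not list them. The added example below (not from the thread, not QNX code) reports every module named under a pam.d directory that is missing from the module directory; it assumes each entry has the layout `facility control module [options]` and names the module by file name, and `missing_modules` is a name chosen for this example.

```shell
#!/bin/sh
# Added example: list PAM modules referenced by service files but absent
# from the directory PAM loads them from (/usr/lib in this thread).
# Assumption: entries look like "facility control module [options]".
#
# missing_modules PAMD_DIR MODULE_DIR
# Returns 0 if every referenced module exists, 1 otherwise.
missing_modules() {
    pamd=$1; libdir=$2; rc=0
    for f in "$pamd"/*; do
        [ -f "$f" ] || continue
        # The "|| [ -n ... ]" keeps a final line that lacks a newline.
        while read -r facility control module _ || [ -n "$facility" ]; do
            case $facility in ''|'#'*) continue ;; esac    # blank or comment
            if [ "$control" = include ]; then continue; fi  # names a service, not a module
            case $module in
                /*) path=$module ;;            # absolute module path
                *)  path=$libdir/$module ;;    # bare name: resolve in MODULE_DIR
            esac
            [ -e "$path" ] || { echo "${f##*/}: $module not found at $path"; rc=1; }
        done < "$f"
    done
    return $rc
}

# Usage on a target: missing_modules /etc/pam.d /usr/lib
```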
Re: PAM Issues  
I created softlinks in /usr/lib to the x86 files and it works!

VERY bad code to look in fixed locations (this can be spoofed by mounting something over top of /usr/lib). Even worse is that ldd doesn't even know about those library dependencies so there isn't any reason to even check them.

At least I'm finally able to log in!

Thanks for your help,

Tim