1

I want to be able to execute a custom script when pam does the authentication but I get an error out that I can't seem to pass:

```
Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): send password to child
Feb 20 17:39:47 DC03R07DS25-08 sockd[2893]: pam_exec(sockd:auth): Calling /tmp/test.sh ...
Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): waitpid returns with -1: No child processes
```

That's a very basic script that just prints out a 0 to allow everything.

```bash
#!/bin/bash
# Read the user's password from stdin (pam_exec.so provides the password
# when invoked with expose_authtok).

read -r password
# Debug only: this writes the cleartext password to a file under /tmp.
printf '%s\n' "$password" > /tmp/a.txt

exit 0
```

And here's my pam.d config:

```
auth required pam_exec.so debug expose_authtok /tmp/test.sh
account required    pam_permit.so
```

I really need expose_authtok so I can have access to the password in that script.

I am using Ubuntu 14.04.

Flimzy
Romeo Mihalcea

1 Answer

1

It seems to be a reaping race. The calling process (sockd?) sets a SIGCHLD handler, which reaps test.sh instead of pam_exec. See https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2009-January/001627.html

Edit: sorry, let me explain what you can find on the link above: when I came across this bug, I had to recompile pam_exec.so with some modification in pam_exec.c. Set SIGCHLD handler to default before fork(), and reset it after waitpid() and after fork failed (pid==-1 branch). Something like:

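set:

```c
/* Before fork(): restore the default SIGCHLD disposition and save the
 * caller's handler (needs <signal.h>). */
struct sigaction newact, oldact;
newact.sa_handler = SIG_DFL;
newact.sa_flags = 0;
sigfillset(&newact.sa_mask);
sigaction (SIGCHLD, &newact, &oldact);
```

reset:

```c
/* After waitpid(), and in the pid == -1 branch: put the caller's handler back. */
sigaction (SIGCHLD, &oldact, NULL);
```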
bandie
  • Hi there! Welcome to Server Fault. It's considered polite here to include the contents of a link (or a rewording thereof if you can) instead of just linking. That way if the link target goes away your answer stays relevant! In this case, a little more information about how you would go about "disabling automatic process reaping" (from the link) would be super helpful. – Bill Weiss Feb 21 '16 at 22:15
  • Any solutions to this? Not very good at sys-admin stuff tbh. – Romeo Mihalcea Feb 22 '16 at 23:25
  • I see a lot of examples on the internet using similar to what I use. I don't think everyone is facing the same situation. Monkeypatching `pam_exec` is probably a solution but I doubt this is the real issue. Could it be the order of directives in `/etc/pam.d/` file that I added (I only added one `auth` line)? Maybe another directive is needed in front? – Romeo Mihalcea Feb 24 '16 at 20:03
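
The race the answer describes, and the effect of its set/reset steps, reduced to a stand-alone C program. This is an added example, not code from pam_exec.c or from the answer: `host_reaper` and `run_helper` are hypothetical stand-ins for the calling daemon's SIGCHLD handler and for pam_exec's fork()/waitpid(), and the 200 ms pause exists only so the child has exited before the wait, which makes the race deterministic.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for the host daemon's SIGCHLD handler: reaps any exited child. */
static void host_reaper(int sig) {
    int saved = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0) { }
    errno = saved;
}

/* Stand-in for pam_exec's fork()/waitpid(). Returns 0 when this code
 * collects its own child, otherwise the errno reported by waitpid(). */
static int run_helper(int protect) {
    struct sigaction host = {0}, dfl = {0}, old = {0};
    struct timespec delay = { 0, 200 * 1000 * 1000 };
    int err = 0;
    pid_t pid;

    host.sa_handler = host_reaper;      /* what the daemon did at startup */
    sigemptyset(&host.sa_mask);
    sigaction(SIGCHLD, &host, NULL);
    dfl.sa_handler = SIG_DFL;           /* the answer's "set" step */
    sigfillset(&dfl.sa_mask);
    if (protect) sigaction(SIGCHLD, &dfl, &old);

    pid = fork();
    if (pid == 0) _exit(0);             /* child: plays the role of test.sh */
    if (pid == -1) {
        err = errno;
    } else {
        nanosleep(&delay, NULL);        /* let the child exit before we wait */
        while (waitpid(pid, NULL, 0) == -1) {
            if (errno != EINTR) { err = errno; break; }
        }
    }
    if (protect) sigaction(SIGCHLD, &old, NULL);   /* the "reset" step */
    return err;
}

int main(void) {
    int raced = run_helper(0), fixed = run_helper(1);
    printf("host handler active: errno %d (ECHILD is %d); with fix: errno %d\n", raced, ECHILD, fixed);
    return 0;
}
```

With the host handler left active, `waitpid()` fails with `ECHILD`, whose message text is the "No child processes" seen in the log above.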