Deadlock when PAM_TEXT_INFO is used

Binary package hint: policykit

Hi all,
I've configured my system with kerberos password authentication (since my machine is inside an AD domain).

With sudo/gksudo no problems at all, but when using a policykit unlock dialog (like in user-admin), typing my kerberos password results in a freezed window.

Hi,

Could you please attach strace to the /usr/bin/polkit-gnome-authorization
process before you enter your password so that we can have some
idea of what it is doing when it freezes?

  https://wiki.ubuntu.com/Strace (Section 2)

Also, does it freeze permanently, or just for a few seconds?

Thanks,

James

Hi James,
attached there is an strace of polkit-gnome-manager (hope this is the correct process to monitor).
In line '13:01:23.119686' I masked my password.

On Fri, 2009-04-03 at 11:09 +0000, Gianfranco Liporace wrote:
> Hi James,
> attached there is an strace of polkit-gnome-manager (hope this is the correct process to monitor).
> In line '13:01:23.119686' I masked my password.

Thanks, that's a good start.

[pid 9032] 13:01:23.119736 read(25, "PAM_TEXT_INFO Warning: Your
passw"..., 4096) = 60
[pid 9032] 13:01:23.143472 write(1, "(polkit-gnome-manager:9032): Poli"..., 109) = 109
[pid 9032] 13:01:23.143531 read(25, <unfinished ...>

so pam gives a warning about your password. I wonder what that is, have you seen it
elsewhere?

The next thing is polkit-gnome-manager writing out a warning. Could you look
in ~/.xsession-errors to see if the warning is in there. This file is not
appended to after a while, so logging out and back in again, then reproducing
may help you find it there.

The last bit is it hanging on a read from an fd, the same fd that the pam
warning came from.

My guess is that the message is that your password will expire soon, but I'm not
sure why that would cause it to hang.

If we know what is going on in the PAM process then we can have some idea of what
it may be waiting for.

Easier than searching for the messages may be to strace again, but with
"strace -f -s 255", which should give enough information in the file itself
about what the warnings are.

Thanks,

James

Hi James,
yes, the warning message is 'Your password will expire in 6 days', probably from PAM and I get it whenever I have to autenthicate myself (GDM, lock screen).

Thank you!

On Fri, 2009-04-03 at 12:02 +0000, Gianfranco Liporace wrote:
> Hi James,
> yes, the warning message is 'Your password will expire in 6 days', probably from PAM and I get it whenever I have to autenthicate myself (GDM, lock screen).

Thanks, it's easy to reproduce with this information. I know what's
going on now as well.

Thanks,

James

Hi,

I've attached this patch to the upstream bug, but the code has
been completely re-written in git, so it's not clear whether he
will be interested.

I think this may be appropriate to fix for Jaunty, or older releases,
but perhaps it should be in an SRU. Release team, what do you
think?

Thanks,

James

This looks fine for an SRU.

Moved subscribers to ubuntu-sru. James, if this applies to hardy as well, we should IMHO fix it there as well. Thanks for looking into this!

(Please note that you can already upload to jaunty-proposed)

On Wed, 2009-04-15 at 20:52 +0000, Martin Pitt wrote:
> Moved subscribers to ubuntu-sru. James, if this applies to hardy as
> well, we should IMHO fix it there as well. Thanks for looking into this!

I will investigate.

> (Please note that you can already upload to jaunty-proposed)

(not for packages in main I assume)

Thanks,

James

James Westby [2009-04-15 21:31 -0000]:
> > (Please note that you can already upload to jaunty-proposed)
>
> (not for packages in main I assume)

Sure you can. They just won't get accepted until after Jaunty is
released.

same problem.
if you have likewise-open installed and the relate service is not running the likewise pam module output a message and the policykit dialog hangs

I'm not sure if this is somewhat related but since I upgraded from 8.10 to 9.04 I cannot use anything that uses the newer authentication system.

I get an issue when I try to edit a network connection via the new network manager or edit a user.
Taking the network manager example, I added a strace session to the authenticate dialogue box , entered my password and watched the output... which wasn't much - I've masked the password.

17:42:06.448553 read(0, "********\n"..., 4096) = 9
17:42:15.951992 write(9, "********\n"..., 9) = 9
17:42:15.952043 read(10, "PAM_TEXT_INFO Could not locate an"..., 4096) = 90
17:42:16.221059 write(1, "PAM_TEXT_INFO Could not locate an"..., 90) = 90
17:42:16.221115 read(0,

and that's it. it just hangs, I can't close the dialogue I can't do anything... short of killing the process.
My system isn't using an AD authentication it should just be a stock standard install of 8.10 upgraded to 9.04

cdmdotnet,

It sounds like you're describing the same basic issue here. You may be able to get more useful information out of the error if you run strace with '-s 128', so that you can see the full message - that won't get you to a fix for this bug, but you might find out what extra information PAM is trying to give you, and address that if it points to another problem.

Hi Steve

Thanks alot for that switch "-s 128".

I had started to play with my old fingerprint reader since upgrading, which is reporting an information warning message "Could not locate any suitable fingerprints matched with available hardware". That's another issue which I'll take care of outside of here.

 I guess it does emphasise how information messages may cause a few issues. In my case it wasn't an information message about password expiry. No idea if it will help you guys.

Cheers

On Sat, 2009-05-02 at 20:13 +0000, cdmdotnet wrote:
> Hi Steve
>
> Thanks alot for that switch "-s 128".
>
> I had started to play with my old fingerprint reader since upgrading,
> which is reporting an information warning message "Could not locate any
> suitable fingerprints matched with available hardware". That's another
> issue which I'll take care of outside of here.
>
> I guess it does emphasise how information messages may cause a few
> issues. In my case it wasn't an information message about password
> expiry. No idea if it will help you guys.

Thanks for the information.

Your problem should be fixed by the same patch. I'm waiting a few days
for a reaction from the author, but either way there should be a package
to test in a few days. We would be grateful if you could test that
package when it is available and report your findings here.

Thanks,

James

Hi Steve

I've got no problems doing some testing.

I've fixed the problem I had, but it's not hard to reproduce the situation I had before.
In saying that fixing the notification message for the fingerprint reader software brings up another prompt - a notification message is raised requesting a finger be scanned before the authentication is complete ( the package makes the finger print additional to the username / password, and not a replacement ) , so the patch will be interesting to see in action.

Matt

This bug was fixed in the package policykit - 0.9-3ubuntu2

---------------
policykit (0.9-3ubuntu2) karmic; urgency=low

    * Add debian/patches/polkit-deadlock.patch.
      - Fix deadlock when PAM_TEXT_INFO is used (LP: #354378). Kudos to James
        Westby.

 -- Iulian Udrea <email address hidden> Wed, 06 May 2009 08:30:20 +0000

Hi James

stupid question, but now that a patch is released what steps do I take to obtain and apply it so I can give you some feedback?

On Mon, 2009-05-11 at 09:10 +0000, cdmdotnet wrote:
> Hi James
>
> stupid question, but now that a patch is released what steps do I take
> to obtain and apply it so I can give you some feedback?

Hi,

That was fixing it for Karmic, I'll work on a fix for Jaunty in the next
few days.

Thanks,

James

This still appears to be broken in Jaunty, any chance it will be patched?