/lib/security/pam_cap.so: undefined symbol: pam_get_item

Bug #582769 reported by Fabien Tassin
34
This bug affects 5 people
Affects Status Importance Assigned to Milestone
libcap2 (Debian)
Fix Released
Unknown
libcap2 (Ubuntu)
Fix Released
High
Serge Hallyn
Lucid
Fix Released
High
Unassigned
Maverick
Invalid
Undecided
Unassigned
Natty
Won't Fix
High
Unassigned

Bug Description

===========================================================
SRU Justification:
1. Impact: imap fails
2. Development fix: add -lpam to LDLIBS
3. Stable fix: same as development fix
4. Test case:
   a. install libcap2-bin (apt-get install libcap2-bin)
   b. add an entry to /etc/security/capabilities.conf for a user, before the 'none *' entry, i.e.
       cap_dac_override serge
   c. install courier-imap-ssl and mutt (apt-get install courier-imap-ssl mutt)
   d. as user serge, create '~/Maildir' (maildirmake ~/Maildir)
   d. reboot, and try to connect with mutt to localhost
      mutt -f imap://serge@localhost/
   e. without the fix, /var/log/auth.log will have an entry like:
 Nov 8 13:12:46 l-libcap authdaemond: PAM unable to dlopen(/lib/security/pam_cap.so): /lib/security/pam_cap.so: undefined symbol: pam_get_item
 Nov 8 13:12:46 l-libcap authdaemond: PAM adding faulty module: /lib/security/pam_cap.so
5. Regression potential: this is in use in debian and oneiric/precise, and should cause no issues.
===========================================================
Binary package hint: libcap2

Each time i login (using evolution) on my IMAP server (courier-imap-ssl), the server auth.log shows:

May 19 11:50:35 srv authdaemond: PAM unable to dlopen(/lib/security/pam_cap.so): /lib/security/pam_cap.so: undefined symbol: pam_get_item
May 19 11:50:35 srv authdaemond: PAM adding faulty module: /lib/security/pam_cap.so

it happens only at LOGIN time.
May 19 11:50:35 srv imapd-ssl: LOGIN, user=foo, ip=[::ffff:x.x.x.x], port=[xxxxx], protocol=IMAP

$ objdump -T /lib/security/pam_cap.so | grep pam_get_item
0000000000000000 D *UND* 0000000000000000 pam_get_item

both the client & server are running Lucid and are up-to-date.

ii libcap2-bin 1:2.17-2ubuntu1
ii courier-authdaemon 0.62.4-1
ii courier-imap-ssl 4.6.0-2.1ubuntu1
ii courier-ssl 0.63.0-2.1ubuntu1

Revision history for this message
Andrew Straw (astraw) wrote :

I had a similar problem and fixed it by rebuilding libcap2 with the attached patch.

tags: added: patch
Revision history for this message
Fabien Tassin (fta) wrote :

the patch doesn't work for me. I've applied it and i'm still getting the error in my logs.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@Fabien,

Please let me know if you are still having this problem.

Changed in libcap2 (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
importance: Undecided → High
status: New → Incomplete
Revision history for this message
Fabien Tassin (fta) wrote :

It's gone, using Natty.

Changed in libcap2 (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
Fabien Tassin (fta) wrote :

well, in fact, it's far from "fix released". I forgot that I blacklisted the message in logcheck because it basically made logcheck too verbose for so long (defeating its "alerting" purpose).

It's still happening a lot in Natty:

$ zgrep -ch "PAM adding faulty module: pam_cap.so" /var/log/auth.log
79

/var/log/messages:
Mar 28 17:03:09 srv authdaemond: pam_sm_authenticate: Called
Mar 28 17:03:09 srv authdaemond: pam_sm_authenticate: username = [fta]

/var/log/auth.log:
Mar 28 17:03:09 srv authdaemond: PAM unable to dlopen(pam_cap.so): /lib/security/pam_cap.so: undefined symbol: pam_get_item
Mar 28 17:03:09 srv authdaemond: PAM adding faulty module: pam_cap.so

/var/log/syslog:
Mar 28 17:03:07 srv imapd-ssl: Connection, ip=[::ffff:x.y.z.t]
Mar 28 17:03:09 srv authdaemond: pam_sm_authenticate: Called
Mar 28 17:03:09 srv authdaemond: pam_sm_authenticate: username = [fta]
Mar 28 17:03:09 srv imapd-ssl: LOGIN, user=fta, ip=[::ffff:x.y.z.t], port=[tttt], protocol=IMAP

of course, my IMAPs works fine.

Changed in libcap2 (Ubuntu):
status: Fix Released → Confirmed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Hi,

I've been trying to reproduce this. I installed libcap2-bin, added an entry for 'serge' to get cap_dac_override to /etc/security/capabilities.conf, verified through strace that ssh was causing capabilities.conf to be read. Installed courier-imap-ssl. Then continued to do both 'ssh localhost -l serge' and, as user serge, 'mutt -f imap://serge@localhost'. But while mutt failed to open my Maildir (bc it did not exist), I saw no complaints from login.

Can you tell me what 'grep pam_cap /etc/pam.d/*' gives you? What is in your /etc/security/capability.conf? Is there anything else which you can see I should be doing to reproduce this?

Changed in libcap2 (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Fabien Tassin (fta) wrote :

My /etc/security/capability.conf doesn't have anything special, it's all default.

Nothing special on the imap-s side either.
The client is evolution:
server type: IMAP
server: srv
username: fta
security: SSL encryption
auth type: password

$ grep pam_cap /etc/pam.d/*
/etc/pam.d/common-auth:auth optional pam_cap.so

nothing fancy here either.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

D'oh, I see. Andrew's patch was right on I think. I'll push a patch upstream, thanks.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Confirmed that adding -lpam to LDLIBS in pam_cap/Makefile makes the error message go away.

Changed in libcap2 (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

We will push the fix for this bug as soon as o-series opens up.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Debdiff against latest libcap, which fixes it for me. I've forwarded it to debian and am hoping they pull it in soon so we can just sync rather than push a temporary fix for oneiric.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(Oops, the debdiff was on another machine. Here it actually is :)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcap2 - 1:2.21-1

---------------
libcap2 (1:2.21-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/0001-fix-Makefiles.patch: link pam_cap against -lpam.
    (Closes: #591410) (LP: #582769)
 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 23 May 2011 09:54:41 +0000

Changed in libcap2 (Ubuntu):
status: Triaged → Fix Released
Changed in libcap2 (Debian):
status: Unknown → Fix Released
Revision history for this message
SaveTheRbtz (savetherbtz) wrote :

Is it going to be backported to LTS?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@SaveTheRbtz - I will propose it for SRU to lucid.

description: updated
description: updated
description: updated
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

maverick actually does not need this patch, as it was applied in debian at that time. Natty does, because the patch was mistakenly dropped.

Revision history for this message
SaveTheRbtz (savetherbtz) wrote :

I think it has even greater impact: pam module is not working so we can't set per-user inheritable capabilities via /etc/security/capability.conf in common-auth

Changed in libcap2 (Ubuntu Maverick):
status: New → Invalid
Changed in libcap2 (Ubuntu Lucid):
status: New → In Progress
Changed in libcap2 (Ubuntu Natty):
status: New → In Progress
importance: Undecided → High
Changed in libcap2 (Ubuntu Lucid):
importance: Undecided → High
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Fabien, or anyone else affected,

Accepted libcap2 into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in libcap2 (Ubuntu Natty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Martin Pitt (pitti) wrote :

Hello Fabien, or anyone else affected,

Accepted libcap2 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in libcap2 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : Verification still needed

The fix for the this bug has been awaiting testing feedback in the -proposed repository for lucid for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now the package will be removed from the -proposed repository.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Verified for lucid. (natty is EOL)

tags: added: verification-done
removed: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Changed in libcap2 (Ubuntu Natty):
status: Fix Committed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcap2 - 1:2.17-2ubuntu1.1

---------------
libcap2 (1:2.17-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/0002-link-pam.patch: link pam_cap against -lpam.
    (Closes: #591410) (LP: #582769)
 -- Serge Hallyn <email address hidden> Tue, 08 Nov 2011 12:39:56 -0600

Changed in libcap2 (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.