#1953 closed defect (fixed)
Segmentation fault on Ubuntu AMD64 with VRDP external authentication -> Fixed in 1.6.6
Reported by: | leo | Owned by: | |
---|---|---|---|
Component: | RDP | Version: | VirtualBox 1.6.4 |
Keywords: | VRDP PAM segmentation fault external | Cc: | |
Guest type: | Linux | Host type: | Linux |
Description
I'm running VBox 1.6.4 on Ubuntu desktop 8.04.1 AMD64 updated @ Aug 13 2008.
I've enabled auth logging with export VRDP_AUTH_DEBUG_FILENAME=/home/vbox/log
I started VM with VBoxHeadless -s dev & and in log I obtained:
u[vbox], d[dev2.lan], p[4]
vrdpauth_pam_init: dlopen libpam.so failed
vrdpauth_pam_init failed 4
I made ln -s /lib/libpam.so.0 /lib/libpam.so, and it worked
u[vbox], d[dev2.lan], p[4]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
access granted
vrdpauth_pam_close completed
After this I tried unauthorized userid/pwd, and I got segmentation faults
[1]+ Segmentation fault VBoxHeadless -s dev
in all cases below:

u[leo], d[], p[0]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[leo] p[0]
conv: 0 returning password [0]

u[leo], d[], p[6]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[leo] p[6]
conv: 0 returning password [6]

u[vbox], d[], p[0]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[vbox] p[0]
conv: 0 returning password [0]

In other words, if the user is allowed, all is OK, but if the user is NOT allowed the VM crashes with a segmentation fault.
It looks like a VirtualBox bug.
p.s. I rebooted whole system, and now I get segfault even for authorized userid/passwords.
Attachments (1)
Change History (18)
follow-up: 2 comment:1 by , 16 years ago
comment:2 by , 16 years ago
I have the core dump and the logs, once compressed archive is 25 Mbytes. Please give instructions on how you prefer I send you this archive. Thank you in advance.
comment:3 by , 16 years ago
Please send it to http://www.yousendit.com/ and send me the URL by private E-mail to frank dot mehnert _at_ sun dot com -- thanks.
comment:5 by , 16 years ago
Thanks for the dump. Does the crash occur when the logging is disabled, that is when the VRDP_AUTH_DEBUG_FILENAME env var does not exist?
comment:6 by , 16 years ago
It seems you hit it. If I unset -v VRDP_AUTH_DEBUG_FILENAME the segfault does not occur.
But it seems that there's anyway a problem with AUTH EXTERNAL.
I activated log because I was not able to succeed with authentication.
When log is active, before segfault it seems that auth is OK ...
vbox@dev2:~$ cat log
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
... but if I repeat the same access with the log file disabled, the connection does not succeed even if the segfault does not occur.
Looks like we have two bugs:
- segfault when log is active
- authentication external not working, even if log reports that auth succeeded.
comment:7 by , 16 years ago
The segfault happens in a debug log statement, which logs a failure of pam_acct_mgmt function. The pam_acct_mgmt usually fails if /etc/shadow is not readable by the user which runs VBox. Also SELinux settings may affect this, for example on Fedora Core 6 it was necessary to change the "SELinux Setting" from "Disabled" to "Permissive".
comment:9 by , 16 years ago
I've uploaded a new version of VRDPAuth.so (for Ubuntu 8.04, AMD64) which should have fixed this crash. Please could you replace the existing file of your installation with the new one and check if the segfault still occurs?
comment:10 by , 16 years ago
Confirm working new version of VRDPAuth.so (for Ubuntu 8.04, AMD64) on Debian Lenny AMD64 too! Many thanks for patched version!
comment:11 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Summary: | Segmentation fault on Ubuntu AMD64 with VRDP external authentication → Segmentation fault on Ubuntu AMD64 with VRDP external authentication -> Fixed in 1.6.6 |
follow-up: 13 comment:12 by , 16 years ago
Hi Frank, sorry, I was back from holiday just today. I confirm that segfault does not occur with patched library. Thank you very much.
####
If you can, I would need a small help. The /etc/shadow has following permissions
root@dev2:/home/vbox# ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
root@dev2:/home/vbox#
I'm trying to login from rdp client with user=vbox pwd=vbox, the same with which I can log on host system, but regardless I add vbox user into shadow group the authentication fails.
With vbox part of shadow group:
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed
With vbox out of the shadow group.
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed
I'm not able to get the authentication working. I tried to follow manual instructions ... but unsuccessfully.
Would you be so kind to give me some help?
Thank you in advance
Leo
comment:13 by , 16 years ago
Replying to leoniman:
The /etc/shadow has following permissions
root@dev2:/home/vbox# ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
root@dev2:/home/vbox#
I'm trying to login from rdp client with user=vbox pwd=vbox, the same with which I can log on host system, but regardless I add vbox user into shadow group the authentication fails.
The VBox VM process (VBoxHeadless for example) must be able to read the shadow file. Which user runs VBox?
comment:14 by , 16 years ago
Which user runs VBox?
It's run by user "vbox", which is also in group "vboxusers".
Summary:
- on host system I have user "vbox" with pwd "vbox"
- VM is started by user "vbox"
- I enabled "external" authentication
The VBox VM process (VBoxHeadless for example) must be able to read the shadow file.
I made following experiment:
vbox@dev2:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
vbox@dev2:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
vbox@dev2:~$ sudo usermod -a -G shadow vbox
[sudo] password for vbox:
vbox@dev2:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
vbox@dev2:~$ id
uid=1001(vbox) gid=1001(vbox) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(scanner),107(fuse),109(lpadmin),115(admin),124(vboxusers),1001(vbox)
vbox@dev2:~$
It seems that even if I added user "vbox" to group "shadow", it was not actually added :-( hmmm... maybe I have to logout and login again.
follow-up: 17 comment:15 by , 16 years ago
wow, logout/login was necessary :-O
Now the "id" shows the group "shadow" and finally external auth works.
vbox@dev2:~$ id
uid=1001(vbox) gid=1001(vbox) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),42(shadow),44(video),46(plugdev),105(scanner),107(fuse),109(lpadmin),115(admin),124(vboxusers),1001(vbox)
vbox@dev2:~$
It's the first time that I realise that a logout/login is required to activate the insertion into a secondary group :-O
Thank you for your patience and your help.
btw, any idea for the 1.6.6 release date?
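An added example, not part of the ticket or of VirtualBox: a check for the condition found in comments 14 and 15, where a process started before `usermod -a -G shadow vbox` still lacks the new group and therefore cannot read `/etc/shadow`. The sample `/proc/<pid>/status` text is constructed from the `id` output above, and all function names are hypothetical.

```python
"""Detect a process whose supplementary groups lag behind the group database."""
import stat

# Constructed sample: credential lines of /proc/<pid>/status for a process
# started before the group change (gids taken from the ticket's `id` output).
SAMPLE_STATUS = """\
Name:\tVBoxHeadless
Uid:\t1001\t1001\t1001\t1001
Gid:\t1001\t1001\t1001\t1001
Groups:\t4 20 21 24 25 26 29 30 44 46 105 107 109 115 124 1001
"""

def parse_creds(status_text):
    """Return (effective uid, set of effective + supplementary gids)."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    euid = int(fields["Uid"][1])  # columns: real, effective, saved, fs
    egid = int(fields["Gid"][1])
    return euid, {int(g) for g in fields.get("Groups", [])} | {egid}

def can_read(mode, owner_uid, owner_gid, euid, gids):
    """Owner/group/other read check (ignores ACLs, capabilities, SELinux)."""
    if euid == 0:
        return True
    if euid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def stale_groups(proc_gids, db_gids):
    """Gids present in the group database but missing from the process."""
    return sorted(set(db_gids) - set(proc_gids))

def diagnose(status_text, db_gids, mode=0o640, owner_uid=0, owner_gid=42):
    """Defaults model the ticket's /etc/shadow: -rw-r----- root shadow (gid 42)."""
    euid, gids = parse_creds(status_text)
    return {
        "readable_now": can_read(mode, owner_uid, owner_gid, euid, gids),
        "readable_after_restart": can_read(mode, owner_uid, owner_gid,
                                           euid, set(db_gids)),
        "stale": stale_groups(gids, db_gids),
    }
```

On a live host the inputs would come from `open(f"/proc/{pid}/status").read()` for the VM process and `os.getgrouplist(user, gid)` for the database view.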
comment:17 by , 16 years ago
Replying to leoniman:
wow, logout/login was necessary :-O
Now the "id" shows the group "shadow" and finally external auth works.
There's a better way. Check out my post... http://forums.virtualbox.org/viewtopic.php?p=22619#22619
Can you provide a core dump (http://www.virtualbox.org/wiki/Core_dump)?