VirtualBox

Ticket #1953 (closed defect: fixed)

Opened 6 years ago

Last modified 6 years ago

Segmentation fault on Ubuntu AMD64 with VRDP external authentication -> Fixed in 1.6.6

Reported by: leoniman
Owned by:
Priority: major
Component: RDP
Version: VirtualBox 1.6.4
Keywords: VRDP PAM segmentation fault external
Cc:
Guest type: Linux
Host type: Linux

Description

I'm running VBox 1.6.4 on Ubuntu desktop 8.04.1 AMD64 updated @ Aug 13 2008.

I've enabled auth logging with export VRDP_AUTH_DEBUG_FILENAME=/home/vbox/log

I started VM with VBoxHeadless -s dev & and in log I obtained:

u[vbox], d[dev2.lan], p[4]
vrdpauth_pam_init: dlopen libpam.so failed
vrdpauth_pam_init failed 4

I made ln -s /lib/libpam.so.0 /lib/libpam.so, and it worked

u[vbox], d[dev2.lan], p[4]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
access granted
vrdpauth_pam_close completed

After this I tried unauthorized userid/pwd, and I got segmentation faults [1]+ Segmentation fault VBoxHeadless -s dev in all cases below:

u[leo], d[], p[0]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[leo] p[0]
conv: 0 returning password [0]

u[leo], d[], p[6]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[leo] p[6]
conv: 0 returning password [6]

u[vbox], d[], p[0]
init ok
Using PAM service: vrdpauth
start ok
conv: num 1 u[vbox] p[0]
conv: 0 returning password [0]

In other words, if user is allowed, all is ok, but if user is NOT allowed the VM crashes with segmentation fault.

It looks like a VirtualBox bug.

p.s. I rebooted whole system, and now I get segfault even for authorized userid/passwords.

Attachments

VRDPAuth.so (19.1 KB) - added by frank 6 years ago.
Fixed VRDPAuth.so for Ubuntu 8.04 AMD64

Change History

comment:1 follow-up: ↓ 2 Changed 6 years ago by sunlover

Can you provide a core dump (http://www.virtualbox.org/wiki/Core_dump)?

comment:2 in reply to: ↑ 1 Changed 6 years ago by leoniman

I have the core dump and the logs, once compressed archive is 25 Mbytes. Please give instructions on how you prefer I send you this archive. Thank you in advance.

comment:3 Changed 6 years ago by frank

Please send it to http://www.yousendit.com/ and send me the URL by private E-mail to frank dot mehnert _at_ sun dot com -- thanks.

comment:4 Changed 6 years ago by frank

We got the core dump, investigating.

comment:5 Changed 6 years ago by sunlover

Thanks for the dump. Does the crash occur when the logging is disabled, that is when the VRDP_AUTH_DEBUG_FILENAME env var does not exist?

comment:6 Changed 6 years ago by leoniman

It seems you hit. If I unset -v VRDP_AUTH_DEBUG_FILENAME the segfault does not occur.

But it seems that there's anyway a problem with AUTH EXTERNAL.
I activated log because I was not able to succeed with authentication.

When log is active, before segfault it seems that auth is OK ...

vbox@dev2:~$ cat log
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok

... but if I repeat the same access with log file disabled the connection does not succeed even if segfault does not occur.

Looks like we have two bugs:

  • segfault when log is active
  • authentication external not working, even if log reports that auth succeeded.

comment:7 Changed 6 years ago by sunlover

The segfault happens in a debug log statement, which logs a failure of pam_acct_mgmt function. The pam_acct_mgmt usually fails if /etc/shadow is not readable by the user which runs VBox. Also SELinux settings may affect this, for example on Fedora Core 6 it was necessary to change the "SELinux Setting" from "Disabled" to "Permissive".

comment:8 Changed 6 years ago by frank

Though it should not segfault of course ...

Changed 6 years ago by frank

Fixed VRDPAuth.so for Ubuntu 8.04 AMD64

comment:9 Changed 6 years ago by frank

I've uploaded a new version of VRDPAuth.so (for Ubuntu 8.04, AMD64) which should have fixed this crash. Please could you replace the existing file of your installation with the new one and check if the segfault still occurs?

comment:10 Changed 6 years ago by Murz

Confirm working new version of VRDPAuth.so (for Ubuntu 8.04, AMD64) on Debian Lenny AMD64 too! Many thanks for patched version!

comment:11 Changed 6 years ago by sunlover

  • Status changed from new to closed
  • Resolution set to fixed
  • Summary changed from Segmentation fault on Ubuntu AMD64 with VRDP external authentication to Segmentation fault on Ubuntu AMD64 with VRDP external authentication -> Fixed in 1.6.6

comment:12 follow-up: ↓ 13 Changed 6 years ago by leoniman

Hi Frank, sorry, I was back from holiday just today. I confirm that segfault does not occur with patched library. Thank you very much.

####

If you can, I would need a small help. The /etc/shadow has following permissions

root@dev2:/home/vbox# ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
root@dev2:/home/vbox#

I'm trying to login from rdp client with user=vbox pwd=vbox, the same with which I can log on host system, but regardless I add vbox user into shadow group the authentication fails.

With vbox part of shadow group:
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed

With vbox out of the shadow group.
u[vbox], d[], p[4]
init ok
Using PAM service: login
start ok
conv: num 1 u[vbox] p[4]
conv: 0 returning password [4]
auth ok
pam_acct_mgmt failed 9. Authentication service cannot retrieve authentication info
vrdpauth_pam_close completed

I'm not able to get the authentication working. I tried to follow manual instructions ... but unsuccessfully.

Would you be so kind to give me some help?

Thank you in advance
Leo

comment:13 in reply to: ↑ 12 Changed 6 years ago by sunlover

Replying to leoniman:

The /etc/shadow has following permissions

root@dev2:/home/vbox# ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
root@dev2:/home/vbox#

I'm trying to login from rdp client with user=vbox pwd=vbox, the same with which I can log on host system, but regardless I add vbox user into shadow group the authentication fails.

The VBox VM process (VBoxHeadless for example) must be able to read the shadow file. Which user runs VBox?

comment:14 Changed 6 years ago by leoniman

Which user runs VBox?

It's run by user "vbox", which is also in group "vboxusers".

Summary:

  • on host system I have user "vbox" with pwd "vbox"
  • VM is started by user "vbox"
  • I enabled "external" authentication

The VBox VM process (VBoxHeadless for example) must be able to read the shadow file.

I made following experiment:

vbox@dev2:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1029 2008-08-07 19:24 /etc/shadow
vbox@dev2:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
vbox@dev2:~$ sudo usermod -a -G shadow vbox
[sudo] password for vbox:
vbox@dev2:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
vbox@dev2:~$ id
uid=1001(vbox) gid=1001(vbox) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(scanner),107(fuse),109(lpadmin),115(admin),124(vboxusers),1001(vbox)
vbox@dev2:~$

It seems that even if I added user "vbox" to group "shadow", it was not actually added :-( hmmm... maybe I have to logout and login again.

comment:15 follow-up: ↓ 17 Changed 6 years ago by leoniman

wow, logout/login was necessary :-O

Now the "id" shows the group "shadow" and finally external auth works.

vbox@dev2:~$ id
uid=1001(vbox) gid=1001(vbox) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),42(shadow),44(video),46(plugdev),105(scanner),107(fuse),109(lpadmin),115(admin),124(vboxusers),1001(vbox)
vbox@dev2:~$

It's the first time that I realise that a logout/login is required to activate the insertion into a secondary group :-O
Thank you for your patience and your help.

btw, any idea for the 1.6.6 release date?

comment:16 Changed 6 years ago by frank

Just released, please go to http://www.virtualbox.org/wiki/Downloads

comment:17 in reply to: ↑ 15 Changed 6 years ago by jhowk

Replying to leoniman:

wow, logout/login was necessary :-O

Now the "id" shows the group "shadow" and finally external auth works.

There's a better way. Check out my post...  http://forums.virtualbox.org/viewtopic.php?p=22619#22619
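
The state seen in comments 14 and 15 (user listed in group shadow in the account database, but the running session still without it) can be checked directly. The script below is an added example, not part of the original ticket or of VirtualBox; the function names are hypothetical, and it should be run as the user that starts the VM process.

```shell
#!/bin/sh
# Added example: tell apart "not in the group" from "in the group, but the
# current session was started before the change" for a group-protected file.

# in_list WORD ITEM... -> success if WORD equals one of the ITEMs
in_list() {
    needle=$1; shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# classify_membership GROUP ACTIVE CONFIGURED
#   ACTIVE:     groups of the running session, as printed by `id -Gn`
#   CONFIGURED: groups from the account database, as printed by `id -Gn USER`
classify_membership() {
    group=$1 active=$2 configured=$3
    # $active and $configured are left unquoted on purpose: one word per group
    if in_list "$group" $active; then
        echo active
    elif in_list "$group" $configured; then
        echo pending-relogin
    else
        echo not-member
    fi
}

# diagnose FILE USER -> one line describing USER's relation to FILE's group
diagnose() {
    file=$1 user=$2
    owner_group=$(ls -ld "$file" | awk '{print $4}')
    state=$(classify_membership "$owner_group" "$(id -Gn)" "$(id -Gn "$user")")
    case $state in
        active)          echo "$user: group $owner_group is active in this session" ;;
        pending-relogin) echo "$user: in $owner_group in the database but not in this session; log in again and restart the VM process" ;;
        not-member)      echo "$user: not a member of $owner_group" ;;
    esac
}

# Usage: sh check_group.sh /etc/shadow [user]
if [ "$#" -gt 0 ]; then
    diagnose "$1" "${2:-$(id -un)}"
fi
```

A process keeps the supplementary groups it was started with, so a VM process launched before the new login still has to be restarted.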
