[Nsspampgsql-devel] Bug#556732: libnss-pgsql2: hangs after authentication in _nss_pgsql_getpwuid_r

Bram Senders bram at luon.net
Tue Nov 17 15:57:49 UTC 2009


Package: libnss-pgsql2
Version: 1.4.0debian-2
Severity: normal

I'm trying to set up libnss-pgsql2 as per the example configuration, but
the library hangs while waiting for a mutex after the authentication is done.
I've added one user, "foo", and the following happens when trying to su to
that user:

=== 8< ===
bram at rabarber% su - foo                                                                                           ~
LOG:  duration: 15.001 ms
LOG:  duration: 3.566 ms
LOG:  execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL:  parameters: $1 = 'foo'
LOG:  duration: 1.997 ms
Password: 
LOG:  duration: 14.956 ms
LOG:  duration: 3.639 ms
LOG:  execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL:  parameters: $1 = 'foo'
LOG:  duration: 1.304 ms
LOG:  duration: 17.226 ms
LOG:  duration: 5.118 ms
LOG:  execute <unnamed>: SELECT * FROM shadow_table WHERE username = $1
DETAIL:  parameters: $1 = 'foo'
LOG:  duration: 1.339 ms
LOG:  duration: 20.307 ms
LOG:  duration: 3.581 ms
LOG:  execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL:  parameters: $1 = 'foo'
LOG:  duration: 1.212 ms
LOG:  duration: 13.044 ms
LOG:  duration: 5.120 ms
LOG:  execute <unnamed>: SELECT * FROM shadow_table WHERE username = $1
DETAIL:  parameters: $1 = 'foo'
LOG:  duration: 1.355 ms
LOG:  duration: 15.603 ms
LOG:  duration: 6.739 ms
LOG:  execute <unnamed>: SELECT usergroups.gid FROM passwd_table JOIN usergroups USING (uid) where username = $1 and usergroups.gid <> $2
DETAIL:  parameters: $1 = 'foo', $2 = '2001'
LOG:  duration: 1.399 ms

=== >8 ===

I've configured PostgreSQL to display all queries, hence the debug
output.  After this output, the process hangs.  This is after the
authentication is complete, which can be seen here:

=== 8< ===
root at rabarber# ps ax|grep su
  584 ?        S<     0:00 [ksuspend_usbd]
 1343 pts/14   S+     0:00 su - foo
 1350 pts/14   S+     0:00 -su
root at rabarber# ls -l /proc/1350/exe
lrwxrwxrwx 1 foo foo 0 2009-11-17 16:10 /proc/1350/exe -> /bin/bash
=== >8 ===

The hanging process is already the shell of the new user.  Making a
backtrace of this process yields the following information:
=== 8< ===
root at rabarber# gdb -p 1350                                                   ~
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 1350
Reading symbols from /bin/bash...(no debugging symbols found)...done.
[--- snip reading debugging symbols ---]
0xb7fc0424 in __kernel_vsyscall ()
(gdb) bt full
#0  0xb7fc0424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7c9fc99 in __lll_lock_wait () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0xb7c9b0c4 in _L_lock_89 () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#3  0xb7c9a9f2 in pthread_mutex_lock () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#4  0xb7f149c6 in pthread_mutex_lock () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#5  0xb7cad540 in _nss_pgsql_getpwuid_r (uid=2003, result=0xbfbc4160, 
    buffer=0xbfbc2160 "ntp", buflen=8192, errnop=0xb7e2568c)
    at interface.c:103
	retval = NSS_STATUS_TRYAGAIN
	localerrno = <value optimized out>
#6  0xb7ec0ed2 in getpwuid_r () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#7  0xb7c8ed3e in ?? () from /usr/lib/libpq.so.5
No symbol table info available.
#8  0x000007d3 in ?? ()
No symbol table info available.
[--- snip further backtrace ---]
(gdb) 
=== >8 ===

Now, stuff like "getent passwd", "getent shadow" (as root) and "id foo"
works fine; however, it would be nice to be able to actually log in with
new users ;-)

This might somehow be related to bug #488979, but in what way, I'm not
sure.

My configuration files are attached (these are mostly the same as in the
examples).  Note that in nss-pgsql.conf, I don't have a password in the
connectionstring, since that user connects using "trust".  Any
information wrt how to solve this would be very much appreciated!

Cheers,
Bram Senders

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-pgsql2 depends on:
ii  libc6                      2.7-18        GNU C Library: Shared libraries
ii  libpq5                     8.3.8-0lenny1 PostgreSQL C client library

libnss-pgsql2 recommends no packages.

Versions of packages libnss-pgsql2 suggests:
ii  libpam-pgsql                  0.6.3-2    PAM module to authenticate using a
pn  nscd                          <none>     (no description available)

-- no debconf information
-------------- next part --------------
connectionstring        = hostaddr=127.0.0.1 dbname=system user=anonauth connect_timeout=1

# you can use anything postgres accepts as table expression

# Must return "usernames", 1 column, list
getgroupmembersbygid    = SELECT username FROM passwd_table WHERE gid = $1
# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwnam        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwuid        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE uid = $1
# All users
allusers        = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table
# Must return group_name, group_passwd, group_gid
getgrnam        = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table WHERE groupname = $1
# Must return group_name, group_passwd, group_gid
getgrgid        = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table WHERE gid = $1
# Must return gid.  %s MUST appear first for username match in where clause
groups_dyn      = SELECT usergroups.gid FROM passwd_table JOIN usergroups USING (uid) where username = $1 and usergroups.gid <> $2
allgroups       = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table
-------------- next part --------------
# example configfile for PostgreSQL NSS module
# this file must be readable for root only

shadowconnectionstring = hostaddr=127.0.0.1 dbname=system user=shadowauth password=WACHTWOORD connect_timeout=1

#Query in the following format
#shadow_name, shadow_passwd, shadow_lstchg, shadow_min, shadow_max, shadow_warn, shadow_inact, shadow_expire, shadow_flag
shadowbyname = SELECT * FROM shadow_table WHERE username = $1
shadow = SELECT * FROM shadow_table
-------------- next part --------------
-- Default table setup for nss-pgsql

CREATE SEQUENCE group_id MINVALUE 2000 MAXVALUE 2147483647 NO CYCLE;
CREATE SEQUENCE user_id MINVALUE 2000 MAXVALUE 2147483647 NO CYCLE;

CREATE TABLE "group_table" (
	"gid" int4 NOT NULL DEFAULT nextval('group_id'),
	"groupname" character varying(16) NOT NULL,
	"descr" character varying,
	"passwd" character varying(20),
	PRIMARY KEY ("gid")
);

CREATE TABLE "passwd_table" (
	"username" character varying(64) NOT NULL,
	"passwd" character varying(128) NOT NULL,
	"uid" int4 NOT NULL DEFAULT nextval('user_id'),
	"gid" int4 NOT NULL,
	"gecos" character varying(128),
	"homedir" character varying(256) NOT NULL,
	"shell" character varying DEFAULT '/bin/bash' NOT NULL,
	PRIMARY KEY ("uid")
);

CREATE TABLE "usergroups" (
	"gid" int4 NOT NULL,
	"uid" int4 NOT NULL,
	PRIMARY KEY ("gid", "uid"),
	CONSTRAINT "ug_gid_fkey" FOREIGN KEY ("gid") REFERENCES "group_table"("gid"),
	CONSTRAINT "ug_uid_fkey" FOREIGN KEY ("uid") REFERENCES "passwd_table"("uid")
);
  
CREATE TABLE "shadow_table" (
 	"username" character varying(64) NOT NULL,
 	"passwd" character varying(128) NOT NULL,
 	"lastchange" int4 NOT NULL,
 	"min" int4 NOT NULL,
 	"max" int4 NOT NULL,
 	"warn" int4 NOT NULL,
 	"inact" int4 NOT NULL,
 	"expire" int4 NOT NULL,
 	"flag" int4 NOT NULL,
 	PRIMARY KEY ("username")
);
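
Added illustration, not part of the original report and not libnss-pgsql code: frames #7 to #5 of the backtrace show libpq calling getpwuid_r(), which lands in the NSS module and blocks in pthread_mutex_lock(). The C sketch below reproduces that shape under the assumption that the snipped frames contain an earlier call into the same module that already holds the mutex. All function names are hypothetical, and an error-checking mutex is used so the re-entrant lock reports EDEADLK instead of hanging.

```c
/* Added illustration; every name here is hypothetical, not libnss-pgsql code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

enum { LOOKUP_OK = 0, LOOKUP_UNAVAIL = -1, LOOKUP_DEADLOCK = -2 };
static pthread_mutex_t lock;
static __thread int in_module;  /* per-thread "already inside the module" flag */
static int use_guard;           /* 0 = pattern from the backtrace, 1 = guarded */

static int toy_getpwuid_r(unsigned uid);

/* Stand-in for the database client: while connecting it looks up the
 * calling user, which routes back into the module (frames #7 -> #6 -> #5). */
static int toy_connect(unsigned caller_uid) {
    return toy_getpwuid_r(caller_uid);
}

static int toy_getpwuid_r(unsigned uid) {
    if (use_guard && in_module)
        return LOOKUP_UNAVAIL;      /* decline; let the next NSS source answer */
    /* A default mutex would block forever here on re-entry. */
    if (pthread_mutex_lock(&lock) == EDEADLK)
        return LOOKUP_DEADLOCK;
    in_module = 1;
    int inner = toy_connect(uid);   /* re-enters this function on the same thread */
    in_module = 0;
    pthread_mutex_unlock(&lock);
    return inner == LOOKUP_DEADLOCK ? LOOKUP_DEADLOCK : LOOKUP_OK;
}

/* Run one outer lookup and return its status. */
int run_lookup(int guarded) {
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&lock, &attr);
    pthread_mutexattr_destroy(&attr);
    use_guard = guarded;
    int rc = toy_getpwuid_r(2003);  /* uid taken from frame #5 */
    pthread_mutex_destroy(&lock);
    return rc;
}

int main(void) {
    printf("unguarded: %d\n", run_lookup(0));
    printf("guarded:   %d\n", run_lookup(1));
    return 0;
}
```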