[Nsspampgsql-devel] Bug#611019: libnss-pgsql2: Does not correctly handle empty string in query result
Thomas Damgaard
tdn at sikkerhed.org
Mon Jan 24 21:34:24 UTC 2011
Package: libnss-pgsql2
Version: 1.4.0debian-3
Severity: important
I tried upgrading a Debian Lenny server to Squeeze a few weeks ago.
Since then all users in the database stopped working.
When trying to log in via SSH, I saw these lines in the logs:
This got me wondering. It should not be possible to have accounts in the database expire.
They have a hard-coded value for this field set in the queries in /etc/nss-pgsql-root.conf.
The query simply returns the empty string '' as field 8.
This has worked fine while running lenny.
After upgrading to squeeze, I started getting the error.
Having spent hours debugging this, it turned out that 'getent shadow backup001' returns:
backup001:*:14551:0:99999:7:0:0:0
and not the expected
backup001:*:14551:0:99999:7:::
So, it returns 0 instead of empty string.
I had to turn on query logging in the database.
I noticed that the query did in fact select ''.
I tried modifying the query to return 99999 instead of '' and then 'getent shadow backup001' returns:
backup001:*:14551:0:99999:7:0:0:99999
And best of all: now login works!
So I guess the problem is that libnss-pgsql handles the empty string incorrectly and returns 0 to PAM instead of ''. This has probably also been the case in lenny, however, some semantics in PAM must have changed in squeeze so that it now interprets 0 as 'account expired'. Which is probably correct.
I think this is a very severe bug, since this will make login fail for users who upgrade to squeeze.
I hope this will be fixed before squeeze is released.
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.6.32-5-486
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libnss-pgsql2 depends on:
ii libc6 2.11.2-9 Embedded GNU C Library: Shared lib
ii libpq5 8.4.5-0squeeze2 PostgreSQL C client library
libnss-pgsql2 recommends no packages.
Versions of packages libnss-pgsql2 suggests:
pn libpam-pgsql <none> (no description available)
pn nscd <none> (no description available)
-- no debconf information
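The failure mode reported above, as an added C example that is not part of the original message and is not libnss-pgsql's own code: a numeric shadow column converted with `atol` turns the empty string into 0, while a strict parser maps it to -1, the value `struct spwd` uses for an unset field. The function names, the sample inputs and the simplified expiry check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive conversion (assumed, not taken from libnss-pgsql): atol("") is 0,
 * so an empty column silently becomes "day 0". */
long field_naive(const char *text) { return atol(text); }

/* Strict conversion. struct spwd marks an unset numeric field with -1,
 * which getent prints as an empty column. Returns 0 on success and -1 on
 * malformed input, so the caller can refuse the entry instead of guessing. */
int parse_shadow_field(const char *text, long *out) {
    char *end;
    long v;
    if (text == NULL) return -1;
    if (*text == '\0') { *out = -1; return 0; }   /* empty means unset */
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 0) return -1;
    *out = v;
    return 0;
}

/* Simplified model of an expiry check (hypothetical helper): sp_expire is
 * in days since 1970-01-01 and -1 means the account never expires. */
int account_expired(long sp_expire, long today) {
    return sp_expire != -1 && today >= sp_expire;
}

int main(void) {
    const long today = 14998;                 /* constructed: 2011-01-24 */
    const char *samples[] = { "", "99999", "0", "12x" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        long strict = 0;
        int rc = parse_shadow_field(samples[i], &strict);
        long naive = field_naive(samples[i]);
        printf("'%s': naive=%ld expired=%d | ", samples[i], naive,
               account_expired(naive, today));
        if (rc == 0)
            printf("strict=%ld expired=%d\n", strict,
                   account_expired(strict, today));
        else
            printf("strict: rejected\n");
    }
    return 0;
}
```

Rejecting a malformed value instead of defaulting it keeps a bad query result from silently changing an account's expiry state in either direction.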