[Nsspampgsql-devel] Bug#611019: Bug#611019: libnss-pgsql2: Does not correctly handle empty string in query result
Stephen Gran
sgran at debian.org
Tue Jan 25 07:01:43 UTC 2011
severity 611019 wishlist
thanks
This one time, at band camp, Thomas Damgaard said:
> This has worked fine while running lenny.
> After upgrading to squeeze, I started getting the error.
> Having spent hours debugging this, it turned out that
> 'getent shadow backup001' returns:
> backup001:*:14551:0:99999:7:0:0:0
> and not the expected
> backup001:*:14551:0:99999:7:::
>
> So, it returns 0 instead of empty string.
> I had to turn on query logging in the database.
> I noticed that the query did in fact select ''.
> I tried modifying the query to return 99999 instead of '' and then
> 'getent shadow backup001' returns:
> backup001:*:14551:0:99999:7:0:0:99999
> And best of all: now login works!
>
> So I guess the problem is that libnss-pgsql handles the empty string
> incorrectly and returns 0 to PAM instead of ''. This has probably also
> been the case in lenny, however, some semantics in PAM must have
> changed in squeeze so that it now interprets 0 as 'account expired'.
> Which is probably correct.
>
> I think this is a very severe bug, since this will make login fail
> for users who upgrade to squeeze.
> I hope this will be fixed before squeeze is released.
Hello,
I'm afraid this is a design decision, rather than a bug. The code
explicitly casts the return to a numeric value:
    result->sp_lstchg = (long int) atol(PQgetvalue(res, 0, SHADOW_LSTCHG));
    result->sp_min = (long int) atol(PQgetvalue(res, 0, SHADOW_MIN));
    result->sp_max = (long int) atol(PQgetvalue(res, 0, SHADOW_MAX));
    result->sp_warn = (long int) atol(PQgetvalue(res, 0, SHADOW_WARN));
    result->sp_inact = (long int) atol(PQgetvalue(res, 0, SHADOW_INACT));
    result->sp_expire = (long int) atol(PQgetvalue(res, 0, SHADOW_EXPIRE));
    result->sp_flag = (unsigned long int) atol(PQgetvalue(res, 0, SHADOW_FLAG));
I suspect you're right that something changed in pam to make it suddenly
stop working for you, but it never should have worked with that
configuration. The example config doesn't contain a query with '' in
it, but I suppose it could be clearer, hence I've marked this wishlist
with the idea that we'll update the example config to make it clearer
what the library expects.
Cheers,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
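
The conversion discussed in this thread, as an added example that is not part of the original messages or of libnss-pgsql: atol() maps the empty string to 0, while glibc stores -1 in struct spwd for an empty shadow field, which is what getent prints as an empty column. parse_shadow_field() and shadow_field() are hypothetical helpers, and the sample columns are constructed from the row quoted in the report.

```c
/* Added example, not libnss-pgsql code. Helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* glibc represents an empty numeric shadow field as -1 in struct spwd. */
#define SHADOW_FIELD_EMPTY (-1L)

/* Convert one column value, a NUL-terminated string as PQgetvalue()
 * returns it ("" for an empty string or SQL NULL), to a shadow field.
 * Returns 0 on success, -1 if the text is not a whole number >= -1. */
static int parse_shadow_field(const char *text, long *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0') {
        *out = SHADOW_FIELD_EMPTY;      /* empty column -> "not set" */
        return 0;
    }
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < -1)
        return -1;                      /* trailing junk, overflow, or below -1 */
    *out = v;
    return 0;
}

/* Demo wrapper: returns the parsed value, or -2 for rejected input. */
static long shadow_field(const char *text)
{
    long v;
    return parse_shadow_field(text, &v) == 0 ? v : -2L;
}

int main(void)
{
    /* Constructed sample: lstchg, min, max, warn, then three empty columns. */
    const char *cols[] = { "14551", "0", "99999", "7", "", "", "" };
    size_t i;

    for (i = 0; i < sizeof cols / sizeof cols[0]; i++)
        printf("'%s': atol=%ld checked=%ld\n",
               cols[i], atol(cols[i]), shadow_field(cols[i]));
    return 0;
}
```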