From owner-freebsd-questions@FreeBSD.ORG Thu May 7 18:41:44 2009 Return-Path: Delivered-To: questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5FBE5106566C for ; Thu, 7 May 2009 18:41:44 +0000 (UTC) (envelope-from toomas.aas@raad.tartu.ee) Received: from kuller.raad.tartu.ee (kuller.raad.tartu.ee [194.126.106.100]) by mx1.freebsd.org (Postfix) with ESMTP id 173FC8FC15 for ; Thu, 7 May 2009 18:41:44 +0000 (UTC) (envelope-from toomas.aas@raad.tartu.ee) Received: from localhost (localhost [127.0.0.1]) by kuller.raad.tartu.ee (Postfix) with ESMTP id E6A7639826 for ; Thu, 7 May 2009 21:23:36 +0300 (EEST) X-Virus-Scanned: amavisd-new at post.raad.tartu.ee Received: from kuller.raad.tartu.ee ([127.0.0.1]) by localhost (kuller.raad.tartu.ee [127.0.0.1]) (amavisd-new, port 10024) with LMTP id cBkc6RWfK4i5 for ; Thu, 7 May 2009 21:23:32 +0300 (EEST) Received: from raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110]) by kuller.raad.tartu.ee (Postfix) with ESMTP id 80D3139873 for ; Thu, 7 May 2009 21:23:32 +0300 (EEST) Received: from INFO/SpoolDir by raad.tartu.ee (Mercury 1.48); 7 May 09 21:23:32 +0300 Received: from SpoolDir by INFO (Mercury 1.48); 7 May 09 21:23:29 +0300 Received: from [172.26.1.6] (172.26.1.6) by raad.tartu.ee (Mercury 1.48) with ESMTP; 7 May 09 21:23:27 +0300 Message-ID: <4A03271E.9080903@raad.tartu.ee> Date: Thu, 07 May 2009 21:23:26 +0300 From: Toomas Aas User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: questions@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Applying FreeBSD-SA-09:07 broke PAM on 7.0 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 May 2009 18:41:44 -0000 Hello! Finally I managed to find some time to apply the libc update to our server running FreeBSD 7.0 i386. I applied the patch as described in the section titled "To patch your present system:" of the advisory. I didn't notice any errors during the entire process, but after it was complete I could no longer log in, either via ssh or locally on the server console. The following error messages were returned after entering the login name on the console (the password prompt didn't even appear): login: in openpam_load_module(): no pam_unix.so found login: pam_start(): system error pam_unix.so.4 was still present in /usr/lib and there was also a symlink to it named pam_unix.so, as I saw after rebooting the server into single user mode. ldd /usr/lib/pam_unix.so.4 seemed to correctly find all the needed libraries. Using the fixit CD I copied the original libc.so.7 from 7.0 installation media to the system and this seems to have solved the problem, leaving me to wonder how to actually deal with the security issue. My own thought at this point is to bring in a fresh 7.2 source tree and rebuild everything, but maybe someone knows a less involved solution? Sounds like something else besides libc needs to be rebuilt, but what? Just a couple of days ago I applied this patch to another system running 7.1, and there were no problems. I've been running and patching FreeBSD since 2001 and never had such a strange problem with a security advisory! -- Toomas Aas