PAM/setloginclass link error in jail

From: Ben Kelly <ben_at_wanderview.com>
Date: Mon, 5 Sep 2011 19:17:06 -0400
Hello all,

I upgraded my server today to a recent HEAD from its old sources from about October 2010.  After the upgrade I ran into an unusual problem.  I've worked around the issue for now, but I was wondering if anyone could help me solve it correctly.

The problem is that all PAM related operations fail inside jails.  Initially I was getting this error in /var/log/messages:

passwd: in openpam_load_module(): no pam_unix.so found

That file was clearly there, however, so I dug into PAM and enabled some debug in pam_dynamic.c.  This got me the following message:

openpam_dynamic(): /usr/lib/pam_unix.so: /lib/libutil.so.9: Undefined symbol "setloginclass"

This is a syscall added to the system in March, 2011.  The link process works fine normally, but fails in any jail.  I went as far as turning on rtld debug to verify it was giving up on libutil about half way through when it could not resolve the symbol.  I verified that libc.so.7 was the same both inside and outside the jail.  The setloginclass symbol was defined as a WEAK reference.

Looking through past e-mail I noticed trasz_at_ said he was going to explicitly put in code to support setloginclass from root in a jail.  I think I see this code in the prison privilege checking as well.  Its just not clear to me why its not linking.

To work around the issue I hacked setloginclass out of libutil for now.  This is clearly not ideal as I'm not sure when and where that will blow up on me.  It did let me log back into my e-mail, however.

For reference:

FreeBSD ianto.in.wanderview.com 9.0-BETA2 FreeBSD 9.0-BETA2 #1 r278M: Mon Sep  5 18:54:58 UTC 2011     root_at_ianto.in.wanderview.com:/usr/obj/usr/src/sys/SERVER  i386

The system is using zfs, nullfs, and ezjail to manage the jails.  I did upgrade my zfs pools to the latest version at this same time, but so far I can't tie that to this problem.

Does anyone know why a jail would prevent rtld from linking in a particular syscall?  Any help or advice is greatly appreciated.

Thank you.

Ben
Received on Mon Sep 05 2011 - 21:47:01 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:17 UTC