Date: Thu, 12 Mar 2026 10:44:31 +0100
From: Fabian Grünbichler
Subject: Re: [PATCH pve-access-control 1/1] pam: fork for PAM authentication to isolate SIGCHLD handler
To: Hannes Laimer, pve-devel@lists.proxmox.com

On March 4, 2026 2:46 pm, Hannes Laimer wrote:
> PAM modules can temporarily override $SIG{CHLD}, causing SIGCHLDs from
> RESTEnvironment worker processes to be lost. Run the PAM interaction in
> a subprocess via PVE::Tools::run_fork to contain any signal handler
> manipulation to the child.
>
> Signed-off-by: Hannes Laimer

Reviewed-by: Fabian Grünbichler
Tested-by: Fabian Grünbichler

this patch alone fixes the reproducer for me, tracing the signals also
clearly shows that the PAM unix_chkpwd children are now decoupled
properly from our worker handling..

> --- > src/PVE/Auth/PAM.pm | 74 +++++++++++++++++++++++++-------------------- > 1 file changed, 42 insertions(+), 32 deletions(-) >=20 > diff --git a/src/PVE/Auth/PAM.pm b/src/PVE/Auth/PAM.pm > index 3aacfc0..8586da5 100755 > --- a/src/PVE/Auth/PAM.pm > +++ b/src/PVE/Auth/PAM.pm 
> @@ -27,45 +27,55 @@ sub authenticate_user { > # user (www-data) need to be able to read /etc/passwd /etc/shadow > die "no password\n" if !$password; > =20 > - my $pamh =3D Authen::PAM->new( > - 'proxmox-ve-auth', > - $username, > - sub { > - my @res; > - while (@_) { > - my $msg_type =3D shift; > - my $msg =3D shift; > - push @res, (0, $password); > - } > - push @res, 0; > - return @res; > - }, > - ); > - > - if (!ref($pamh)) { > - my $err =3D $pamh->pam_strerror($pamh); > - die "error during PAM init: $err"; > + # PAM modules may temporarily override $SIG{CHLD}, causing SIGCHLDs = from > + # RESTEnvironment workers to be lost. Running the PAM interaction in= a fork > + # isolates any such handler manipulation from the parent process. > + my $client_ip; > + if (my $rpcenv =3D PVE::RPCEnvironment::get()) { > + $client_ip =3D $rpcenv->get_client_ip(); > } > =20 > - if (my $rpcenv =3D PVE::RPCEnvironment::get()) { > - if (my $ip =3D $rpcenv->get_client_ip()) { > - $pamh->pam_set_item(PAM_RHOST(), $ip); > + PVE::Tools::run_fork(sub { > + my $pamh =3D Authen::PAM->new( > + 'proxmox-ve-auth', > + $username, > + sub { > + my @res; > + while (@_) { > + my $msg_type =3D shift; > + my $msg =3D shift; > + push @res, (0, $password); > + } > + push @res, 0; > + return @res; > + }, > + ); > + > + if (!ref($pamh)) { > + my $err =3D $pamh->pam_strerror($pamh); > + die "error during PAM init: $err"; > } > - } > =20 > - my $res; > + if ($client_ip) { > + $pamh->pam_set_item(PAM_RHOST(), $client_ip); > + } > =20 > - if (($res =3D $pamh->pam_authenticate(0)) !=3D PAM_SUCCESS) { > - my $err =3D $pamh->pam_strerror($res); > - die "$err\n"; > - } > + my $res; > =20 > - if (($res =3D $pamh->pam_acct_mgmt(0)) !=3D PAM_SUCCESS) { > - my $err =3D $pamh->pam_strerror($res); > - die "$err\n"; > - } > + if (($res =3D $pamh->pam_authenticate(0)) !=3D PAM_SUCCESS) { > + my $err =3D $pamh->pam_strerror($res); > + die "$err\n"; > + } > + > + if (($res =3D $pamh->pam_acct_mgmt(0)) !=3D 
PAM_SUCCESS) { > + my $err =3D $pamh->pam_strerror($res); > + die "$err\n"; > + } > + > + $pamh =3D 0; # call destructor > =20 > - $pamh =3D 0; # call destructor > + return 1; > + }); > =20 > return 1; > } > --=20 > 2.47.3 >=20 >=20 >=20 >=20 >=20 >=20
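
Review bot: The return value of PVE::Tools::run_fork(sub { ... }) is discarded and authenticate_user then falls through to the outer `return 1;`, so the function reports a successful login whenever run_fork returns without dying. The PAM checks and their `die "$err\n"` now run in the child, and nothing in this hunk shows that every child failure (including the child exiting or being killed before it reaches its own `return 1;`) is re-raised in the parent. For an authentication path this should fail closed: capture the result, e.g. `my $ok = PVE::Tools::run_fork(sub { ... });`, and die unless it is true before returning 1. Separately, the moved init check still calls `$pamh->pam_strerror($pamh)` inside `if (!ref($pamh))`, which is a method call on a non-reference and cannot produce the intended error text; since the block is being re-indented anyway, it could be fixed in the same change.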