PAM/setloginclass link error in jail

Ben Kelly ben at wanderview.com
Wed Sep 7 23:45:26 UTC 2011 

Just for the archives, this turned out to be a problem with updating the ezjail basejail directory.  I had run ezjail-admin update -i, but for some reason it did not install the new libc.so.7 while it did install pretty much everything else.  Moving the old basejail out of the way and installing a new basejail from scratch solved the problem.  Its not clear why ezjail's cpio command failed to update the libc.so.7 file in the first place.

Sorry for the noise.

- Ben

On Sep 5, 2011, at 7:17 PM, Ben Kelly wrote:

> Hello all,
> 
> I upgraded my server today to a recent HEAD from its old sources from about October 2010.  After the upgrade I ran into an unusual problem.  I've worked around the issue for now, but I was wondering if anyone could help me solve it correctly.
> 
> The problem is that all PAM related operations fail inside jails.  Initially I was getting this error in /var/log/messages:
> 
> passwd: in openpam_load_module(): no pam_unix.so found
> 
> That file was clearly there, however, so I dug into PAM and enabled some debug in pam_dynamic.c.  This got me the following message:
> 
> openpam_dynamic(): /usr/lib/pam_unix.so: /lib/libutil.so.9: Undefined symbol "setloginclass"
> 
> This is a syscall added to the system in March, 2011.  The link process works fine normally, but fails in any jail.  I went as far as turning on rtld debug to verify it was giving up on libutil about half way through when it could not resolve the symbol.  I verified that libc.so.7 was the same both inside and outside the jail.  The setloginclass symbol was defined as a WEAK reference.
> 
> Looking through past e-mail I noticed trasz@ said he was going to explicitly put in code to support setloginclass from root in a jail.  I think I see this code in the prison privilege checking as well.  Its just not clear to me why its not linking.
> 
> To work around the issue I hacked setloginclass out of libutil for now.  This is clearly not ideal as I'm not sure when and where that will blow up on me.  It did let me log back into my e-mail, however.
> 
> For reference:
> 
> FreeBSD ianto.in.wanderview.com 9.0-BETA2 FreeBSD 9.0-BETA2 #1 r278M: Mon Sep  5 18:54:58 UTC 2011     root at ianto.in.wanderview.com:/usr/obj/usr/src/sys/SERVER  i386
> 
> The system is using zfs, nullfs, and ezjail to manage the jails.  I did upgrade my zfs pools to the latest version at this same time, but so far I can't tie that to this problem.
> 
> Does anyone know why a jail would prevent rtld from linking in a particular syscall?  Any help or advice is greatly appreciated.
> 
> Thank you.
> 
> Ben

More information about the freebsd-current mailing list