Bug#883347: systemd fails to load pam_unix.so when spawning user.service

Michael Biebl biebl at debian.org
Sat Dec 2 21:39:00 GMT 2017 

Hi Russ!

Am 02.12.2017 um 19:41 schrieb Russ Allbery:
> Package: systemd
> Version: 235-3
> Severity: normal
> 
> Since upgrading a system to 235-3, all ssh connections are producing the
> following syslog errors:
> 
> Dec  2 06:28:23 lothlorien systemd: PAM unable to dlopen(pam_unix.so): /lib/security/pam_unix.so: cannot open shared object file: No such file or directory
> Dec  2 06:28:23 lothlorien systemd: PAM adding faulty module: pam_unix.so
> Dec  2 06:28:23 lothlorien sshd[20758]: pam_systemd(sshd:session): Failed to create session: Start job for unit user at 999.service failed with 'failed'
> Dec  2 06:28:23 lothlorien systemd[20760]: PAM failed: Authentication failure
> Dec  2 06:28:23 lothlorien systemd[20760]: user at 999.service: Failed to set up PAM session: Operation not permitted
> Dec  2 06:28:23 lothlorien systemd[20760]: user at 999.service: Failed at step PAM spawning /lib/systemd/systemd: Operation not permitted
> Dec  2 06:28:23 lothlorien systemd[1]: user at 999.service: Failed with result 'protocol'.
> Dec  2 06:28:23 lothlorien systemd[1]: Failed to start User Manager for UID 999.
> 
> I'm fairly confused by this, and I'm not sure whether to blame systemd or
> libpam or some other component.  Obviously, the problem is that for some
> reason it's trying to load /lib/security/pam_unix.so instead of the correct
> multiarch path of /lib/x86_64-linux-gnu/security/pam_unix.so (which does
> exist), but I have no idea why on earth it's doing that, or why this would
> have changed with the upgrade.
> 
> The ssh connection does successfully continue, but I suspect that's because
> I'm not relying on anything provided by the user session at the moment.
> 
> Everything else about PAM on this system is working fine; only systemd's
> user.service seems to be having problems.

systemd-logind.service was locked down further in v235. A diff of
systemd-logind.service shows:

+LockPersonality=yes
+IPAddressDeny=any


I'm not entirely sure if that is related, but you might try commenting
those two lines out in /lib/systemd/system/systemd-logind.service and
see if that makes a difference.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20171202/73752f9e/attachment-0002.sig>

More information about the Pkg-systemd-maintainers mailing list