A colleague raised an issue today: on a CentOS 7 box, `su` took a very long time to complete, and the problem was handed over to me. I first checked the environment variables (.bashrc and the like) and ruled them out, so I guessed the PAM authentication stack was responsible and started digging there.
System: CentOS Linux release 7.2.1511 (Core)
Kernel: Linux CN-CMCC-GZ-GY-C1-250-141 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
While troubleshooting, I first pulled the logs and found the following (/var/log/messages):
Mar 23 19:51:27 cn-cmcc-gz-gy-c1-250-141 kernel: type=1100 audit(1490269887.426:12439910): pid=10710 uid=1000 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
Mar 23 19:51:27 cn-cmcc-gz-gy-c1-250-141 kernel: type=1101 audit(1490269887.427:12439911): pid=10710 uid=1000 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
Mar 23 19:51:27 cn-cmcc-gz-gy-c1-250-141 su: (to root) ultranetscan on pts/1
Mar 23 19:51:27 cn-cmcc-gz-gy-c1-250-141 kernel: type=1103 audit(1490269887.428:12439912): pid=10710 uid=1000 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
Mar 23 19:51:27 cn-cmcc-gz-gy-c1-250-141 kernel: type=1107 audit(1490269887.435:12439913): pid=946 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=10710 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus#012 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 23 19:51:57 cn-cmcc-gz-gy-c1-250-141 kernel: type=1105 audit(1490269917.455:12439914): pid=10710 uid=1000 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
In other words, at 19:51:27 there is an `avc: denied` record and the authentication fails; note that the thirty seconds between that denial (19:51:27) and the `PAM:session_open` record (19:51:57) is exactly where the delay sits. Searching online, everyone says this is a SELinux problem, but SELinux is definitely already disabled on this box, so I kept going (/var/log/secure):
Mar 23 19:51:57 cn-cmcc-gz-gy-c1-250-141 su: pam_systemd(su-l:session): Failed to create session: Connection reset by peer
Mar 23 19:51:57 cn-cmcc-gz-gy-c1-250-141 su: pam_unix(su-l:session): session opened for user root by ultranetscan(uid=1000)
Mar 23 19:54:47 cn-cmcc-gz-gy-c1-250-141 su: pam_unix(su-l:session): session closed for user root
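As an added example (not from the original post), here is a small Python script that parses kernel audit records of the kind shown above, attributes a dbus AVC denial to the sending process via its `spid`, and reports any pair of consecutive PAM stages of the same `su` process that are separated by more than a threshold. The sample lines are constructed from (and abbreviated versions of) the records in this post.

```python
import re

# Constructed sample input, abbreviated from the audit records in the post:
# authentication at .426, dbus Hello denied for spid=10710 at .435, session_open 30 s later.
SAMPLE_LOG = """\
Mar 23 19:51:27 host kernel: type=1100 audit(1490269887.426:12439910): pid=10710 uid=1000 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" res=success'
Mar 23 19:51:27 host kernel: type=1107 audit(1490269887.435:12439913): pid=946 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=10710 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus'
Mar 23 19:51:57 host kernel: type=1105 audit(1490269917.455:12439914): pid=10710 uid=1000 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="root" exe="/usr/bin/su" res=success'
"""

AUDIT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):\d+\):\s+pid=(?P<pid>\d+).*?msg='(?P<msg>.*)'$")
OP_RE = re.compile(r"op=PAM:(?P<op>\w+)")
SPID_RE = re.compile(r"\bspid=(?P<spid>\d+)")

def parse_audit(text):
    """Yield (timestamp, pid, op, msg) for each kernel audit record in `text`.
    An AVC denial is logged under dbus-daemon's pid, so it is re-attributed to the
    sending process (spid) to line it up with the su process's PAM records."""
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        ts, pid, msg = float(m.group("ts")), int(m.group("pid")), m.group("msg")
        if msg.startswith("avc: denied"):
            sp = SPID_RE.search(msg)
            yield ts, (int(sp.group("spid")) if sp else pid), "avc_denied", msg
        else:
            op = OP_RE.search(msg)
            yield ts, pid, (op.group("op") if op else "unknown"), msg

def pam_stage_gaps(text, threshold=5.0):
    """Return {pid: [(from_op, to_op, seconds), ...]} for consecutive events of one
    process that are more than `threshold` seconds apart."""
    by_pid = {}
    for ts, pid, op, _ in parse_audit(text):
        by_pid.setdefault(pid, []).append((ts, op))
    slow = {}
    for pid, events in by_pid.items():
        events.sort()
        for (t0, op0), (t1, op1) in zip(events, events[1:]):
            if t1 - t0 > threshold:
                slow.setdefault(pid, []).append((op0, op1, round(t1 - t0, 3)))
    return slow

if __name__ == "__main__":
    for pid, gaps in pam_stage_gaps(SAMPLE_LOG).items():
        for op0, op1, secs in gaps:
            print(f"pid {pid}: {op0} -> {op1} took {secs}s")
```

On the sample above it reports the single 30-second gap between the dbus denial and `session_open` for pid 10710, which is the delay the post is chasing.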
So during `su`, the pam_systemd session module is where the connection gets reset. I then looked at /etc/pam.d/su, which includes /etc/pam.d/system-auth, and that file references `-session optional pam_systemd.so`. The crude fix is simply to comment that line out:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so remember=5
session optional pam_keyinit.so revoke
session required pam_limits.so
#-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
This skips the pam_systemd session step entirely. I did not have time to dig into exactly why the pam_systemd session setup gets reset; I will look into the kernel code and track it down when I get a chance.