PAM dlerror: /lib/security/pam_plesk.so

[phatPhrog]

Since updating our CENTOS 4.2/Plesk 8 box we are now receiving the following errors in our messages and secure logs.

These are only examples, we are getting hundreds of these per day.

Any help resolving this would be appreciated.

Jun 4 02:35:01 u15198763 crond[20391]: PAM unable to dlopen(/lib/security/pam_plesk.so)
Jun 4 02:35:01 u15198763 crond[20391]: PAM [dlerror: /lib/security/pam_plesk.so: cannot enable executable stack as shared object requires: Permission denied]

PAM [dlerror: /lib/security/pam_plesk.so: cannot enable executable stack as shared object requires: Permission denied]
PAM adding faulty module: /lib/security/pam_plesk.so

Current permissions are:
1096 -rwxr-xr-x 1 root root 1116671 Mar 31 02:00 pam_plesk.so

Thank you for your help.

 

[troymc]

I have this same problem. The permission to start with were

-rw-r--r-- 1 root root 1116671 Mar 31 02:00 pam_plesk.so

and I updated them to be

-rwxr-xr-x 1 root root 1116671 Mar 31 02:00 pam_plesk.so

and I am still getting the messages too.

 

[phatPhrog]

PAM dlerror: /lib/security/pam_plesk.so FOLLOW-UP

troymc, I guess we're on our own here. Neither Sw-Soft nor CENTOS has netted any positive feedback or a FIX for this.

CENTOS says it's a Plesk problem and SW-Soft doesn't respond to help requests.

At least with Fedora problems could be resolved...

Will let you know if I can find anyone willing to aid in the fix.

 

[Griffith]

I did a search and found this:
http://www.howtoforge.com/forums/showthread.php?t=196&page=2

Create /etc/pam.d/ftp with this:

#%PAM-1.0
auth    required        pam_unix.so     nullok
account required        pam_unix.so
session required        pam_unix.so

I have NOT tested this, but seems to be sort of the same? If someone tests it please report if it makes any difference...

 

[phatPhrog]

Don't be insulted by my query....but....are you a SW-Soft employee/tech support rep?

Your help is a start to helping, but it would be nice to know someone has tested this on a non-production server before offering it as a proposed fix.

Again, Thanks for the help, but there are those that would blindly follow your direction without knowing or taking into account the consequences.

We use 1and1 servers . . . and as everyone knows, 1and1 does not use global configurations that all updates can be applied, expecially for those that don't know how to modify the 1and1 configurations.

 

[Griffith]

I haven't tested it myself, and I hope people test it on a testserver first.

 

[phatPhrog]

Just didn't want folks coming back yelling at ya. LOL

You know HOW grateful people can be.....just look at some of my posts.

 

[phatPhrog]

cross-post NOT INTENDED, but no one else will...

In reference to PAM dlopen, dlerror I am not intentionally cross-posting, but there are two and only two post on this entire forum pertaining to Plesk 8 and/or CENTOS so we need to join them since support is limited to a few!!

Posting this to all current posts relating to PSA8 in recent days:

http://forum.swsoft.com/showthread.php?s=&threadid=33493&highlight=PAM+dlerror

I'm still looking at it, but it seems turning off mailman and/or disabling mailing lists for each client has resulted in the PAM....pam_plesk.so errors going away.

Not sure just yet, only know the messages and secure logs no longer reflect PAM errors.

Will continue to update on our progress.

 

[atomicturtle]

Noexec strikes again. This is really a glibc problem, so the blame lies with Redhat. Basically its the diet-coke version of what we're using in ASL with PaX, except its all "opt-in", and doesnt work very well. Try running:

execstack -c /lib/security/pam_plesk.so

Let me know if that also happens on an ASL kernel, and I'll add that in to the RPM.

 

[phatPhrog]

PAM pam_plesk ASL

Yes it is happening with ASL. I am running 2.6.14-4.artsmp.

 

[phatPhrog]

PAM

After running execstack -c /lib/security/pam_plesk.so the following errors in the /var/log/messages

Jun 9 09:48:18 u15198763 proftpd[2512]: SERVERNAME (IP) - PAM(setcred): System error
Jun 9 09:48:18 u15198763 proftpd[2512]: SERVERNAME (IP) - PAM(close_session): System error

Jun 9 09:11:59 SERVERNAME kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:19265] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:4324] uid/euid:0/0 gid/egid:0/0
Jun 9 09:12:00 SERVERNAME kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:19265] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:4324] uid/euid:0/0 gid/egid:0/0
Jun 9 09:12:00 SERVERNAME kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:15945] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:4324] uid/euid:0/0 gid/egid:0/0
Jun 9 09:12:00 SERVERNAME kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:2235] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:4324] uid/euid:0/0 gid/egid:0/0
Jun 9 09:12:00 SERVERNAME kernel: grsec: signal 11 sent to /usr/sbin/httpd[httpd:15945] uid/euid:48/48 gid/egid:48/48, parent /usr/sbin/httpd[httpd:4324] uid/euid:0/0 gid/egid:0/0
Jun 9 09:12:00 SERVERNAME kernel: grsec: more alerts, logging disabled for 10 seconds

 

[troymc]

phatPhrog, did you ever get this completely resolved? Are you still getting those errors after executing execstack -c /lib/security/pam_plesk.so?

 

[phatPhrog]

pam_plesk.so

No. After running execstack -c /lib/security/pam_plesk.so, more errors cropped up and no one from SW-Soft, CENTOS or otherwise had any remedy, so we opted out. We reverted to a FC4/PSA 8 server.

Perhaps we will try again when CENTOS 4.3 is support by PSA.

Sorry.

 

[troymc]

Do you know what kind of problems this could cause? Does it only affect users setup through Plesk that need shell access?

 

[pmedeiros]

Hi,

I'm also using art's kernel (2.6.11-9.artsmp) on a 7.5.4 plesk box with CentOS 4.3

The message [...]PAM unable to dlopen(/lib/security/pam_plesk.so)[...] does not apear on this box, but on a test server with plesk 8.0.1 (upgraded from 8.0.0), it does. The problem desapears if i run "execstack -c /lib/security/pam_plesk.so".

Other problems, on this boxes (both 7.5.4 and 8.0.1):
- On Service management (plesk CP), the services that look disabled are "SMTP Server (QMail)" and "Dr.Web antivirus"... the smtp service is running and working great, but the dr.web service does not
- Error on Dr.Web:
[...]
Starting up DrWeb(R) daemon: Dr.Web (R) daemon for Linux/Plesk Edition, version 4.32.2 (2004-11-01)
Copyright (c) Igor Daniloff, 1992-2004
Doctor Web Ltd., Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com

mprotect(): 13 (Permission denied)
[FAILED]
[...]

Any ideas in how to solve this ?

Thanks

Paulo

 

[pmedeiros]

Well ... new error at 8.0.1 box, at /var/log/httpd/error.log:
[...]
Failed loading /usr/local/Zend/lib/ZendExtensionManager.so: /usr/local/Zend/lib/ZendExtensionManager.so: cannot enable executable stack as shared object requires: Permission denied
[...]

;-)

PS: Still to test on 7.5.4, if it is ok

 

[pmedeiros]

Yep,

With ASL kernel the Zend error persists ... and a new error (not previoully mentioned):
[...]
[Thu Jun 22 16:16:36 2006] [error] Incorrect permissions on stub "/usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe" in FrontPageCheckup(). Until this problem is fixed, the FrontPage security patch is disabled and the FrontPage extensions may not work correctly.
[...]

Ideas wanted... please

 

[atomicturtle]

In reference to the dr. web users, try using the asl-testing version, specifically the gradm rpm. Thats where I put all the various checks and fixes for these little issues.