# PAM + jail root suddenly (after upgrade?) does not play nice

## nixscripter

I have an AMD64 box without multilib. It runs one 32-bit application in a jail root (long story). It was working until I changed to a hardened kernel (2.6.34-hardened-r6).

When I try to start it with a custom init script, I get this:

```
# /etc/init.d/boinc-x86 start
 * Starting BOINC client (i686-pc-linux-gnu) ...
 * start-stop-daemon: pam error: Critical error - immediate abort         [ !! ]
```

The script itself is quite simple:

```
start() {
   ebegin "Starting BOINC client (i686-pc-linux-gnu)"
   [ -d "$BOINCROOT/boinc" ] ||
      (mkdir -p "$BOINCROOT/boinc" && \
       chown nobody:nobody "$BOINCROOT/boinc") || eend $?
   # jailroot preparations
   for i in dev proc; do mount --bind /$i "$BOINCROOT/$i"; done
   start-stop-daemon --start --quiet \
      --exec "$BOINCEXEC" \
      --chuid nobody:nobody \
      --chroot "$BOINCROOT" \
      --chdir "/boinc" \
      --background \
      -- --daemon $BOINCARGS
   eend $?
}
```

When I manually do the chroot command, it works fine. It's just start-stop-daemon that is complaining.

What's going on?

Last edited by nixscripter on Thu Dec 30, 2010 6:14 pm; edited 1 time in total

----------

## Sadako

It works fine under a non-hardened kernel, with the exact same setup?

Presuming you have the required kernel options selected, start disabling /proc/sys/kernel/grsecurity/chroot_* one by one and see which one (if any) will allow your script to run when disabled.

----------

## Hu

Also, check the output of dmesg after a failure.  For some types of failures, the GRsecurity patch will log that it blocked an action, which might give you a hint about which chroot options are involved.

----------

## nixscripter

Ah, answers. Sorry, been busy for Xmas.

 *Hu wrote:*   

> Also, check the output of dmesg after a failure.  For some types of failures, the GRsecurity patch will log that it blocked an action, which might give you a hint about which chroot options are involved.

 

I did. Nothing. That's why I was perplexed.

 *Sadako wrote:*   

> It works fine under a non-hardened kernel, with the exact same setup?
> 
> Presuming you have the required kernel options selected, start disabling /proc/sys/kernel/grsecurity/chroot_* one by one and see which one (if any) will allow your script to run when disabled.

 

Ah, so you can disable them manually through sysfs. Didn't know that.

I'll try it when I get back home in a day or two, and post back.

Last edited by nixscripter on Tue Dec 28, 2010 8:35 pm; edited 1 time in total

----------

## nixscripter

Okay, I tried it:

```
for i in /proc/sys/kernel/grsecurity/chroot_*; do echo 0 >$i; done
```

It still won't run. (And I undid that after, of course.)

----------

## Hu

Try running it under dev-util/strace to check for any suspicious looking system call errors.

----------

## nixscripter

I did when I was looking for which chroot flag to turn off. It seems pretty unreadable. I cannot see where anything bad happens.

Here is the subprocess that prints the PAM error message (init scripts do a lot of them), which is the start-stop daemon process. I don't see how it runs the BOINC process at all:

```
[pid  6540] clone(Process 6541 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x337097779d0) = 6541
[pid  6541] umask(022 <unfinished ...>
[pid  6541] <... umask resumed> )       = 022
[pid  6541] open("/dev/tty", O_RDWR <unfinished ...>
[pid  6541] <... open resumed> )        = 3
[pid  6541] open("/dev/null", O_RDWR <unfinished ...>
[pid  6541] <... open resumed> )        = 4
[pid  6541] chroot("/var/boinc/jailroot" <unfinished ...>
[pid  6541] <... chroot resumed> )      = 0
[pid  6541] chdir("/boinc" <unfinished ...>
[pid  6541] <... chdir resumed> )       = 0
[pid  6541] stat("/etc/pam.d", 0x3a985bfa080) = -1 ENOENT (No such file or directory)
[pid  6541] open("/etc/pam.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  6541] time([1293663185])          = 1293663185
[pid  6541] open("/etc/localtime", O_RDONLY <unfinished ...>
[pid  6541] <... open resumed> )        = 5
[pid  6541] fstat(5,  <unfinished ...>
[pid  6541] <... fstat resumed> {st_mode=S_IFREG|0644, st_size=2294, ...}) = 0
[pid  6541] fstat(5, {st_mode=S_IFREG|0644, st_size=2294, ...}) = 0
[pid  6541] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid  6541] <... mmap resumed> )        = 0x33709775000
[pid  6541] read(5,  <unfinished ...>
[pid  6541] <... read resumed> "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2294
[pid  6541] lseek(5, -1457, SEEK_CUR)   = 837
[pid  6541] read(5, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1457
[pid  6541] close(5)                    = 0
[pid  6541] munmap(0x33709775000, 4096 <unfinished ...>
[pid  6541] <... munmap resumed> )      = 0
[pid  6541] socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0 <unfinished ...>
[pid  6541] <... socket resumed> )      = 5
[pid  6541] connect(5, {sa_family=AF_FILE, path="/dev/log"}, 110 <unfinished ...>
[pid  6541] <... connect resumed> )     = -1 EPROTOTYPE (Protocol wrong type for socket)
[pid  6541] close(5 <unfinished ...>
[pid  6541] <... close resumed> )       = 0
[pid  6541] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0 <unfinished ...>
[pid  6541] <... socket resumed> )      = 5
[pid  6541] connect(5, {sa_family=AF_FILE, path="/dev/log"}, 110 <unfinished ...>
[pid  6541] <... connect resumed> )     = 0
[pid  6541] sendto(5, "<83>Dec 29 16:53:05 start-stop-d"..., 92, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid  6541] <... sendto resumed> )      = 92
[pid  6541] time([1293663185])          = 1293663185
[pid  6541] sendto(5, "<83>Dec 29 16:53:05 start-stop-d"..., 84, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid  6541] <... sendto resumed> )      = 84
[pid  6541] close(5 <unfinished ...>
[pid  6541] <... close resumed> )       = 0
[pid  6541] time([1293663185])          = 1293663185
[pid  6541] socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5
[pid  6541] connect(5, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
[pid  6541] close(5)                    = 0
[pid  6541] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
[pid  6541] connect(5, {sa_family=AF_FILE, path="/dev/log"}, 110 <unfinished ...>
[pid  6541] <... connect resumed> )     = 0
[pid  6541] sendto(5, "<27>Dec 29 16:53:05 /etc/init.d/"..., 112, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid  6541] <... sendto resumed> )      = 112
[pid  6541] close(5 <unfinished ...>
[pid  6541] <... close resumed> )       = 0
[pid  6541] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS <unfinished ...>
[pid  6541] <... ioctl resumed> , 0x3a985bf9e90) = -1 ENOTTY (Inappropriate ioctl for device)
[pid  6541] write(2, "\n", 1)           = 1
[pid  6541] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS <unfinished ...>
[pid  6541] <... ioctl resumed> , 0x3a985bf9e80) = -1 ENOTTY (Inappropriate ioctl for device)
[pid  6541] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS <unfinished ...>
[pid  6541] <... ioctl resumed> , 0x3a985bf9e80) = -1 ENOTTY (Inappropriate ioctl for device)
[pid  6541] write(2, " * ", 3 *  <unfinished ...>
[pid  6541] <... write resumed> )       = 3
[pid  6541] write(2, "start-stop-daemon: pam error: Cr"..., 62start-stop-daemon: pam error: Critical error - immediate abort <unfinished ...>
[pid  6541] <... write resumed> )       = 62
[pid  6541] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS <unfinished ...>
[pid  6541] <... ioctl resumed> , 0x3a985bf9e90) = -1 ENOTTY (Inappropriate ioctl for device)
[pid  6541] write(2, "\n", 1
[pid  6541] <... write resumed> )       = 1
[pid  6541] exit_group(1)               = ?
Process 6541 detached
```

----------

## Hu

 *nixscripter wrote:*   

> I did when I was looking for which chroot flag to turn off. It seems pretty unreadable. I cannot see where anything bad happens.
> 
> ```
> [pid  6541] stat("/etc/pam.d", 0x3a985bfa080) = -1 ENOENT (No such file or directory)
> ...
> ```

PAM does not react well to being unable to read its configuration files.  Disable use of PAM in the chroot'd process or provide it with configuration files it can use.
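
The reading of the trace described above can be automated. This is an added example, not code from the thread or from any participant: it lists every path a traced process failed to find (`ENOENT`) after its own successful `chroot()`, rewritten to the host-side location where the file would have to exist. The function names are this example's own, it assumes the `[pid N]` prefix format shown in the trace above, and the sample is a few lines copied from that trace plus one constructed pre-chroot line.

```shell
#!/bin/sh
# Added example (not from the thread): report files that a traced process
# could not find after its own successful chroot(), using strace -f output.

# Reads strace output on stdin (or from files given as arguments) and prints
# one line per failed lookup: "<pid> <syscall> <host-side path>".
# Limitation: a child that inherits a chroot from its parent is not tracked.
missing_after_chroot() {
    awk '
    {
        # Split the "[pid  NNNN] " prefix that strace -f adds from the call.
        pid = "-"; line = $0
        if (match(line, /^\[pid +[0-9]+\] /)) {
            n = RLENGTH
            pid = substr(line, 1, n); gsub(/[^0-9]/, "", pid)
            line = substr(line, n + 1)
        }
    }
    # First half of a call that strace split in two: hold it per pid.
    line ~ /<unfinished \.\.\.> *$/ {
        sub(/ *<unfinished \.\.\.> *$/, "", line)
        pending[pid] = line
        next
    }
    # Second half: glue it back onto the held first half.
    line ~ /^<\.\.\. [a-z0-9_]+ resumed>/ {
        sub(/^<\.\.\. [a-z0-9_]+ resumed> ?/, "", line)
        line = pending[pid] line
        delete pending[pid]
    }
    # A chroot() that returned 0 puts this pid inside the jail.
    line ~ /^chroot\("/ && line ~ /\) += 0 *$/ {
        match(line, /"[^"]*"/)
        jail[pid] = substr(line, RSTART + 1, RLENGTH - 2)
        next
    }
    # Any later ENOENT from that pid is a path missing inside the jail.
    (pid in jail) && line ~ / = -1 ENOENT / && match(line, /"[^"]*"/) {
        path = substr(line, RSTART + 1, RLENGTH - 2)
        call = substr(line, 1, index(line, "(") - 1)
        where = (path ~ /^\//) ? jail[pid] path : "cwd-relative:" path
        print pid, call, where
    }
    ' "$@"
}

# Sample input. The first line is constructed (a lookup that fails BEFORE the
# chroot and must be ignored); the rest is copied from the trace in the thread.
sample_trace() {
    cat <<'EOF'
[pid  6541] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  6541] open("/dev/null", O_RDWR <unfinished ...>
[pid  6541] <... open resumed> )        = 4
[pid  6541] chroot("/var/boinc/jailroot" <unfinished ...>
[pid  6541] <... chroot resumed> )      = 0
[pid  6541] chdir("/boinc" <unfinished ...>
[pid  6541] <... chdir resumed> )       = 0
[pid  6541] stat("/etc/pam.d", 0x3a985bfa080) = -1 ENOENT (No such file or directory)
[pid  6541] open("/etc/pam.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  6541] open("/etc/localtime", O_RDONLY <unfinished ...>
[pid  6541] <... open resumed> )        = 5
EOF
}

sample_trace | missing_after_chroot
```

Both reported paths sit under the jail root, which is where the PAM lookups land once `start-stop-daemon` has already called `chroot()`.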

----------

## nixscripter

Okay, two things.

First, I went back to the way things were, with the non-hardened kernel. It didn't work. My new guess is that an upgrade of PAM closed some hole or other, and that broke it. I should change the title of this post.

Second, after playing around with it -- enabling debugging, putting config files in the jailroot, and doing library tricks -- this is the message I get in auth.log after a run:

```
Dec 30 11:29:01 mybox start-stop-daemon: PAM no modules loaded for `start-stop-daemon' service
```

And then it bombs out with a new error: 

```
start-stop-daemon: pam error: Permission denied
```

All I have in the jailroot/etc/pam.conf (which it opens after the chroot) is this: 

```
start-stop-daemon   auth   sufficient   pam_permit.so
```

If I could turn PAM off for just this init script, I'd love to know how.

----------

## nixscripter

Happy New Year, and bump.

----------

## r_pns

I have had a similar issue for a long time.

With PAM-enabled openrc I run the following code in a custom init script

```
start-stop-daemon --start \
        --env HOME=${MLDONKEY_DIR} \
        --chroot ${CHROOT} \
        --pidfile ${MLDONKEY_PID}  --make-pidfile \
        --user ${MLDONKEY_USER} \
        --nice ${NICE} \
        --exec ${MLDONKEY_BINARY}
```

and get

```
start-stop-daemon: pam error: Critical error - immediate abort
```

Strace gives innocent-looking output

```
 * Starting mldonkey-chroot ...execve("/sbin/start-stop-daemon", ["start-stop-daemon", "--start", "--env", "HOME=/home/mldonkey", "--chroot", "/p2p", "--pidfile", "/var/run/mldonkey.pid", "--make-pidfile", "--user", "mldonkey", "--nice", "19", "--exec", "/usr/bin/mlnet"], [/* 58 vars */]) = 0

brk(0)                                  = 0x143c000

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde694000

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/lib64/tls/x86_64/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib64/tls/x86_64", 0x7fff23ff6760) = -1 ENOENT (No such file or directory)

open("/lib64/tls/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib64/tls", 0x7fff23ff6760)      = -1 ENOENT (No such file or directory)

open("/lib64/x86_64/libutil.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)

stat("/lib64/x86_64", 0x7fff23ff6760)   = -1 ENOENT (No such file or directory)

open("/lib64/libutil.so.1", O_RDONLY)   = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=10464, ...}) = 0

mmap(NULL, 2105608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bde272000

mprotect(0x7f6bde274000, 2093056, PROT_NONE) = 0

mmap(0x7f6bde473000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6bde473000

close(3)                                = 0

open("/lib64/librc.so.1", O_RDONLY)     = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`*\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=51560, ...}) = 0

mmap(NULL, 2146808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bde065000

mprotect(0x7f6bde070000, 2097152, PROT_NONE) = 0

mmap(0x7f6bde270000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6bde270000

close(3)                                = 0

open("/lib64/libeinfo.so.1", O_RDONLY)  = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\24\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=22664, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde693000

mmap(NULL, 2120696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdde5f000

mprotect(0x7f6bdde64000, 2093056, PROT_NONE) = 0

mmap(0x7f6bde063000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7f6bde063000

close(3)                                = 0

open("/lib64/libdl.so.2", O_RDONLY)     = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\17\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=14512, ...}) = 0

mmap(NULL, 2109720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bddc5b000

mprotect(0x7f6bddc5e000, 2093056, PROT_NONE) = 0

mmap(0x7f6bdde5d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f6bdde5d000

close(3)                                = 0

open("/lib64/libpam.so.0", O_RDONLY)    = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200(\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=55712, ...}) = 0

mmap(NULL, 2150936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdda4d000

mprotect(0x7f6bdda5a000, 2093056, PROT_NONE) = 0

mmap(0x7f6bddc59000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f6bddc59000

close(3)                                = 0

open("/lib64/libc.so.6", O_RDONLY)      = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\37\2\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=1588720, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde692000

mmap(NULL, 3699960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdd6c5000

mprotect(0x7f6bdd842000, 2097152, PROT_NONE) = 0

mmap(0x7f6bdda42000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17d000) = 0x7f6bdda42000

mmap(0x7f6bdda47000, 21752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6bdda47000

close(3)                                = 0

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=182299, ...}) = 0

mmap(NULL, 182299, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6bde665000

close(3)                                = 0

open("/lib64/libncurses.so.5", O_RDONLY) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240M\1\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=329424, ...}) = 0

mmap(NULL, 2426760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdd474000

mprotect(0x7f6bdd4c0000, 2093056, PROT_NONE) = 0

mmap(0x7f6bdd6bf000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4b000) = 0x7f6bdd6bf000

mmap(0x7f6bdd6c4000, 1928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6bdd6c4000

close(3)                                = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde664000

mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde662000

arch_prctl(ARCH_SET_FS, 0x7f6bde662720) = 0

mprotect(0x7f6bdd6bf000, 16384, PROT_READ) = 0

mprotect(0x7f6bdda42000, 16384, PROT_READ) = 0

mprotect(0x7f6bddc59000, 4096, PROT_READ) = 0

mprotect(0x7f6bdde5d000, 4096, PROT_READ) = 0

mprotect(0x7f6bde063000, 4096, PROT_READ) = 0

mprotect(0x7f6bde270000, 4096, PROT_READ) = 0

mprotect(0x7f6bde473000, 4096, PROT_READ) = 0

mprotect(0x61c000, 4096, PROT_READ)     = 0

mprotect(0x7f6bde695000, 4096, PROT_READ) = 0

munmap(0x7f6bde665000, 182299)          = 0

rt_sigaction(SIGINT, {0x407880, [], SA_RESTORER, 0x7f6bdd6fc210}, NULL, 8) = 0

rt_sigaction(SIGQUIT, {0x407880, [], SA_RESTORER, 0x7f6bdd6fc210}, NULL, 8) = 0

rt_sigaction(SIGTERM, {0x407880, [], SA_RESTORER, 0x7f6bdd6fc210}, NULL, 8) = 0

brk(0)                                  = 0x143c000

brk(0x145d000)                          = 0x145d000

socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3

connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

close(3)                                = 0

socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3

connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

close(3)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=508, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde691000

read(3, "# /etc/nsswitch.conf:\n# $Header:"..., 4096) = 508

read(3, "", 4096)                       = 0

close(3)                                = 0

munmap(0x7f6bde691000, 4096)            = 0

open("/lib64/libnss_compat.so.2", O_RDONLY) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\25\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=35528, ...}) = 0

mmap(NULL, 2131304, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdd26b000

mprotect(0x7f6bdd273000, 2093056, PROT_NONE) = 0

mmap(0x7f6bdd472000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f6bdd472000

close(3)                                = 0

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=182299, ...}) = 0

mmap(NULL, 182299, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6bde665000

close(3)                                = 0

open("/lib64/libnsl.so.1", O_RDONLY)    = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0L\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=101168, ...}) = 0

mmap(NULL, 2206440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdd050000

mprotect(0x7f6bdd067000, 2097152, PROT_NONE) = 0

mmap(0x7f6bdd267000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f6bdd267000

mmap(0x7f6bdd269000, 6888, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6bdd269000

close(3)                                = 0

mprotect(0x7f6bdd267000, 4096, PROT_READ) = 0

mprotect(0x7f6bdd472000, 4096, PROT_READ) = 0

munmap(0x7f6bde665000, 182299)          = 0

open("/lib64/libnss_nis.so.2", O_RDONLY) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`%\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=47512, ...}) = 0

mmap(NULL, 2143512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdce44000

mprotect(0x7f6bdce4f000, 2093056, PROT_NONE) = 0

mmap(0x7f6bdd04e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f6bdd04e000

close(3)                                = 0

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=182299, ...}) = 0

mmap(NULL, 182299, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6bde665000

close(3)                                = 0

open("/lib64/libnss_files.so.2", O_RDONLY) = 3

read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300&\0\0\0\0\0\0"..., 832) = 832

fstat(3, {st_mode=S_IFREG|0755, st_size=51528, ...}) = 0

mmap(NULL, 2148056, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6bdcc37000

mprotect(0x7f6bdcc43000, 2093056, PROT_NONE) = 0

mmap(0x7f6bdce42000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6bdce42000

close(3)                                = 0

mprotect(0x7f6bdce42000, 4096, PROT_READ) = 0

mprotect(0x7f6bdd04e000, 4096, PROT_READ) = 0

munmap(0x7f6bde665000, 182299)          = 0

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3

fcntl(3, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)

lseek(3, 0, SEEK_CUR)                   = 0

fstat(3, {st_mode=S_IFREG|0644, st_size=2935, ...}) = 0

mmap(NULL, 2935, PROT_READ, MAP_SHARED, 3, 0) = 0x7f6bde691000

lseek(3, 2935, SEEK_SET)                = 2935

munmap(0x7f6bde691000, 2935)            = 0

close(3)                                = 0

stat("/p2p//usr/bin/mlnet", {st_mode=S_IFREG|0755, st_size=6555024, ...}) = 0

open("/var/run/mldonkey.pid", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3

fcntl(3, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)

getdents(3, /* 223 entries */, 32768)   = 5768

getdents(3, /* 0 entries */, 32768)     = 0

close(3)                                = 0

unlink("/var/run/mldonkey.pid")         = -1 ENOENT (No such file or directory)

clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f6bde6629f0) = 24936

wait4(24936, 

 * start-stop-daemon: pam error: Critical error - immediate abort

[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 24936

--- {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=24936, si_status=1, si_utime=0, si_stime=0} (Child exited) ---

open("/etc/localtime", O_RDONLY)        = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=1464, ...}) = 0

fstat(3, {st_mode=S_IFREG|0644, st_size=1464, ...}) = 0

mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6bde691000

read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0\16\0\0\0\0"..., 4096) = 1464

lseek(3, -898, SEEK_CUR)                = 566

read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17\0\0\0\17\0\0\0\0"..., 4096) = 898

close(3)                                = 0

munmap(0x7f6bde691000, 4096)            = 0

getpid()                                = 24935

socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3

connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)

close(3)                                = 0

socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3

connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0

sendto(3, "<27>Nov 27 15:41:55 /etc/init.d/"..., 108, MSG_NOSIGNAL, NULL, 0) = 108

close(3)                                = 0

ioctl(2, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fff23ff47e0) = -1 ENOTTY (Inappropriate ioctl for device)

write(2, "\n", 1

)                       = 1

ioctl(2, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fff23ff47d0) = -1 ENOTTY (Inappropriate ioctl for device)

ioctl(2, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fff23ff47d0) = -1 ENOTTY (Inappropriate ioctl for device)

write(2, " * ", 3 * )                      = 3

write(2, "start-stop-daemon: failed to sta"..., 51start-stop-daemon: failed to start `/usr/bin/mlnet') = 51

ioctl(2, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fff23ff47e0) = -1 ENOTTY (Inappropriate ioctl for device)

write(2, "\n", 1

)                       = 1

exit_group(1)                           = ?

 [ !! ]

mldonkey-chroot | * ERROR: mldonkey-chroot failed to start

```

The last tried versions are 

```
sys-libs/pam-1.1.5  USE="berkdb cracklib nls vim-syntax -audit -debug -nis (-selinux) -test"
sys-auth/pambase-20101024  USE="(consolekit) cracklib sha512 -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc (-selinux)"
sys-apps/openrc-0.9.4  USE="ncurses pam unicode -debug (-selinux)"
sys-kernel/gentoo-sources-3.0.6
```

The relevant bug is bug 292632, wrongly marked as a duplicate of some other old obscure one. Please see it for the discussion.

I think that, as start-stop-daemon supports chrooting, it should be documented how to satisfy PAM requirements in a chrooted environment, or at least how to disable all the PAM stuff for a given daemon.

----------

