# gentoo-hardened broken shell stdin

## sergeev917

Hi, everyone!

For some time I've encountered a problem with a gentoo server running hardened profile and stuff, now I finally got time to dive myself into it.

The problem shows itself in this way:

```

srv ~ # newrole -r sysadm_r

Password: 

srv ~ # /etc/init.d/nginx status

Authenticating root.

Password: 

 * status: started

srv ~ # /etc/init.d/nginx status

Authenticating root.

Password: 

 * Authentication failed for root

```

Logs:

```

openrc-run[24882]: pam_unix(run_init:auth): conversation failed

openrc-run[24882]: pam_unix(run_init:auth): auth could not identify password for [root]

```

What I've discovered so far -- authentication process works until it has succeded once. Then it does not work anymore until the session end and a new newrole invokation. Using strace over failed commands I've found out that the root of this problem is somewhat interesting. The actual read() system call fails:

```

write(2, "Password: ", 10)        = 10

read(0, BUF_PTR, 511)       = -1 EAGAIN (Resource temporarily unavailable)

```

Seems like pseudo-terminal is broken for new child processes:

```

srv ~ # read x

bash: read: read error: 0: Resource temporarily unavailable

```

And it looks like the problem of all this is inside pam & run_init; given I enable the following line in /etc/pam.d/run_init:

```

auth       sufficient   pam_rootok.so

```

I have everything working, but without password prompts and I would rather have them stay. Shown manipulations are made on the system in permissive selinux mode, so I don't think the problem is from this part.

Are there any ideas about how to tackle this further and where the source of the problem could be?

--

PTY manipulations are coming from run_init and open_init_pty binaries from sys-apps/policycoreutils; I have version 2.6-r1 with +pam -audit -dbus.

----------

## bunder

(i had posted this earlier but removed it as i wasn't sure what run_init was from, i use grsec instead of selinux)

there are a few pam scripts that use the "root ok" mechanism (like su), i don't necessarily think it's pam's fault, but something sure doesn't seem right there.

----------

