security-misc pam-info broken pipe bug

Clean Kicksecure morphed to Debian, on the login screen I see:

/usr/libexec/security-misc/pam-info: line 91: echo: write error: Broken pipe.

Happens when closing the lid without locking the screen first.

1 Like

The only bad effect so far is the textual output (which is considered a bug)?
But login otherwise functional?

I wonder how this can happen.

Is faillock installed? To check:

sudo which faillock

Which Kicksecure meta package did you install?

Yes and yes.

Yes, installed.

/usr/sbin/faillock.

Solely kicksecure-cli-host

Perhaps kicksecure-xfce-host is required?

1 Like

please change name from pip to pipe for search reasons.
Can’t edit anymore.

1 Like

I’ll be adding more debug information to the script.

Ok.

Nope. If it was, that would be confusing and a bug.

1 Like

Added a debug option to the script just now:


May or may not be related:

++ grep accessfile=/etc/security/access-security-misc.conf /etc/pam.d/common-acc
ount
+ grep_result=
+ '[' '!' '' = '' ']'
++ id -u
+ '[' '!' 0 = 0 ']'
++ faillock --user user
+ pam_faillock_output='user:
When                Type  Source                                           Valid
'
+ '[' 'user:
When                Type  Source                                           Valid
' = '' ']'
++ head -1
++ echo 'user:
When                Type  Source                                           Valid
'
/usr/libexec/security-misc/pam-info: line 97: echo: write error: Broken pipe
+ pam_faillock_output_first_line=user:
++ LANG=C
++ str_replace : ''
++ echo user:
+ user_name=user
++ echo 'user:
When                Type  Source                                           Valid'
++ wc -l
+ pam_faillock_output_count=2
+ failed_login_counter=0
+ '[' '!' user = user ']'
+ '[' 0 = 0 ']'
+ true '/usr/libexec/security-misc/pam-info: INFO: Failed login counter is 0, ok.'
+ exit 0

I cannot reproduce this bash error when I copy/paste that. Perhaps some invisible character such as a tab.

However that might be, I refactored above script. Using a different method to get the first line now. Could you try please?

Is this the last commit from 7h ago?
09e6af5c080f776d56d7e2390f88c4ae7e01bdb7

Yes.

(But there have been a number of commits. Not only that one.)

Couldn’t reproduce again, so made a test.

How to reproduce broken pipe:

$ set -o pipefail
$ v=$(cat /usr/share/keyrings/derivative.asc)
$ echo "$v" | head -1
-----BEGIN PGP PUBLIC KEY BLOCK-----
$ echo $?
141
$ echo 141-128 | bc
13
$ kill -l 13
PIPE

Shell exiting with unhandle signal returns exit code 128+signum.

On a last note, pipes must have a reader and a writer. If a process tries to write to a pipe that has no reader, it will be sent the SIGPIPE signal from the kernel. This is imperative when more than two processes are involved in a pipeline.

The reader head closes when it founds its first match, but echo continues to write data to a pipe that doesn’t have a reader anymore, so the kernel sends the pipe signal for the command to stop.

The above bug does not affect the program, just the visual.
I believe: /usr/libexec/security-misc/pam-info: line 97: echo: write error: Broken pipe came from an ERR trap because pipefail is set. If pipefail is not set, the error doesn’t appear.

If you want to keep pipefail but avoid sig pipe on individual cases, you can do so by not closing the reader (this can be a long process when dealing with a large enough data sent by the writer):

$ echo "$v" | while IFS=\n read -r user; do [ ! $i ] && echo $user; i=1; done

or in the script case:

$ pam_faillock_output_first_line="$(echo "$pam_faillock_output" | while IFS=\n read -r line; do [ ! $i ] && echo $line; i=1; done)"

I know it doesn’t look pretty, but it solves the individual case while keeping pipefail for other reasons.

1 Like

I haven’t encountered problems with security-misc/pam-info at 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 · Kicksecure/security-misc · GitHub though.

1 Like