Test fails when builder's UID != GID, specifically test-pam, test-pam-noauth

Description of problem:

When the uid# and gid# of the build account differ, make check fails on test-pam and test-pam-noauth.

make check TESTS="test-pam test-pam-noauth" VERBOSE=1

FAIL: test-pam
==============

Testing PAM backend with username-password...
PWRAP_DEBUG[<unknown> (661421)] - pwrap_init: Initialize pam_wrapper
PWRAP_TRACE[<unknown> (661421)] - pwrap_init: pam_wrapper config dir: /tmp/pam.m
PWRAP_TRACE[<unknown> (661421)] - pwrap_init: Using libpam path: /usr/lib/libpam.so.0
PWRAP_DEBUG[<unknown> (661421)] - copy_confdir: Copy config files from ./pam.661395.tmp/ to /tmp/pam.m
PWRAP_TRACE[<unknown> (661421)] - copy_ftw: Copying ./pam.661395.tmp/users.oath
PWRAP_TRACE[<unknown> (661421)] - copy_ftw: Copying ./pam.661395.tmp/passdb
PWRAP_TRACE[<unknown> (661421)] - copy_ftw: Copying ./pam.661395.tmp/ocserv
PWRAP_TRACE[<unknown> (661421)] - copy_ftw: Copying ./pam.661395.tmp/nss-passwd
PWRAP_TRACE[<unknown> (661421)] - copy_ftw: Copying ./pam.661395.tmp/nss-group
PWRAP_DEBUG[<unknown> (661421)] - pwrap_init: Successfully initialized pam_wrapper
warning: skipping unknown option 'cookie-validity'
note: vhost:default: setting 'pam' as primary authentication method
note: setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:64028...
listening (TCP) on [::]:64028...
listening (UDP) on 0.0.0.0:64028...
listening (UDP) on [::]:64028...
ocserv[661422]: sec-mod: reading supplemental config from files
ocserv[661422]: sec-mod: could not chown socket './ocserv-socket.434f19bb.0': Operation not permitted
ocserv[661422]: sec-mod: sec-mod initialized (socket: ./ocserv-socket.434f19bb.0)

Connecting with wrong password...
PWRAP_TRACE[<unknown> (661427)] - pwrap_init: Check if pam_wrapper dir /tmp/pam.s is a stale directory
PWRAP_TRACE[<unknown> (661427)] - pwrap_clean_stale_dirs: Remove stale pam_wrapper dir: /tmp/pam.s
PWRAP_TRACE[<unknown> (661427)] - p_rmdirs_at: p_rmdirs_at removing /tmp/pam.s at CWD

PWRAP_TRACE[<unknown> (661427)] - pwrap_init: Check if pam_wrapper dir /tmp/pam.t is a stale directory
PWRAP_TRACE[<unknown> (661427)] - pwrap_clean_stale_dirs: Remove stale pam_wrapper dir: /tmp/pam.t
PWRAP_TRACE[<unknown> (661427)] - p_rmdirs_at: p_rmdirs_at removing /tmp/pam.t at CWD

PWRAP_DEBUG[<unknown> (661427)] - pwrap_init: Initialize pam_wrapper
PWRAP_TRACE[<unknown> (661427)] - pwrap_init: pam_wrapper config dir: /tmp/pam.u
PWRAP_TRACE[<unknown> (661427)] - pwrap_init: Using libpam path: /usr/lib/libpam.so.0
PWRAP_DEBUG[<unknown> (661427)] - copy_confdir: Copy config files from ./pam.661395.tmp/ to /tmp/pam.u
PWRAP_TRACE[<unknown> (661427)] - copy_ftw: Copying ./pam.661395.tmp/users.oath
PWRAP_TRACE[<unknown> (661427)] - copy_ftw: Copying ./pam.661395.tmp/passdb
PWRAP_TRACE[<unknown> (661427)] - copy_ftw: Copying ./pam.661395.tmp/ocserv
PWRAP_TRACE[<unknown> (661427)] - copy_ftw: Copying ./pam.661395.tmp/nss-passwd
PWRAP_TRACE[<unknown> (661427)] - copy_ftw: Copying ./pam.661395.tmp/nss-group
PWRAP_DEBUG[<unknown> (661427)] - pwrap_init: Successfully initialized pam_wrapper
warning: skipping unknown option 'cookie-validity'
note: vhost:default: setting 'pam' as primary authentication method
ocserv[661422]: sec-mod: received unauthorized request from pid 661427 and uid 1001
ocserv[661422]: sec-mod: rejected unauthorized connection
note: setting 'file' as supplemental config option
ocserv[661422]: sec-mod: received unauthorized request from pid 661427 and uid 1001
ocserv[661422]: sec-mod: rejected unauthorized connection
ocserv[661427]: common/common.c:701: recvmsg: Connection reset by peer
ocserv[661427]: error receiving sec-mod reply: Connection reset by peer
ocserv[661427]: GnuTLS error (at worker-vpn.c:861): GnuTLS internal error.
PWRAP_TRACE[<unknown> (661427)] - pwrap_destructor: entering pwrap_destructor
PWRAP_TRACE[<unknown> (661427)] - pwrap_destructor: destructor called for pam_wrapper dir /tmp/pam.u
PWRAP_TRACE[<unknown> (661427)] - p_rmdirs_at: p_rmdirs_at removing /tmp/pam.u at CWD

Version of ocserv used:

1.1.4 (but git HEAD still seems to have the same problem)

Distributor of ocserv:

Fedora EPEL on Rocky Linux 9

How reproducible:

always

Describe the steps to reproduce the issue:

  • Create a build account with uid != gid, e.g. kabe:x:1001:10::/home/kabe:/bin/bash
  • Build: ./configure --prefix="/usr" && make -j4
  • Test: make check TESTS="test-pam test-pam-noauth" VERBOSE=1

Actual results:

FAIL of pam-test and pam-test-noauth

Expected results:

all tests pass