I am developing a new PAM module on Monterey [12.6], where I have a dynamic library [.so file] (it uses the external curl and openssl libraries) which is referenced from PAM.
More specifically, this is a setup to allow multi-factor authentication to be used for all authentication. It simply calls some APIs.
When I added this module for sudo authentication in the /etc/pam.d/sudo file as
auth sufficient /usr/local/lib/security/pam_google_authenticator.so
It logs "Library Validation failed: Rejecting 'pam_google_authenticator.so' (Team ID: XXXXXXX, platform: no) for process 'sudo(2498)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not", but it still loads my PAM module and everything works fine.
But when I added this module for the lock screen to /etc/pam.d/screensaver in the same way, it logs "Library Validation failed: Rejecting 'pam_google_authenticator.so' (Team ID: XXXXXXXX, platform: no) for process 'loginwindow(15839)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not" and takes me back to the login window [not the sleep window].
I have code signed pam_google_authenticator.so with
codesign --force --deep --sign "Developer ID Application: --------------(XXXXXXX)" /usr/local/lib/security/pam_google_authenticator.so
For your reference, here are the logs from the Console app crash report:
System Integrity Protection: enabled
Crashed Thread: 3 Dispatch queue: com.apple.loginwindow.auth
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [25964]
I have found other references to this error but those seem to involve application bundles. In my case I have a single .so library (plus the two others) I wish to invoke.
The library is from https://github.com/google/google-authenticator-libpam
Again, this works fine in the three previous OS versions. What do I need to change to make it work here? Advice most appreciated, please. Thank you!
Library validation is a feature that, when it’s enabled, means that a process will only load code signed by Apple as part of the OS or signed by their team. Library validation is an opt-in feature for third-party developers but it’s generally enabled for all programs that are built into the system [1].
This obviously causes problems if the system program has to load a third-party plug-in. In that case we sign the system program with an entitlement that explicitly opts out of library validation. For example:
% sudo cp `which sudo` .
% sudo chown quinn:staff ./sudo
% codesign -d --entitlements - ./sudo
Executable=/Users/quinn/sudo
[Dict]
[Key] com.apple.private.AuthorizationServices
[Value]
[Array]
[String] com.apple.security.sudo
[Key] com.apple.private.security.clear-library-validation
[Value]
[Bool] true
We specifically want sudo to be able to load PAM modules and so it opts out of library validation. The "mapping process is a platform binary, but mapped file is not" message you’re seeing is non-fatal. The code within sudo catches this error and retries in a way that allows it to load third-party code.
When you add the module to the screensaver service, it ends up being loaded by loginwindow. I’m actually surprised to see that loginwindow also disables library validation:
% codesign -d --entitlements - /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
Executable=/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
[Dict]
…
[Key] com.apple.private.security.clear-library-validation
[Value]
[Bool] true
…
The fact that loginwindow crashes in this case indicates that something else is going wrong. It’s possible that it’s as simple as it not catching the error and retrying in the same way that sudo does, but that’s just speculation on my part.
To learn more I’d like to get a copy of the full crash report. Please post it here, using the instructions in Posting a Crash Report.
Oh, and you wrote:
I am developing a new pam module in Monterey [12.6]
Have you tried this on macOS 13? If not, please do so. If you don’t want to upgrade to macOS 13, you can always spin it up in a VM.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] The exact mechanics of this vary between built-in programs and third-party programs because built-in programs don’t have a Team ID. Hence the message "mapping process is a platform binary, but mapped file is not", where "platform binary" maps to what I’m calling a system program.
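The answer above checks for the clear-library-validation entitlement by reading the `codesign -d --entitlements -` dump by eye. As an added example, not code from this thread or from Apple, here is a small parser for that textual dump that reports whether a binary opts out of library validation, which is the property that decides whether it will load a third-party PAM module at all. The sample input is a constructed copy of the sudo dump quoted in the answer; only the flat dict-with-array shape shown on this page is handled.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: the `codesign -d --entitlements -` output for sudo,
# as quoted in the answer above (flat [Dict], one [Array] value, one [Bool]).
SUDO_ENTITLEMENTS = """\
Executable=/Users/quinn/sudo
[Dict]
    [Key] com.apple.private.AuthorizationServices
    [Value]
        [Array]
            [String] com.apple.security.sudo
    [Key] com.apple.private.security.clear-library-validation
    [Value]
        [Bool] true
"""

CLEAR_LV = "com.apple.private.security.clear-library-validation"

_KEY = re.compile(r"^\s*\[Key\]\s+(\S+)")
_LEAF = re.compile(r"^\s*\[(String|Bool|Integer)\]\s+(.+?)\s*$")


def parse_entitlements(text: str) -> Dict[str, List[Union[str, bool, int]]]:
    """Parse codesign's textual entitlement dump into {key: [leaf values]}.

    Handles the flat shape shown on this page: a top-level [Dict] whose
    values are scalars or one-level [Array]s. Leaves are attributed to the
    most recent [Key]; nested dicts are not modelled (assumption).
    """
    result: Dict[str, List[Union[str, bool, int]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _LEAF.match(line)
        if m and current is not None:
            kind, raw = m.groups()
            if kind == "Bool":
                result[current].append(raw.lower() == "true")
            elif kind == "Integer":
                result[current].append(int(raw))
            else:
                result[current].append(raw)
    return result


def clears_library_validation(text: str) -> bool:
    """True if the dump grants the opt-out entitlement with a true value."""
    return True in parse_entitlements(text).get(CLEAR_LV, [])
```

On a Mac, feed it the combined stdout and stderr of `codesign -d --entitlements - <binary>`; lines that are not part of the dump (such as `Executable=`) are ignored.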