Bug 2086 - pam_loginuid causing trouble for tl-passwd
Status: CLOSED WONTFIX
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Linux
Importance: P2 Normal
Target Milestone: 4.13.0
Assignee: Peter Åstrand
Duplicates: 3619
 
Reported: 2006-06-28 15:04 CEST by Erik Forsberg
Modified: 2021-04-29 08:09 CEST

Description Erik Forsberg cendio 2006-06-28 15:04:38 CEST
Les had trouble using tl-passwd on his FC4 machine. The trouble turned out to
be caused by the last line in /etc/pam.d/sshd:

session    required     pam_loginuid.so

The manual page for pam_loginuid.so:

--snip--
pam_loginuid(8)          System Administrator's Manual         pam_loginuid(8)

NAME
       pam_loginuid - record user's login uid to the process attribute

SYNOPSIS
       session required /lib/security/pam_loginuid.so

DESCRIPTION
       pam_loginuid  sets  the loginuid process attribute for the process that
       was authenticated. This is necessary for applications to  be  correctly
       audited.  This  pam module should only be used for entry point applica-
       tions like: login, sshd, gdm, vsftpd, crond, at, and remote. There  are
       probably  other  entry point applications besides these. You should not
       use it for applications like sudo or su as that defeats the purpose  by
       changing the loginuid to the account they just switched to.

ARGUMENTS
       require_auditd
              This  option,  when  given,  will cause this module to query the
              audit daemon status and deny logins if it is not running.

EXAMPLE
       /etc/pam.d/gdm:
       auth       required     pam_stack.so service=system-auth
       auth       required     pam_nologin.so
       account    required     pam_stack.so service=system-auth
       password   required     pam_stack.so service=system-auth
       session    required     pam_stack.so service=system-auth
       session    required     pam_loginuid.so
       session    optional     pam_console.so

SEE ALSO
       auditd(8), auditctl(8)

BUGS
       Let's hope not, but if you find any, please email the author.

AUTHOR
       Steve Grubb <sgrubb@redhat.com>

Red Hat Linux                     2005/07/29                   pam_loginuid(8)

--snap--

Need to investigate if ThinLinc should use pam_loginuid or not.
Comment 1 Erik Forsberg cendio 2006-06-28 15:54:14 CEST
The best way to solve this is probably to implement bug 951, since that will
eliminate the need to check the current password via lsh-pam-checkpw, since the
passwd command will do that for us. 
Comment 2 Peter Åstrand cendio 2009-12-21 13:21:54 CET
This problem exists on SLED11 as well. The main problem is that lsh-pam-checkpw not only verifies the password, but also opens a session. This is useful for VSM, but not at all necessary for tl-passwd. We could extend lsh-pam-checkpw with options to specify the desired behaviour, but probably, it's better to fix bug 951 instead. 
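Added example (not part of the bug report or ThinLinc's code): a small parser for a PAM service file that shows why a helper which only verifies a password never reaches pam_loginuid.so, while one that also opens a session does. The sample file contents and the two call lists are assumptions modelling what Comment 2 describes; modules pulled in through pam_stack.so or include lines are not resolved.

```python
import re

# Constructed sample of /etc/pam.d/sshd, modelled on the man page's gdm
# example; only the final pam_loginuid line is quoted from the report.
SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
"""

# libpam entry points and the rule type each one walks.
CALL_TO_TYPE = {
    "pam_authenticate": "auth", "pam_setcred": "auth",
    "pam_acct_mgmt": "account", "pam_chauthtok": "password",
    "pam_open_session": "session", "pam_close_session": "session",
}

RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for every rule in a service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        match = RULE.match(line)
        if match:                             # skips @include and junk lines
            rtype, control, module, args = match.groups()
            rules.append((rtype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def modules_for(rules, calls):
    """Modules named directly in the file that the given libpam calls reach."""
    types = {CALL_TO_TYPE[c] for c in calls}
    return [module for rtype, _, module, _ in rules if rtype in types]

# Assumed call sets modelling Comment 2, not lsh-pam-checkpw's real source.
VERIFY_ONLY = ["pam_authenticate", "pam_acct_mgmt"]
VERIFY_AND_SESSION = VERIFY_ONLY + ["pam_open_session"]

if __name__ == "__main__":
    rules = parse_pam(SSHD_PAM)
    for name, calls in (("verify only", VERIFY_ONLY),
                        ("verify + session", VERIFY_AND_SESSION)):
        hit = "pam_loginuid.so" in modules_for(rules, calls)
        print(f"{name:18} reaches pam_loginuid.so: {hit}")
```

Point `parse_pam` at the contents of the service file a helper authenticates against to see which session modules it would trigger.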
Comment 3 Peter Åstrand cendio 2012-04-04 09:28:51 CEST
*** Bug 3619 has been marked as a duplicate of this bug. ***
Comment 4 Pierre Ossman cendio 2021-04-29 08:09:30 CEST
tl-passwd has been removed from the product.
