Bug 13136

Summary: PAM: console device grants not revoked on logout
Product: [Retired] Red Hat Linux Reporter: Chris Evans <chris>
Component: pamAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: notting, pbrown
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-07-21 22:12:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Evans 2000-06-27 22:44:46 UTC 
I log in as "chris" on tty1
User "chris" gets ownership of /dev/fd0, /dev/gpmctl, etc. etc.
I log out
Ownership of all the devices has _NOT_ reverted back to root.
I have verified that RH6.1 behaves correctly and does the reversions
Comment 1 Nalin Dahyabhai 2000-07-03 07:24:39 UTC 
I can't reproduce this.  Which service are you logging into?  Console login?
GDM?  KDM?  XDM?  What are the contents of the relevant /etc/pam.d configuration
file and /etc/pam.d/system-auth?
Comment 2 Chris Evans 2000-07-08 22:34:04 UTC 
Was definitely non-graphical console login. I run at runlevel 3. Default, full
BETA-2 install from scratch. Will reboot into BETA-2 and get a test-case..
Comment 3 Chris Evans 2000-07-08 22:41:42 UTC 
Here is system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

And here is login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

Let me know if you want console.perms, but it is unchanged from the install. I
haven't changed ANY config files since the default install in fact.
Comment 4 Chris Evans 2000-07-08 22:50:11 UTC 
OK... I see this problem if I
1) Log in on text console tty1 as "chris"
2) Log out
3) Log in on tty1 as "root"
4) "ls -l /dev/fd0" (or any other console device).
5) .. and it's still owned by "chris"

Let me know if you still can't reproduce
Comment 5 Nalin Dahyabhai 2000-07-10 15:23:29 UTC 
Are you using NIS?
Comment 6 Chris Evans 2000-07-10 20:10:03 UTC 
According to "authconfig": no.
I'm blowing away my BETA2 for a BETA3 tonight. Will see if it persists.
Comment 7 Nalin Dahyabhai 2000-07-10 20:41:53 UTC 
I was able to (briefly) reproduce this on Beta 2, but not under Beta 3.  I'm
tempted to chalk it up to compiler wackiness, as the pam_console module
didn't change between 6.2 and beta 2.
Comment 8 Chris Evans 2000-07-21 22:12:20 UTC 
Nalin - when my BETA5 CD's arrive I will re-test and close if it does not
reproduce.
Note however a bugzilla deficiency: there is no resolution status "COMPILER
WACKINESS" :-)
Comment 9 Chris Evans 2000-07-31 22:04:13 UTC 
BETA5 seems to be behaving fine.
Perhaps whilst text console testing, I was logged in on X in the background.
Or perhaps it was compiler wackiness. I suspect an X login hanging around in the
background, though.
Anyway.. closed.