Bug 1334138

Summary: listsep=, breaks pam_access.so
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Kanter <ekanter>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.4
CC: jplans, jturner, pkis, srevivo, tao, tmraz
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 201008
Environment:
Last Closed: 2016-05-09 07:17:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 201008
Bug Blocks:

Description Eugene Kanter 2016-05-09 01:55:35 UTC
+++ This bug was initially created as a clone of Bug #201008 +++

+++ This bug was initially created as a clone of Bug #132135 +++



Steps to reproduce in basic pam_access.so configuration.

1. insert
account     required      pam_access.so
above
account     required      pam_unix.so
in 
/etc/pam.d/password-auth-ac
/etc/pam.d/system-auth-ac

2. add lines
+ : root : ALL
- : ALL : ALL
to /etc/security/access.conf

3. verify that no login other than root is accepted.
4. append option listsep=, after pam_access.so as described in Bug #201008
5. verify that access rules are ignored and any valid user can now login.


pam_access.so configuration reference https://access.redhat.com/solutions/70472

Comment 2 Tomas Mraz 2016-05-09 07:17:37 UTC
Your configuration is incorrect. If you use a different listsep than the default, you have to ensure that there are no spaces around the ':' field separator character. Note that the configuration in bug 201008 does not have any spaces there.
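
The behaviour discussed in this report, as an added example that is not part of the bug thread and not pam_access source code: a simplified Python model of access.conf evaluation plus a lint check that flags rules whose whitespace will not be stripped under the configured listsep. It assumes the documented default list separators (comma, space, tab), first-match-wins evaluation, and access granted when no rule matches; the function names and the space-free `COMPACT` sample are constructed for illustration.

```python
DEFAULT_SEP = ", \t"  # documented default list separators for pam_access

# Rules from the report, and a constructed space-free equivalent.
SPACED = "+ : root : ALL\n- : ALL : ALL\n"
COMPACT = "+:root:ALL\n-:ALL:ALL\n"

def tokens(field, sep):
    """Split on any character in sep (strtok-like); tokens are not trimmed."""
    for ch in sep:
        field = field.replace(ch, "\0")
    return [t for t in field.split("\0") if t]

def rules(conf):
    """Yield (line_number, [perm, users, origins]) for well-formed rule lines."""
    for n, line in enumerate(conf.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) == 3:
            yield n, parts

def access_allowed(conf, user, sep=DEFAULT_SEP):
    """Model only: the user field decides, origins are treated as ALL.
    The first matching rule wins; no matching rule means access is granted."""
    for _, (perm, users, _origins) in rules(conf):
        if any(t == user or t.upper() == "ALL" for t in tokens(users, sep)):
            return perm.startswith("+")
    return True

def lint(conf, sep):
    """Line numbers whose fields keep whitespace that sep will not remove."""
    if " " in sep or "\t" in sep:
        return []
    return [n for n, parts in rules(conf)
            if any(f != f.strip() for f in parts)]

if __name__ == "__main__":
    for name, conf in (("spaced", SPACED), ("compact", COMPACT)):
        for sep in (DEFAULT_SEP, ","):
            print(name, repr(sep), "alice allowed:",
                  access_allowed(conf, "alice", sep), "lint:", lint(conf, sep))
```

With `listsep=,` the spaced rules yield the tokens `" root "` and `" ALL "`, which match nothing, so the deny rule never fires; running the lint over access.conf before changing listsep catches this.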