Bug 137802

Summary: pam_console authentication when invoked under root
Product: [Fedora] Fedora
Reporter: Dmitry Butskoy <dmitry>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
Keywords: EasyFix, FutureFeature
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-25 14:59:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
  enhance pam_console authentication when invoked under root (super user) / none
  accompanied patch for pam_console.8 / none

Description Dmitry Butskoy 2004-11-01 15:24:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20040923

Description of problem:

  My users often work on several virtual consoles (and gdm)
simultaneously. Thus they want to log in with a password only once.
  At first sight, the most suitable choice would be to use the existing
pam_console module for "auth". However, when invoked under root
(because "/bin/login" runs under root), pam_console behaves as
"pam_rootok", and anyone logs in even without a password prompt.
The "pam_rootok" behaviour is not obligatory, and there is even a comment
on it in the source.

  I have made a patch which removes the "pam_rootok" stuff and allows
pam_console to be useful when invoked under root.

  The idea is that if "getuid() == 0" we obtain the user name by a
pam_get_user() call instead.
  But we must make sure it is the local physical console. Otherwise a
remote user can log in without the password when someone already sits
at the console. We can check this by inspecting whether PAM_RHOST is set
or not.
  Both /bin/login (under telnetd) and /usr/bin/gdm set PAM_RHOST for
remote invocations. (/bin/login -- source check and test by me, gdm --
source check only). But I have not found anything similar for kdm/xdm.
Therefore the new pam_console cannot be used with kdm/xdm when they
allow remote logins.

 The patched pam_console has worked for us for one month without a
problem. I hope this patch may be applied to the mainstream.
 The kdm and xdm case is not an issue, because the patch does not in any
way worsen the current pam_console behaviour. (Currently, if we
use pam_console for login, anyone can log in without a password :-) ).
 Deleting the "pam_rootok"-like code does nothing for current
applications (i.e. halt, reboot), because there are explicit
pam_rootok.so specifications in the pam configs for all of them.



Version-Release number of selected component (if applicable):
pam-0.77-65

How reproducible:
Always

Steps to Reproduce:
Our /etc/pam.d/login, as an example of the new functionality:

#%PAM-1.0
auth       required     pam_securetty.so
# this line is added...
auth       sufficient   pam_console.so
auth       required     pam_stack.so service=system-auth
auth       optional     pam_ssh.so try_first_pass
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    optional     pam_ssh.so


Actual Results:    Currently, anyone logs in even without a password prompt

Expected Results:  For the first console login, a password should be
asked for. Subsequent additional logins should not ask for the password.

Additional info:

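The decision the report describes, as an added illustration in C that is not the attached patch and not pam_console's own code: the old root shortcut beside the proposed check. The PAM items (PAM_USER, PAM_RHOST) are passed in as plain strings so the file builds without libpam, and the lookup of who currently holds the console is replaced by a constructed stand-in value; the scenarios in main() (user names, the remote address 198.51.100.7) are constructed too.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added illustration of the authentication decision described in the report.
 * This is not the attached patch and not pam_console's own code: the PAM
 * items are passed in as plain strings so it builds without libpam, and the
 * "console owner" (the user pam_console would find holding the console) is a
 * constructed stand-in for its real lookup. */

/* What the module hands back to the stack. With "auth sufficient
 * pam_console.so", only AUTH_SUCCESS skips the password modules that
 * follow it; anything else lets the stack continue to them. */
enum auth_result { AUTH_SUCCESS, AUTH_CONTINUE };

struct auth_ctx {
    uid_t caller_uid;          /* getuid() of the process running the stack   */
    const char *caller_name;   /* account name belonging to caller_uid        */
    const char *pam_user;      /* PAM_USER, what pam_get_user() would return  */
    const char *pam_rhost;     /* PAM_RHOST; NULL or "" for a local login     */
    const char *console_owner; /* user currently holding the console, or NULL */
};

static int nonempty(const char *s) { return s != NULL && *s != '\0'; }

/* Vouch for `who` only if that same user already holds the console. */
static enum auth_result vouch_if_owner(const char *who, const char *owner)
{
    if (!nonempty(who) || !nonempty(owner))
        return AUTH_CONTINUE;   /* nobody at the console yet: ask for a password */
    return strcmp(who, owner) == 0 ? AUTH_SUCCESS : AUTH_CONTINUE;
}

/* Behaviour the report complains about: a caller running as root is waved
 * through like pam_rootok would, so /bin/login (which is root) never asks. */
enum auth_result old_console_auth(const struct auth_ctx *c)
{
    if (c->caller_uid == 0)
        return AUTH_SUCCESS;
    return vouch_if_owner(c->caller_name, c->console_owner);
}

/* Behaviour after the change the report proposes: under root, take the
 * name from PAM_USER instead, and never vouch when PAM_RHOST marks the
 * login as remote, so a remote login cannot reuse whoever sits at the
 * console. */
enum auth_result new_console_auth(const struct auth_ctx *c)
{
    if (c->caller_uid != 0)
        return vouch_if_owner(c->caller_name, c->console_owner);
    if (nonempty(c->pam_rhost))
        return AUTH_CONTINUE;   /* remote: fall through to the password modules */
    return vouch_if_owner(c->pam_user, c->console_owner);
}

/* 1 if, for a login run as root (like /bin/login), the "auth sufficient
 * pam_console.so" line would still leave the password prompt in place. */
int old_asks_password(const char *user, const char *rhost, const char *owner)
{
    struct auth_ctx c = { 0, "root", user, rhost, owner };
    return old_console_auth(&c) != AUTH_SUCCESS;
}

int new_asks_password(const char *user, const char *rhost, const char *owner)
{
    struct auth_ctx c = { 0, "root", user, rhost, owner };
    return new_console_auth(&c) != AUTH_SUCCESS;
}

int main(void)
{
    /* Constructed scenarios: who logs in, from where, who holds the console. */
    static const struct { const char *what, *user, *rhost, *owner; } cases[] = {
        { "first login at VT1",               "alice", NULL,           NULL    },
        { "alice again on VT2",               "alice", NULL,           "alice" },
        { "bob on VT3 while alice holds it",  "bob",   NULL,           "alice" },
        { "alice via telnet (remote)",        "alice", "198.51.100.7", "alice" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s old: %-10s new: %s\n", cases[i].what,
               old_asks_password(cases[i].user, cases[i].rhost, cases[i].owner)
                   ? "password" : "no prompt",
               new_asks_password(cases[i].user, cases[i].rhost, cases[i].owner)
                   ? "password" : "no prompt");
    return 0;
}
```

The old function never asks for a password in any of the four root-run cases, which is the hole the report describes; the new one asks on the first login, on a different user's login, and on every remote login, and skips the prompt only for the user already holding the console.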
Comment 1 Dmitry Butskoy 2004-11-01 15:27:02 UTC
Created attachment 106017 [details]
enhance pam_console authentication when invoked under root (super user)

Comment 2 Tomas Mraz 2004-11-01 16:38:30 UTC
I will accept this patch for FC4; it seems to be reasonable, thanks.

It would be even better if you wrote a few words in the pam_console.8
manpage describing the functionality of pam_console for "auth".


Comment 3 Dmitry Butskoy 2004-11-02 17:48:53 UTC
Created attachment 106076 [details]
accompanied patch for pam_console.8

It describes "auth" stuff (which was missing), with new enhancements...

Comment 4 Tomas Mraz 2004-11-02 18:01:44 UTC
Thank you for your very fine patches.