Bug 154498

Summary: util-linux login & pam session
Product: Red Hat Enterprise Linux 4 Reporter: Karel Zak <kzak>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: sgrubb, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2005-669 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-05 16:52:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 113381, 156322    
Attachments:
Description Flags
bug fix patch (by Steve Grubb) none

Description Karel Zak 2005-04-12 08:30:17 UTC 
From: 	Steve Grubb
Date: 	Fri, 8 Apr 2005 16:24:11 -0400  (22:24 CEST)

I found a problem in login's handling of the 
pam session. If for some reason the pam set credential call fails, it does 
not close the pam session. pam open can mount drives, so calling pam close is 
important. Attached is a patch that fixes this. I believe all versions of 
util-linux are similarly affected.
Comment 1 Karel Zak 2005-04-12 08:32:09 UTC 
Created attachment 113015 [details]
bug fix patch (by Steve Grubb)
Comment 12 Karel Zak 2005-09-05 08:14:07 UTC 
Test case:

Add at begin of /etc/pam.d/system-auth:
   auth        required      pam_debug.so auth=success cred=perm_denied

(this setting disable login to system!). Now try log in for example by "telnel
localhost". You have to found in /var/log/messages:

Sep  5 10:04:48 petra pam_tally[9480]: pam_tally: option deny=5 allowed in auth
phase only
Sep  5 10:04:48 petra remote(pam_unix)[9480]: session opened for user zakkr by
(uid=0)
Sep  5 10:04:48 petra remote(pam_unix)[9480]: session closed for user zakkr
Sep  5 10:04:48 petra login[9480]: Permission denied

The important line is "session closed" that missing in old version without bug fix.
Comment 15 Red Hat Bugzilla 2005-10-05 16:52:14 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-669.html