Bug 193335

Summary: /etc/pam.d/system-auth contains bad logic
Product: [Fedora] Fedora
Component: authconfig
Version: 5
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Chris Tyler <ctyler.fedora>
Assignee: Tomas Mraz <tmraz>
QA Contact: Brian Brock <bbrock>
Doc Type: Bug Fix
Last Closed: 2006-05-29 07:55:38 UTC

Description Chris Tyler 2006-05-27 16:38:08 UTC
Description of problem:
The file /etc/pam.d/system-auth, which is included in a number of other PAM
configuration files and which is (apparently) generated by authconfig, contains
what looks like nonsense logic.

Version-Release number of selected component (if applicable):
0.99.3.0-2

This is the content of the auth section of that file using only local
authentication:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

The pam_succeed_if line does not affect the outcome. (It was probably intended
to deny logins where 0<UID<500?)

In the account section there is similar fluff:
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

The pam_succeed_if line here has no effect on the outcome.

Comment 1 Tomas Mraz 2006-05-29 07:55:38 UTC
This is not a bug. These lines come into effect when authentication against a
network service (LDAP, KRB5) is enabled. Otherwise they just don't change
anything, so there is no need to remove them if no such authentication service is
enabled.

The auth line disappears when "Authenticate system accounts by network services"
is enabled.
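
Added example (not part of the original bug report and not authconfig's own code): a small model of the required, requisite and sufficient control flags that evaluates the auth stack quoted above with and without the pam_succeed_if line. The network-enabled stack is an assumption: it places a "sufficient" pam_ldap.so entry just before pam_deny.so, and the uids 100 and 1000 and the module results are constructed inputs.

```python
from itertools import product

def evaluate(stack, results):
    """Walk a PAM stack of (control, module) pairs; return (granted, called)."""
    failed, succeeded, called = False, False, []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True, called        # success ends the stack at once
            continue                       # otherwise the result is ignored
        if control not in ("required", "requisite"):
            raise ValueError("control flag not modelled: " + control)
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False, called       # failure ends the stack at once
    return succeeded and not failed, called

# auth stack from the report (module arguments dropped)
LOCAL_AUTH = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
              ("requisite", "pam_succeed_if.so"),      # uid >= 500 quiet
              ("required", "pam_deny.so")]
# ASSUMPTION: network module inserted as "sufficient" just before pam_deny.so
NETWORK_AUTH = LOCAL_AUTH[:3] + [("sufficient", "pam_ldap.so")] + LOCAL_AUTH[3:]

def outcome(stack, uid, unix_ok, ldap_ok=False):
    """Evaluate one login attempt; the three inputs are constructed test values."""
    results = {"pam_env.so": True, "pam_unix.so": unix_ok, "pam_deny.so": False,
               "pam_succeed_if.so": uid >= 500, "pam_ldap.so": ldap_ok}
    return evaluate(stack, results)

def cases_where_uid_check_matters(stack):
    """Return the (uid, unix_ok, ldap_ok) inputs whose result changes without the line."""
    stripped = [e for e in stack if e[1] != "pam_succeed_if.so"]
    diffs = []
    for case in product((100, 1000), (False, True), (False, True)):
        if outcome(stack, *case)[0] != outcome(stripped, *case)[0]:
            diffs.append(case)
    return diffs

if __name__ == "__main__":
    print("local only :", cases_where_uid_check_matters(LOCAL_AUTH))
    print("with LDAP  :", cases_where_uid_check_matters(NETWORK_AUTH))
    print("uid 100    :", outcome(NETWORK_AUTH, 100, False, True))
```

With local authentication only, no input changes the result; in the assumed network stack the line changes exactly one case, an account with uid below 500 whose local password check fails, where the stack stops before the network module is consulted.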