Bug 198629

Summary: Make login processes initialise session keyring
Product: Fedora
Component: gdm
Version: 6
Hardware: All
OS: Linux
Severity: medium
Priority: high
Status: CLOSED RAWHIDE
Reporter: David Howells <dhowells>
Assignee: Ray Strode [halfline] <rstrode>
QA Contact: Mike McLean <mikem>
Doc Type: Bug Fix
Last Closed: 2006-07-18 13:30:53 UTC
Bug Blocks: 198623

Description David Howells 2006-07-12 13:20:31 UTC
+++ This bug was initially created as a clone of Bug #198623 +++

This package contains the "gdm" program for which the PAM script needs to be 
modified.

WHAT NEEDS TO BE DONE
=====================
The PAM scripts for the login programs need to be altered to forcibly create a 
new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

	session	    optional    pam_keyinit.so    force revoke

This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.

Ideally, this should be "required" not "optional", but it still has to work if 
the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

	session	    optional    pam_keyinit.so    revoke

To the default session (system-auth).  This just creates a new session keyring 
if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su 
[user]" PAM script, so that the former can forcibly create a keyring whilst 
the latter doesn't.

Comment 1 David Howells 2006-07-13 12:57:09 UTC
| These simply require the following line adding to their PAM scripts:

Aargh! I forgot to mention: this needs to go *above* the other session lines, 
so that any key they add gets placed in the new keyring.
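The ordering rule from the description and Comment 1 (pam_keyinit.so with "force revoke" must be the first line of the session stack) is easy to get wrong, as Comment 3 shows. The script below is an added example, not part of this bug or the gdm package: it lints a PAM stack and accepts it only when the first "session" line loads pam_keyinit.so with both "force" and "revoke". The two stack files embedded in it are constructed stand-ins for /etc/pam.d/gdm, not the real package files, and the check assumes the plain three-field control syntax used in the bug's lines ("session optional module args"), not bracketed "[...]" controls.

```shell
#!/bin/sh
# Added example (not from the gdm package or this bug's attachments): lint a
# PAM stack for the rule in bug 198629. The FIRST "session" line must load
# pam_keyinit.so with both "force" and "revoke", so that keys added by later
# session modules land in the new session keyring rather than the inherited one.
# Assumption: simple three-field control syntax ("session optional module args").

# Constructed stand-in for /etc/pam.d/gdm after the fix (hypothetical contents).
GOOD_STACK='#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so    force revoke
session    include     system-auth
session    required    pam_loginuid.so
'

# Constructed stand-in for the misordered stack: pam_keyinit.so is present but
# sits below the other session lines, the mistake Comment 1 warns about.
BAD_STACK='#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
account    include     system-auth
session    include     system-auth
session    optional    pam_keyinit.so    force revoke
'

# check_keyinit_first STACK_TEXT
# Prints "ok" and returns 0 when the first session line is
# "pam_keyinit.so ... force ... revoke"; otherwise prints the reason and
# returns 1. Only the first session line matters, since that is the rule.
check_keyinit_first() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        $1 != "session" { next }                         # other stacks are irrelevant
        {
            decided = 1
            if ($3 != "pam_keyinit.so") {
                print "first session module is " $3 ", not pam_keyinit.so"
                exit 1
            }
            force = 0; revoke = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "force")  force = 1
                if ($i == "revoke") revoke = 1
            }
            if (!force || !revoke) {
                print "pam_keyinit.so is first but lacks \"force revoke\""
                exit 1
            }
            print "ok"
            exit 0
        }
        END { if (!decided) { print "no session lines found"; exit 1 } }
    '
}

# Demo run. On a live system check the real file instead:
#   check_keyinit_first "$(cat /etc/pam.d/gdm)"
check_keyinit_first "$GOOD_STACK"
check_keyinit_first "$BAD_STACK" || echo "misordered stack rejected"
```

On a live system, the complementary runtime check is to log in through the fixed gdm and run `keyctl show` from keyutils: the session keyring listed should be a fresh one owned by the logged-in user, not the keyring of the process that spawned gdm.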

Comment 3 Ray Strode [halfline] 2006-07-18 13:30:53 UTC
So I had this in earlier this week:

* Wed Jul 12 2006 Ray Strode <rstrode> - 1:2.15.5-4
- add new pam module to pam files to support kernel session keyring
(and)
* Fri Jul 14 2006 Ray Strode <rstrode> - 1:2.15.6-2
- put new pam module at top of stack (bug 198629)

but then somehow reverted it.

Should be fixed in tomorrow's rawhide.