Bug 198755
| Field | Value |
|---|---|
| Summary | Make login processes initialise session keyring |
| Product | [Fedora] Fedora |
| Component | sudo |
| Version | 6 |
| Reporter | David Howells <dhowells> |
| Assignee | Karel Zak <kzak> |
| QA Contact | Ben Levenson <benl> |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | high |
| Keywords | Reopened |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Bug Blocks | 198623 |
| Last Closed | 2006-07-16 22:37:26 UTC |
Description

David Howells, 2006-07-13 10:01:37 UTC

Created attachment 132361: Separate out PAM script for "sudo -i" and add keyinit instructions to samples

Patch to make sudo use separate PAM scripts for "sudo" and "sudo -i". Also creates a new sample PAM script for "sudo -i" and adds appropriate keyinit instructions to both.

Created attachment 132362: Modify SPEC file to add keyring initialisation to PAM scripts

David, I think your solution based on def_env_reset is not the best idea, because it could be enabled by the "Default env_reset" option in sudoers. I want to be sure, so I've rather used:

+#ifdef HAVE_PAM_LOGIN + if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) + pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh); + else +#endif + pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);

and added HAVE_PAM_LOGIN to configure.in. I think it's a way which could be accepted by upstream (I hope :-). Thanks for your work.

Karel - are your concerns regarding David's proposed approach, and the subsequent alternative implementation, applicable to the numerous other login-type utilities? I ask this question because there are about 10 packages with the same fix suggested. So I'm not sure if the other packages are ok as-is or whether they should consider your alternative approach.

Tim, this thing (in comment #4) is sudo specific and doesn't have an impact on the other packages. For login processes (= create a new session) we need "force revoke" and for the rest we need "revoke" in the PAM setting. The sudo command is specific because it supports both modes. So we need a way to distinguish between these modes in the sudo code. My concern was about the way David has done this distinction.
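Review bot: the `#ifdef HAVE_PAM_LOGIN` / `else` / `#endif` interleaving in the quoted snippet leaves a dangling `else` whose body is the `pam_start("sudo", ...)` line after `#endif`; it compiles either way, but the control flow crosses the preprocessor boundary and is easy to break on the next edit. Selecting the service name first and keeping a single call is clearer: `const char *pam_service = "sudo";` then, under `#ifdef HAVE_PAM_LOGIN`, `if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) pam_service = "sudo-i";` and finally one `pam_status = pam_start(pam_service, pw->pw_name, &pam_conv, &pamh);`. Also worth stating in the commit text: the new "sudo-i" service name is only meaningful when the matching PAM configuration from attachment 132362 is installed with it, so the SPEC change and this code change need to land together.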
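As an added example (not code from the bug's attachments or from the sudo package), a POSIX shell check that applies the rule stated in the last comment: a login-type PAM stack such as "sudo-i" should call pam_keyinit.so with `force revoke`, while a non-login stack such as "sudo" should use `revoke` only. The two PAM stacks embedded below are constructed for the example; their layout follows the usual /etc/pam.d style, which is an assumption, not something taken from the package.

```sh
#!/bin/sh
# Added example: verify pam_keyinit options per stack type.
#   login stacks (new session, e.g. sudo-i)  -> expect "force revoke"
#   non-login stacks (e.g. plain sudo)       -> expect "revoke" without "force"
# Both sample stacks are constructed here for illustration.

SAMPLE_SUDO='#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so'

SAMPLE_SUDO_I='#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so'

# keyinit_options STACK_TEXT
#   Prints the option words following pam_keyinit.so on a "session" line.
#   Assumes the simple "type control module args" layout; a bracketed
#   control field ([success=1 ...]) would shift the module column.
keyinit_options() {
    printf '%s\n' "$1" | awk '$1 == "session" && $3 == "pam_keyinit.so" {
        for (i = 4; i <= NF; i++) printf "%s ", $i
        print ""
    }'
}

# check_keyinit MODE STACK_TEXT
#   MODE is "login" or "nonlogin". Returns 0 when the stack carries the
#   expected pam_keyinit options, 1 otherwise (including no keyinit at all).
check_keyinit() {
    mode=$1
    opts=$(keyinit_options "$2")
    case " $opts " in *" revoke "*) has_revoke=1 ;; *) has_revoke=0 ;; esac
    case " $opts " in *" force "*)  has_force=1  ;; *) has_force=0  ;; esac
    if [ "$mode" = login ]; then
        [ "$has_revoke" -eq 1 ] && [ "$has_force" -eq 1 ]
    else
        [ "$has_revoke" -eq 1 ] && [ "$has_force" -eq 0 ]
    fi
}

# Stand-alone usage: report both constructed stacks.
if check_keyinit nonlogin "$SAMPLE_SUDO"; then
    echo "sudo:   ok (revoke only)"
else
    echo "sudo:   wrong pam_keyinit options"
fi
if check_keyinit login "$SAMPLE_SUDO_I"; then
    echo "sudo-i: ok (force revoke)"
else
    echo "sudo-i: wrong pam_keyinit options"
fi
```

To run it against real files, replace the embedded samples with `$(cat /etc/pam.d/sudo)` and `$(cat /etc/pam.d/sudo-i)`; a stack that includes pam_keyinit via an `include`d file rather than directly will not be seen by this simple parser.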