Bug 201
| Summary: | login no longer honors PAM sessions | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | allbery |
| Component: | distribution | Assignee: | Jeff Johnson <jbj> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.2 | CC: | felipe |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 1998-12-06 04:35:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Restored the util-linux-2.7 fork/exec/wait/PAM_END. I also added your comments and e-mail address to the source. Fixed in dist-6.0/util-linux-2.9-4 *** Bug 1009 has been marked as a duplicate of this bug. *** In util-linux 2.8, a piece of code of login.c was eliminated. This code waited for the shell to end to call pam_close_session. So, the version that comes with redhat 5.2 calls pam_close_session before executing the shell instead of waiting for it to end and then close the session. The bug is fixed since util-linux-2.9c ------- Additional Comments From ayn2 02/02/99 01:24 ------- This is a duplicate of #201 |
[util-linux-2.8- The following comment can be found in util-linux-2.8/login-utils/login.c: /* There was some junk with fork()/exec()/signal()/wait() here that was incorrect, and util-linux-2.7-11.src.rpm contains a patch that makes the fork entirely useless. If you introduce one again, please document in the source what its purpose is. - aeb */ PAM_END; Will someone please track down "aeb" and make him read the PAM documentation, followed by an overview of Kerberos? I was not amused to discover that our Kerberos tickets and AFS tokens (similar) were being destroyed immediately because the above brokenness invokes pam_close_session() to destroy the tickets/tokens before exec()ing the user's shell instead of at logout. PAM is now fairly useless for its intended purpose except in cases where it doesn't buy one anything. I have worked around this problem locally for AFS tokens; the solution for Kerberos was to replace /bin/login with a non-PAMified Kerberized version until such time as it can be fixed properly.