Bug 442565

Summary: pam_sepermit exclusive does not work with gnome-screensaver
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Fedora 9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 07:54:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
I was thinking just check for uid==0
none
Base decision on euid none

Description Daniel Walsh 2008-04-15 15:21:02 UTC 
Description of problem:


 sepermit should only check exclusive if it is running as root, otherwise it
sees itself and fails.
Comment 1 Tomas Mraz 2008-04-15 15:41:07 UTC 
I was thinking about this and I simply think that pam_sepermit should not be
added to the gnome-screensaver pam configuration at all (and use for example
'auth sufficient pam_succeed_if.so user = xguest') or there should be an option
to ignore the exclusive flags in the configuration file which would be used with
pam_sepermit and screensaver.
Comment 2 Daniel Walsh 2008-04-15 16:00:02 UTC 
Created attachment 302484 [details]
I was thinking just check for uid==0
Comment 3 Daniel Walsh 2008-04-15 16:00:51 UTC 
This patch works for me.

The problem with hard coding xguest is it forces users to edit the pam stack.
Comment 4 Tomas Mraz 2008-04-15 16:34:56 UTC 
Created attachment 302491 [details]
Base decision on euid

The decision should be based on effective uid rather than on real. Also I moved
the test a little bit later - there might be some more flags added in future.
The question is whether adding an explicit option to the module to ignore the
exclusive flag could be useful or not. But as I see it currently this patch
should be sufficient.
Comment 5 Daniel Walsh 2008-04-15 17:13:25 UTC 
Ok, I was debating whether to put it there.  I can never remember the correct
get*uid call to call.

Can you get this out for Fedora 9?
Comment 6 Bug Zapper 2008-05-14 09:29:31 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping