Bug 51646
| Summary: | pam limits drops other user privileges | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Tarhon-Onu Victor <lsmituc> |
| Component: | pam | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Aaron Brown <abrown> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | arpadffy, lukasz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2002-12-18 14:10:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tarhon-Onu Victor
2001-08-13 15:30:32 UTC
I forgot: you have to add the following line to the /etc/pam.d/login file:

```
session required /lib/security/pam_limits.so
```

...in order to make the limitations set in limits.conf work all the time. For some reason they do not work all the time, or as they should. This bug does not exist in the pam package shipped by default with Red Hat 7.0, nor in the updates. I just checked, and I also downgraded pam-0.75 and 0.74 to 0.72 from the rh7.0 upgrades.

Another problem is that a limit in limits.conf is applied globally; for example, `* - maxlogins 10` will allow a maximum of 10 users on the system instead of a maximum of ten logins per user.

I'm requesting that this PAM problem be treated as a security problem with high priority. It is impossible to manage large systems with 3000 users without limits.

It looks like an additional check (checking if the group in question is the user's primary group) is causing this, and it's a messy problem. I think it'll be fixed in -11, but it needs more testing.

Hello, I would like to confirm this bug, because I have posted a test to bugtraq with other results... Anyway, there is a little test:

```
lt:~# cat /etc/security/limits.conf |grep -v "#"
@test - maxlogins 2
lt:~# cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
session required /lib/security/pam_limits.so
lt:~# id test
uid=503(test) gid=509(test) groups=509(test)
```

Only root is logged in on console tty1. Now I try to log in as user test on tty2:

```
login: test
Password:
Last login: Sun Sep 9 18:29:38 on tty2
lt:~# id
uid=0(root) gid=0(root) groups=509(test)
```

Taadam. :-)

If I remove the line `@test - maxlogins 2` from /etc/security/limits.conf or the line `session required /lib/security/pam_limits.so` from /etc/pam.d/login, it works correctly; I can log in as test on tty2 without root privilege. :-)

```
login: test
Password:
Last login: Sun Sep 9 18:29:28 on tty1
lt:~$ id
uid=503(test) gid=509(test) groups=509(test)
lt:~$
```

```
bash-2.05$ rpm -q pam
pam-0.74-22
bash-2.05$ uname -r
2.4.9
```

I've been doing some more checking, and it appears that it picks up the first user logged in /var/run/utmp (not necessarily the most recently logged in user). If there are no other users logged in, then the bug does not trigger.

Verified ok with the newer pam (although it can't count user limits right).

Closing this bug, opening a new one with the off-by-one user error in it. |
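The thread above describes two distinct mistakes in how `maxlogins` was evaluated: `@group` entries were checked against the primary group only, and the count was taken system-wide (or from the wrong utmp entry) instead of per user. The following added example is not pam_limits code and not from this bug report; it is a small reference model of the intended semantics, with constructed limits.conf lines and constructed utmp-style session lists, that a defender can use to sanity-check what a limits.conf policy should do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    domain: str   # a login name, "@group" or "*"
    value: int    # maxlogins value


@dataclass(frozen=True)
class Account:
    name: str
    primary_group: str
    supplementary: frozenset   # supplementary group names


def parse_limits(text):
    """Parse limits.conf-style lines 'domain type item value'; keep only maxlogins."""
    limits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        domain, _type, item, value = line.split()
        if item == "maxlogins":
            limits.append(Limit(domain, int(value)))
    return limits


def matches(limit, account):
    """@group must match any of the account's groups, not only the primary one."""
    if limit.domain == "*":
        return True
    if limit.domain.startswith("@"):
        group = limit.domain[1:]
        return group == account.primary_group or group in account.supplementary
    return limit.domain == account.name


def effective_maxlogins(limits, account):
    """Most specific entry wins (user > @group > *); None means no cap."""
    best, best_rank = None, 0
    for lim in limits:
        if not matches(lim, account):
            continue
        rank = 1 if lim.domain == "*" else 2 if lim.domain.startswith("@") else 3
        if rank >= best_rank:          # a later entry of equal rank overrides
            best, best_rank = lim.value, rank
    return best


def login_allowed(limits, account, utmp_users):
    """utmp_users: login names of current sessions. Only this account's own
    sessions count toward its cap; the first utmp entry is irrelevant."""
    cap = effective_maxlogins(limits, account)
    if cap is None:
        return True
    return sum(1 for u in utmp_users if u == account.name) < cap
```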