Bug 596887

Summary: ksu with pam occasionally fails
Product: Red Hat Enterprise Linux 5 Reporter: Jeff Bastian <jbastian>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.5CC: dpal, jplans, jwest, tao, zmraz
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: krb5-1.6.1-41.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 596937 (view as bug list) Environment:
Last Closed: 2011-01-13 23:52:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 596937, 602967    
Attachments:
Description Flags
proposed patch none

Description Jeff Bastian 2010-05-27 17:40:44 UTC 
Description of problem:
ksu had pam support added with bug 477033.  It's occasionally failing with an error, "Error opening session for <USERNAME>".

Adding "[ksu] { use_pam = false }" to /etc/krb5.conf "fixes" the problem by disabling pam usage, but this also removes the other pam modules from the mix like pam_access.


Version-Release number of selected component (if applicable):
krb5-workstation-1.6.1-36.el5_4.1.x86_64

How reproducible:
occasionally

Steps to Reproduce:
1. configure system for kerberos
2. ksu username
  
Actual results:
Error opening session for <USERNAME>

Expected results:
become the <USERNAME> user
Comment 7 Nalin Dahyabhai 2010-05-27 21:05:50 UTC 
Created attachment 417384 [details]
proposed patch

This moves the pam_session_open() call earlier, to do it before switching to the target user's privileges.  Incorporates currently-proposed changes for bug #540769 because they're intertwined.
Comment 24 errata-xmlrpc 2011-01-13 23:52:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html