Bug 66902

Summary: separate PAM configuration for kscreensaver is not used
Product: Red Hat Enterprise Linux 3
Reporter: Jan Iven <jan.iven>
Component: kdebase
Assignee: Than Ngo <than>
Status: CLOSED DEFERRED
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 3.0
CC: jaroslaw.polok
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-10-24 16:50:56 UTC

Description Jan Iven 2002-06-18 10:00:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020509

Description of problem:
kcheckpass uses /etc/pam.d/kde when unlocking the screen. It should rather use
/etc/pam.d/kscreensaver. The mechanism appears to be:

kdesktop -> setenv(KDE_PAM_ACTION, KSCREENSAVER_PAM_SERVICE)
kcheckpass -> use /etc/pam.d/"caller"( = getenv(KDE_PAM_ACTION))

KSCREENSAVER_PAM_SERVICE is a macro from configure and will be set to pam_action
which is set itself by --with-pam=XXXX.

This is funny as the same spec file creates a separate /etc/pam.d/kscreensaver
(which will apparently not be used).

The RedHat spec file uses --with-pam=kde. Net result is that kscreensaver uses
/etc/pam.d/kde.





Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. mess up /etc/pam.d/kscreensaver, deny everybody and put in fancy restrictions etc.
2. lock your screen in KDE
3. unlock

Actual Results:  unlock works

Expected Results:  You should stay locked out since PAM should not be able to
authenticate you using the "kscreensaver" service. It can, because it uses the
"kde" service instead.


Additional info:

BTW, this is not our actual problem, we are rather stuck with pam_afs and AFS
token extension on unlock. But the above should demonstrate this well enough.

Comment 1 Jan Iven 2002-06-18 10:03:19 UTC
In the spec file you could use --with-kss-pam=kscreensaver which should do the
right thing.
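
A packaging-time check for the mismatch described in this report, as an added example that is not part of the original bug report or of Red Hat's packaging: it reads the `--with-pam` and `--with-kss-pam` flags from a spec file and lists the PAM service files the package installs but no component is configured to use. The spec excerpt, the function names and the handling of a missing `--with-pam` flag are assumptions made for illustration.

```python
import re

# Constructed spec-file excerpt for illustration (not the real kdebase spec).
SAMPLE_SPEC = """\
%build
%configure \\
   --with-pam=kde \\
   --disable-debug
%install
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/kde
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/kscreensaver
"""


def pam_services_used(spec_text):
    """Return the PAM service name each component will ask PAM for."""
    flags = dict(re.findall(r"--with-(pam|kss-pam)=([\w.-]+)", spec_text))
    login = flags.get("pam")  # None if the flag is absent (assumption)
    # As described in the report: the screensaver service falls back to the
    # --with-pam value unless --with-kss-pam sets it explicitly.
    return {"login": login, "screensaver": flags.get("kss-pam", login)}


def pam_files_shipped(spec_text):
    """Return the names of all /etc/pam.d/ files the spec installs."""
    return set(re.findall(r"/etc/pam\.d/([\w.-]+)", spec_text))


def unused_pam_files(spec_text):
    """PAM files that are installed but that no configured service selects."""
    used = {name for name in pam_services_used(spec_text).values() if name}
    return sorted(pam_files_shipped(spec_text) - used)


if __name__ == "__main__":
    print("services in use:", pam_services_used(SAMPLE_SPEC))
    for name in unused_pam_files(SAMPLE_SPEC):
        # An admin hardening this file would see no effect on screen unlock.
        print(f"WARNING: /etc/pam.d/{name} is installed but never consulted")
```

A policy placed in a file this check flags has no effect, which is the situation the reproduction steps demonstrate.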

Comment 2 Than Ngo 2003-03-12 17:04:38 UTC
It works for me. It's intended to use the kde PAM file instead of a separate file.

Comment 3 Jan Iven 2003-03-19 10:12:36 UTC
The problem comes from having expiring credentials, like AFS tokens or Kerberos
TGTs. You normally don't want to create a new session (voiding all existing
credentials) if you go for a 5-minute break. If you split between "session
start" (like logging into gdm/kdm) and "session continuation", you can do things
like non-destructive token renewal. Please consider re-opening, the changes for
Red Hat should be minimal. 


Comment 4 Than Ngo 2005-10-24 16:50:56 UTC
OK, I will add a separate PAM config file for kscreensaver in the upcoming RHEL5.

Many thanks for your report.

Comment 5 Issue Tracker 2007-06-12 07:40:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0449.html

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'
Ticket type set to: 'Problem'

This event sent from IssueTracker by navid 
 issue 81747