Bug 77791
Summary: | pam_mkhomedir cannot create home when called from su
---|---
Product: | [Fedora] Fedora
Component: | coreutils
Version: | rawhide
Hardware: | i386
OS: | Linux
Status: | CLOSED RAWHIDE
Severity: | medium
Priority: | medium
Reporter: | Reiner Jung <r.jung>
Assignee: | Tim Waugh <twaugh>
QA Contact: | David Lawrence <dkl>
CC: | tmraz
Fixed In Version: | 5.2.1-34
Doc Type: | Bug Fix
Last Closed: | 2004-12-06 15:51:52 UTC

Description
Reiner Jung
2002-11-13 17:35:42 UTC
Created attachment 103910 [details]
Patch
This patch temporarily sets fsuid to 0 so the pam_mkhomedir can create the
user's home directory.
The patch above solves it on the pam side, but it's debatable if it wasn't better to move the setfsuid call in su after the pam_open_session call. Ccing twaugh as he is owner of coreutils.

Created attachment 106763 [details]
New and better patch

Oh, workaround for this is "chmod 1777 /home", but you may not regard that as secure or desirable. I sent my patch upstream as well. The problem bites plenty hard because the session fails if the PAM fails.

Nicolai

Comment on attachment 106763 [details]
New and better patch
I'm sorry but this patch is bogus.

I think this should be changed in su not in pam. The setfsuid and setfsgid calls should not be made before pam_open_session.

Is this still an issue?

Yes, it is.

What exactly are the requirements here? I can't see anything in the pam_open/close_session man page to suggest that setfsuid/gid() should be needed *after* pam_open_session, only before:

pam_open_session [...] Some types of functions associated with session initialization are logging for the purposes of system-audit and mounting directories (the user's home directory for example). These should not concern the application. It should be noted that the effective uid, geteuid(2), of the application should be of sufficient privilege to perform such tasks.

After looking at the history of the pam patch, and the reason that the setfsuid/gid() calls were added in the first place, I think they can now be removed.

Does 5.2.1-34 fix this bug?
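
The ordering problem discussed in this thread, as an added example that is not code from the bug report, coreutils or Linux-PAM: a directory is created under a root-owned 0755 parent with the fsuid dropped first, with fsuid left at 0, and again after the `chmod 1777` workaround. `DEMO_UID`, `make_home` and `run_demo` are hypothetical names, the temporary directory under `/tmp` stands in for `/home`, and the comparison only runs as root (otherwise `run_demo` returns 1).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_UID 65534 /* assumption: an unprivileged uid ("nobody" on many systems) */

/* setfsuid() reports no error, so query with -1 afterwards to confirm the switch. */
static int switch_fsuid(uid_t uid) {
    setfsuid(uid);
    return (uid_t)setfsuid((uid_t)-1) == uid ? 0 : -1;
}

/* Stand-in for a session module creating parent/name. drop_first=1 is the ordering
 * from the report (fsuid already the user's); 0 keeps fsuid 0 during session setup.
 * Returns 0, the errno of the failing call, or -1 if fsuid could not be switched. */
int make_home(const char *parent, const char *name, int drop_first) {
    char path[4096];
    int rc = 0;
    snprintf(path, sizeof path, "%s/%s", parent, name);
    if (drop_first && switch_fsuid(DEMO_UID) != 0) return -1;
    if (mkdir(path, 0700) != 0) rc = errno;
    else if (!drop_first && chown(path, DEMO_UID, (gid_t)-1) != 0) rc = errno;
    if (drop_first) switch_fsuid(0); /* restore so the next case starts as root */
    return rc;
}

/* 0: behaviour matches the thread; 1: skipped (needs root); -1: unexpected result. */
int run_demo(void) {
    char parent[] = "/tmp/fsuid-demo-XXXXXX", path[128];
    const char *names[] = { "early", "late", "sticky" };
    if ((uid_t)setfsuid((uid_t)-1) != 0 || switch_fsuid(DEMO_UID) != 0) return 1;
    switch_fsuid(0);
    if (!mkdtemp(parent) || chmod(parent, 0755) != 0) return -1;
    int early = make_home(parent, names[0], 1);  /* root-owned 0755 parent: EACCES */
    int late = make_home(parent, names[1], 0);   /* fsuid still 0: succeeds */
    chmod(parent, 01777);                        /* the "chmod 1777 /home" workaround */
    int sticky = make_home(parent, names[2], 1); /* world-writable parent: succeeds */
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", parent, names[i]);
        rmdir(path);
    }
    rmdir(parent);
    return (early == EACCES && late == 0 && sticky == 0) ? 0 : -1;
}

int main(void) { printf("run_demo() = %d\n", run_demo()); return 0; }
```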