Bug 77791

Summary: pam_mkhomedir cannot create home when called from su
Product: [Fedora] Fedora Reporter: Reiner Jung <r.jung>
Component: coreutilsAssignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 5.2.1-34 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-12-06 15:51:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch
none
New and better patch none

Description Reiner Jung 2002-11-13 17:35:42 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Setup a Redhat machine with ldap. Necessary for create the home directory ist
that with su - USERNAME the home directory automaticly will be create. For this
i make a entry in the /PAM/SU. This don't work.
When i test the same with login or other PAM modules it work

When I remember with RH 7.2 or 7.3 it works.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Create the entry in the pam su file

pam/su gemacht.

######################################################################
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel"
group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/
umask=0022
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so

2.su - USERNAME (availible in the LDAP database)

3.su - hans
Creating directory '/home/hans'.
could not open session
	



Actual Results:  The home directory isn't created

Expected Results:  nothing, not possible to work with auto create LDAP accounts. 
Impossible for my client.

Additional info:

create entry in syslog.conf

*.debug            /var/log/debug


###########################################

Nov 13 18:19:14 groupware slapd[1017]: conn=49 op=5 SRCH
base="dc=creativix,dc=n
etz" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=hans)(uniqueMember=c
n=hans,ou=People,dc=creativix,dc=netz)))"
Nov 13 18:19:14 groupware slapd[1017]: conn=49 op=5 SEARCH RESULT
tag=101 err=0
text=
Nov 13 18:19:14 groupware slapd[626]: conn=49 op=6 SRCH
base="dc=creativix,dc=ne
tz" scope=2 filter="(&(objectClass=posixAccount)(uid=hans))"
Nov 13 18:19:14 groupware slapd[626]: conn=49 op=6 SEARCH RESULT tag=101
err=0 t
ext=
Nov 13 18:19:14 groupware PAM-mkhomedir[1433]: unable to create
directory /etc/s
kel
Nov 13 18:19:14 groupware slapd[1000]: conn=49 op=7 SRCH
base="dc=creativix,dc=n
etz" scope=2 filter="(&(objectClass=posixAccount)(uid=hans))"
Nov 13 18:19:14 groupware su(pam_unix)[1433]: session opened for user
hans by ro
ot(uid=0)
Nov 13 18:19:14 groupware slapd[1000]: conn=49 op=7 SEARCH RESULT
tag=101 err=0
text=
Nov 13 18:19:14 groupware slapd[616]: conn=-1 fd=32 closed
Nov 13 18:19:14 groupware slapd[1000]: conn=-1 fd=31 closed
Comment 1 Tomas Mraz 2004-09-16 15:09:57 UTC 
Created attachment 103910 [details]
Patch

This patch temporarily sets fsuid to 0 so the pam_mkhomedir can create the
user's home directory.
Comment 2 Tomas Mraz 2004-09-16 15:13:29 UTC 
The patch above solves it on the pam side, but it's debatable if it
wasn't better to move the setfsuid call in su after the
pam_open_session call.

Ccing twaugh as he is owner of coreutils.
Comment 3 Nicolai Langfeldt 2004-11-15 22:56:27 UTC 
Created attachment 106763 [details]
New and better patch
Comment 4 Nicolai Langfeldt 2004-11-15 22:58:26 UTC 
Oh, workaround for this is "chmod 1777 /home", but you may not regard
that as secure or desierable.  I sent my patch upstream as well.  The
problem bites plenty hard because the session fails if the PAM fails.

Nicolai
Comment 5 Tomas Mraz 2004-11-16 15:20:47 UTC 
Comment on attachment 106763 [details]
New and better patch

I'm sorry but this patch is bogus.
Comment 6 Tomas Mraz 2004-11-16 16:10:08 UTC 
I think this should be changed in su not in pam. The setfsuid and
setfsgid calls should not be made before pam_open_session.
Comment 7 Tim Waugh 2004-12-06 12:17:12 UTC 
Is this still an issue?
Comment 8 Tomas Mraz 2004-12-06 12:28:31 UTC 
Yes, it is.
Comment 9 Tim Waugh 2004-12-06 13:30:05 UTC 
What exactly are the requirements here?  I can't see anything in the
pam_open/close_session man page to suggest that setfsuid/gid() should be needed
*after* pam_open_session, only before:

       pam_open_session
              [...]
              Some types of functions associated with session  initialization
              are  logging  for  the  purposes  of  system-audit and mounting
              directories (the userĂ¢s  home  directory  for  example).  These
              should not concern the application. It should be noted that the
              effective uid, geteuid(2), of the application should be of suf-
              ficient privilege to perform such tasks.
Comment 10 Tim Waugh 2004-12-06 15:51:52 UTC 
After looking at the history of the pam patch, and the reason that the
setfsuid/gid() calls were added in the first place, I think they can now be removed.

Does 5.2.1-34 fix this bug?