Bug 143750 - console login as root fails if /etc/nologin exists
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: 3
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Ben Levenson

Reported: 2004-12-26 15:23 EST by Gabor Kovacs
Modified: 2007-11-30 17:10 EST
Fixed In Version: pam-0.77-66.2
Doc Type: Bug Fix
Last Closed: 2005-02-10 05:14:32 EST

Description Gabor Kovacs 2004-12-26 15:23:29 EST
Description of problem:
Logging in on console as root fails if /etc/nologin exists. Logging in by ssh is OK.

An attempt to log in as root gives the following log:

Dec 21 11:52:54 bolyai26 login(pam_unix)[3309]: session opened for user root by LOGIN(uid=0)
Dec 21 11:52:54 bolyai26 login[3309]: Please ignore underlying account module


Version-Release number of selected component (if applicable):
util-linux-2.12a-16

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/nologin as root (don't close the shell if you can't log in by ssh)

Additional info:

Authentication was set by system-config-authentication to shadow, MD5 passwords.
Comment 1 Elliot Lee 2005-01-03 17:18:06 EST
I've verified this behaviour - I think it may be more of a PAM thing.
Comment 2 Tomas Mraz 2005-01-04 08:09:52 EST
This is a nice one - actually there are 2 bugs - in pam library for
allowing the PAM_IGNORE status to get to an application and in the
pam_nologin (overwriting return value by return of pam_get_item).
Comment 3 Tomas Mraz 2005-01-04 14:19:07 EST
The openssh works because it doesn't test return value of pam_setcred
and it handles the /etc/nologin file on its own.
Comment 4 Tomas Mraz 2005-01-07 10:37:27 EST
I've fixed this in UPSTREAM CVS, however I plan to add it to the next
FC3 errata too.
Comment 5 Tomas Mraz 2005-01-21 04:32:32 EST
Actually this isn't a security bug.
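
Added illustration, not part of the bug thread and not Linux-PAM's code or the actual fix: a simplified model of the library-side defect from Comment 2 (PAM_IGNORE reaching the application) and of why a caller that tests the result, as Comment 3 implies login does, refuses the session. The stack model, the function names, the sample module results and the fail-closed choice for a stack where every module abstains are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Status codes with the values Linux-PAM's headers give them. */
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

/* Hypothetical model: what one module in the stack returned for this call. */
struct module_result { const char *name; int status; };

/* Defective aggregation: a failure decides the result, but otherwise the
 * last status is handed back as-is, so a trailing PAM_IGNORE leaks out. */
int run_stack_leaky(const struct module_result *stack, size_t n)
{
    int status = PAM_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        if (stack[i].status != PAM_SUCCESS && stack[i].status != PAM_IGNORE)
            return stack[i].status;
        status = stack[i].status;
    }
    return status;
}

/* Corrected aggregation: PAM_IGNORE means "do not count me" and never
 * becomes the result. Assumption: if no module gave a verdict, fail closed. */
int run_stack_filtered(const struct module_result *stack, size_t n)
{
    int verdicts = 0;
    for (size_t i = 0; i < n; i++) {
        if (stack[i].status == PAM_IGNORE)
            continue;
        if (stack[i].status != PAM_SUCCESS)
            return stack[i].status;
        verdicts++;
    }
    return verdicts > 0 ? PAM_SUCCESS : PAM_PERM_DENIED;
}

/* A caller that tests the result strictly: anything but success is refused. */
int caller_admits(int pam_status) { return pam_status == PAM_SUCCESS; }

/* Constructed sample: one module succeeds, a later one abstains. */
static const struct module_result SAMPLE[] = {
    { "pam_unix", PAM_SUCCESS }, { "pam_nologin", PAM_IGNORE },
};

int main(void)
{
    int leaky = run_stack_leaky(SAMPLE, 2), fixed = run_stack_filtered(SAMPLE, 2);
    printf("leaky: status %d admitted %d\n", leaky, caller_admits(leaky));
    printf("fixed: status %d admitted %d\n", fixed, caller_admits(fixed));
    return 0;
}
```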