Bug 178714 - /etc/pam.d/su: 'multiple', 2nd (context) prompt
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: coreutils
All Linux
Priority: medium   Severity: medium
Assigned To: Tim Waugh
Blocks: 181409
Reported: 2006-01-23 13:40 EST by Rex Dieter
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2006-0313
Doc Type: Bug Fix
Last Closed: 2006-08-10 17:11:29 EDT
External Trackers:
  Red Hat Product Errata RHBA-2006:0313 (priority normal, status SHIPPED_LIVE): coreutils bug fix update, last updated 2006-08-09 00:00:00 EDT

Description Rex Dieter 2006-01-23 13:40:08 EST
With a recent update of coreutils, su's behavior has changed, in that after
prompting for the password, it also prompts for a (selinux?) context.  I'm seeing
something like:
$ su
Your default context is root:system_r:unconfined_t.

Do you want to choose a different one? [n]

kde's kdesu barfs/hangs on this second prompt.

A fix was pointed out to me on the selinux mailing list by dwalsh:
"Remove multiple from the pam file."

editing /etc/pam.d/su, changing
    session    required     /lib/security/$ISA/pam_selinux.so open multiple
to
    session    required     /lib/security/$ISA/pam_selinux.so open

did the trick.

# rpm -q -f /etc/pam.d/su
Comment 1 Tim Waugh 2006-01-24 08:06:13 EST
Adding Steve Grubb to cc - Steve, do you think this might be due to the
coreutils-pam.patch changes you suggested?
Comment 2 Steve Grubb 2006-01-24 17:02:33 EST
Tim, the pam patch tweaks made sure that pam failures were handled correctly. It
shouldn't have anything to do with this. The problem is the su pam config file
has "multiple" as a param which tells pam_selinux that it should ask which role
the user wants. This is definitely not what the average user wants.

I checked cvs for FC-3 & FC-4 and this seems to be the case. RHEL-4 does not
have the multiple option by comparison. I'd delete the "multiple" option out of
su.pamd for both FC-3 and FC-4.
Comment 4 Rex Dieter 2006-01-24 21:46:14 EST
> I checked cvs for FC-3 & FC-4 and this seems to be the case. RHEL-4 does not
> have the multiple option by comparison. I'd delete the "multiple" option out of
> su.pamd for both FC-3 and FC-4.

I'm seeing "multiple" on RHEL-4 with coreutils-5.2.1-31.2
Comment 5 Tim Waugh 2006-01-25 04:15:44 EST
Rex, the "multiple" keyword was already present in the package that shipped with
Red Hat Enterprise Linux 4, coreutils-5.2.1-31.  That has not changed in the update.

Steve: given this, what other change from 5.2.1-31 to 5.2.1-31.2 could cause
this?  Surely it has to be one of the coreutils-pam.patch changes.
Comment 6 Steve Grubb 2006-01-25 08:21:54 EST
Tim, it might be pam_selinux that changed during this time. Adding Dan to see if
he has any ideas.
Comment 7 Rex Dieter 2006-01-25 08:47:39 EST
Regardless, can't we agree that 'multiple' should be removed?
Comment 8 Steve Grubb 2006-01-25 09:07:51 EST
Rex, multiple is already removed in cvs and this change will be released in U3.
I think Tim just wants to know exactly what changed that caused this problem.
Comment 10 Daniel Walsh 2006-01-25 10:26:46 EST
Yes, multiple should be removed and actually the entire pam_selinux.so can be
removed.  The changes to /etc/pam.d/su are more for strict policy and were added
back in FC2 timeframe when we were shipping with strict.  pam_selinux.so in the
su module has no effect in the targeted policy, since the user goes from
unconfined_t to unconfined_t.  

The problem was caused by an upgrade to policy in U2 that caused su to think
there were multiple types that the user could reach and the pam module gives the
user the choice.

This choice makes no sense in a targeted policy environment.  If an init script
is running su to change user, it is recommended that they use runuser which will
eliminate any of the pam functions.
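As an added example (not from this bug report or from the coreutils package), the following shell snippet audits a PAM service file for the pam_selinux "multiple" option that triggers su's second (context) prompt, and emits a copy with the option dropped, which is the fix quoted in the description. The sample /etc/pam.d/su content is constructed in the style of the RHEL-4 file; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: find the pam_selinux "multiple"
# option in a PAM service file and produce a copy without it.

# Count session lines that load pam_selinux with the "multiple" option.
# Always exits 0 so it can be used in conditions; prints the count.
count_multiple() {
    grep -cE '^[[:space:]]*session[[:space:]].*pam_selinux\.so.*[[:space:]]multiple([[:space:]]|$)' "$1" || :
}

# Print the file with "multiple" removed from pam_selinux lines only;
# every other line, including the pam_selinux "close" line, is left as-is.
strip_multiple() {
    sed -E '/pam_selinux\.so/ s/[[:space:]]+multiple([[:space:]]|$)/\1/' "$1"
}

# Constructed sample: a RHEL-4-style /etc/pam.d/su carrying the option.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so
EOF

FIXED=$(mktemp)
strip_multiple "$SAMPLE" > "$FIXED"
echo "before: $(count_multiple "$SAMPLE") pam_selinux line(s) with 'multiple'"
echo "after:  $(count_multiple "$FIXED") pam_selinux line(s) with 'multiple'"
```

Run it against a copy of the real file first; the script only writes to temporary files and never touches /etc/pam.d itself.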
Comment 17 Bob Johnson 2006-04-11 12:57:39 EDT
This issue is on Red Hat Engineering's list of planned work items 
for the upcoming Red Hat Enterprise Linux 4.4 release.  Engineering 
resources have been assigned and barring unforeseen circumstances, Red 
Hat intends to include this item in the 4.4 release.
Comment 20 Red Hat Bugzilla 2006-08-10 17:11:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
