Bug 193335 - /etc/pam.d/system-auth contains bad logic
Product: Fedora
Classification: Fedora
Component: authconfig
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2006-05-27 12:38 EDT by Chris Tyler
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-05-29 03:55:38 EDT
Description Chris Tyler 2006-05-27 12:38:08 EDT
Description of problem:
The file /etc/pam.d/system-auth, which is included into a number of other PAM
configuration files and which is (apparently) generated by authconfig, contains
what looks like nonsense logic.

Version-Release number of selected component (if applicable):

This is the content of the auth section of that file using only local
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

The pam_succeed_if line does not affect the outcome. (It was probably intended
to deny logins where 0<UID<500?)

In the account section there is similar fluff:
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

The pam_succeed_if line here has no effect on the outcome.
Comment 1 Tomas Mraz 2006-05-29 03:55:38 EDT
This is not a bug. These lines come into effect when the authentication against a
network service (LDAP, KRB5) is enabled. Otherwise they just don't change
anything so there is no need to remove them if no such authentication service is

The auth line disappears when "Authenticate system accounts by network services"
is enabled.
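
The following is an added example, not part of the bug report and not authconfig code: a simplified model of the required, requisite and sufficient control flags that compares the auth stack quoted above with and without the pam_succeed_if line. The network variant of the stack (a "sufficient pam_ldap" line placed between the uid check and pam_deny) is an assumption, since the report does not show that file.

```python
from itertools import product

# Simplified model of the Linux-PAM control flags used in the auth stack.
CHECK = ("requisite", "pam_succeed_if")  # uid >= 500 quiet
LOCAL = [("required", "pam_env"), ("sufficient", "pam_unix"),
         CHECK, ("required", "pam_deny")]
# Assumption: with network auth enabled, a "sufficient pam_ldap" line sits
# between the uid check and pam_deny (this stack is not shown in the report).
NETWORK = LOCAL[:3] + [("sufficient", "pam_ldap")] + LOCAL[3:]


def run_stack(stack, results):
    """Return True if the stack authenticates; results maps module -> bool."""
    status = None  # None until a required/requisite module has voted
    for control, module in stack:
        passed = results[module]
        if control == "sufficient":
            if passed and status is not False:
                return True   # success ends the stack immediately
            continue          # a failed sufficient module is ignored
        if not passed:
            if control == "requisite":
                return False  # failure ends the stack immediately
            status = False    # required: remember failure, keep going
        elif status is None:
            status = True
    return status is True


def scenarios_where_check_matters(stack):
    """List (pam_unix, uid_check, pam_ldap) results whose outcome changes
    when the pam_succeed_if line is removed from the stack."""
    without = [entry for entry in stack if entry != CHECK]
    changed = []
    for unix, uid_ok, ldap in product([True, False], repeat=3):
        results = {"pam_env": True, "pam_deny": False, "pam_unix": unix,
                   "pam_succeed_if": uid_ok, "pam_ldap": ldap}
        if run_stack(stack, results) != run_stack(without, results):
            changed.append((unix, uid_ok, ldap))
    return changed


if __name__ == "__main__":
    print("local only:", scenarios_where_check_matters(LOCAL))
    print("with network auth:", scenarios_where_check_matters(NETWORK))
```

In the local-only stack no combination of module results changes the outcome. In the assumed network stack the one changed case is pam_unix failing, the uid check failing and pam_ldap succeeding, where the requisite line ends the stack before the network module is consulted.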
