+++ This bug was initially created as a clone of Bug #198623 +++

This package contains the "xdm" program for which the PAM script needs to be modified.

WHAT NEEDS TO BE DONE
=====================

The PAM scripts for the login programs need to be altered to forcibly create a new session keyring when a login event occurs. These simply require the following line adding to their PAM scripts:

    session    optional     pam_keyinit.so force revoke

This forces them to create a new session keyring during login, replacing the one inherited from their parent, and causes the session keyring so created to be revoked when the login process exits. Ideally, this should be "required" not "optional", but it still has to work if the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

    session    optional     pam_keyinit.so revoke

To the default session (system-auth). This just creates a new session keyring if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su [user]" PAM script, so that the former can forcibly create a keyring whilst the latter doesn't.
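An added example, not part of the bug report or of the xdm or PAM packages: a Python check that a pam.d-style service file carries the pam_keyinit line the report asks for, `force revoke` for login programs and `revoke` alone for the default stack. The sample file contents and the names `audit`, `keyinit_rules` and `EXPECTED` are constructed for illustration.

```python
import re

# pam.d rule: [-]type control module [args]. A leading '-' is Linux-PAM syntax
# for "do not log if the module is missing"; control may be [bracketed].
RULE = re.compile(r'^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

# Arguments the report asks for, per kind of service file (names are assumptions).
EXPECTED = {"login": {"force", "revoke"}, "default": {"revoke"}}

# Constructed sample contents, not copied from any real package.
XDM_SAMPLE = """#%PAM-1.0
auth       required     pam_env.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
"""
SYSTEM_AUTH_SAMPLE = "session optional pam_keyinit.so revoke\nsession required pam_unix.so\n"


def keyinit_rules(pam_text):
    """Return [(control, set_of_args)] for each session pam_keyinit.so rule."""
    rules = []
    # Join backslash-continued lines before parsing, then drop comments.
    for line in pam_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not m:
            continue
        _, mtype, control, module, args = m.groups()
        if mtype == "session" and module.rsplit("/", 1)[-1] == "pam_keyinit.so":
            rules.append((control, set(args.split())))
    return rules


def audit(pam_text, kind):
    """Return a list of findings for a service file of the given kind."""
    rules = keyinit_rules(pam_text)
    if not rules:
        return ["no session pam_keyinit.so rule"]
    findings = []
    for control, args in rules:
        missing = EXPECTED[kind] - args
        extra = args - EXPECTED[kind]
        if missing:
            findings.append("missing argument(s): " + " ".join(sorted(missing)))
        if extra:
            findings.append("unexpected argument(s): " + " ".join(sorted(extra)))
        if control != "optional":
            findings.append(f"control '{control}' fails the stack if the module is absent")
    return findings
```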
Created attachment 132368: Add keyinit instruction to PAM script
Patch to devel/ directory to patch the SPEC file and the PAM scripts to add keyinit instructions.
Does this change require a specific version-release of pam or newer in order to work properly? We'll be releasing Xorg 7.1 for FC5 soon, and want to keep the packages in sync as much as possible. If a newer pam is required, what version-release is minimum? If so, has that package been released for FC5 also, and if so, what is the package version in FC5? I'm hoping we can avoid spec conditionalization, but if we need to do it I'd like to do it all at once to avoid probs. Thanks in advance.
It doesn't require a specific version of PAM. If we mark the instruction as optional, it just gets skipped if the installed PAM doesn't have that library.
But note that there will be a nasty syslog message for every login attempt if the pam module is missing. However, I plan to update PAM in FC5 to a version containing pam_keyinit soon.
pam >= 0.99.5.0 contains pam_keyinit module
xorg-x11-xdm-1.0.5-3.fc6 contains the requested changes. I have not updated the dependency on pam however, as the module is not supported in FC5 currently. tmraz: Let me know when you release this for FC5, so we can decide whether we want to update the dep or not, as it is going to be a different minimum pam name-ver-rel for each OS release since they don't share the same package NVR. TIA