Bug 198631 - Make login processes initialise session keyring
Summary: Make login processes initialise session keyring
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-xdm (Show other bugs)
(Show other bugs)
Version: 6
Hardware: All Linux
Target Milestone: ---
Assignee: X/OpenGL Maintenance List
QA Contact:
Depends On:
Blocks: FC6Blocker 198623
TreeView+ depends on / blocked
Reported: 2006-07-12 13:24 UTC by David Howells
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-07-19 10:34:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add keyinit instruction to PAM script (1.56 KB, patch)
2006-07-13 13:05 UTC, David Howells
no flags Details | Diff

Description David Howells 2006-07-12 13:24:18 UTC
+++ This bug was initially created as a clone of Bug #198623 +++

This package contains the "xdm" program for which the PAM script needs to be 

The PAM scripts for the login programs need to be altered to forcibly create a 
new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

	session	    optional    pam_keyinit.so    force revoke

This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.

Ideally, this should be "required" not "optional", but it still has to work if 
the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

	session	    optional    pam_keyinit.so    revoke

To the default session (system-auth).  This just creates a new session keyring 
if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su 
[user]" PAM script, so that the former can forcibly create a keyring whilst 
the latter doesn't.

Comment 1 David Howells 2006-07-13 13:05:14 UTC
Created attachment 132368 [details]
Add keyinit instruction to PAM script

Patch to devel/ directory to patch the SPEC file and the PAM scripts to add
keyinit instructions.

Comment 3 Mike A. Harris 2006-07-15 20:51:33 UTC
Does this change require a specific version-release of pam or newer in order
to work properly?  We'll be releasing Xorg 7.1 for FC5 soon, and want to
keep the packages in sync as much as possible.

If a newer pam is required, what version-release is minimum?
If so, has that package been released for FC5 also, and if so, what
is the package version in FC5?

I'm hoping we can avoid spec conditionalization, but if we need to do it
I'd like to do it all at once to avoid probs.

Thanks in advance.

Comment 4 David Howells 2006-07-17 12:41:39 UTC
It doesn't require a specific version of PAM.  If we mark the instruction as 
optional, it just gets skipped if the installed PAM doesn't have that library.

Comment 5 Tomas Mraz 2006-07-18 14:43:13 UTC
But note that there will be a nasty syslog message for every login attempt if
the pam module is missing. However I plan to update PAM in FC5 to version
containing pam_keyinit soon.

Comment 6 Tomas Mraz 2006-07-18 14:44:35 UTC
pam >= contains pam_keyinit module

Comment 7 Mike A. Harris 2006-07-19 10:34:42 UTC
xorg-x11-xdm-1.0.5-3.fc6 contains the requested changes.  I have not
updated the dependency on pam however, as the module is not supported
in FC5 currently.

tmraz:  Let me know when you release this for FC5, so we can decide
wether we want to update the dep or not, as it is going to be a
different minimum pam name-ver-rel for each OS release since they
don't share the same package NVR.


Note You need to log in before you can comment on or make changes to this bug.