Red Hat Bugzilla – Bug 198631
Make login processes initialise session keyring
Last modified: 2007-11-30 17:11:37 EST
+++ This bug was initially created as a clone of Bug #198623 +++
This package contains the "xdm" program for which the PAM script needs to be
WHAT NEEDS TO BE DONE
The PAM scripts for the login programs need to be altered to forcibly create a
new session keyring when a login event occurs.
These simply require the following line adding to their PAM scripts:
    session    optional    pam_keyinit.so force revoke
This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.
Ideally, this should be "required" not "optional", but it still has to work if
the pam_keyinit.so library is absent.
The authlogin program needs modifying to add:
    session    optional    pam_keyinit.so revoke
to the default session (system-auth). This just creates a new session keyring
if one doesn't yet exist for this process.
The "su" program needs to split its "su - [user]" mode PAM script from its "su
[user]" PAM script, so that the former can forcibly create a keyring whilst
the latter doesn't.
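
An added example, not part of the original bug report or of any package it mentions: a small checker that parses a PAM service file and reports whether its session stack carries the pam_keyinit.so options requested above ("force revoke" for login services, "revoke" without "force" for the shared default stack). The function names and the sample file contents are constructed for illustration.

```python
import re

# Options the bug report asks for: login services force a fresh keyring,
# the shared default stack (system-auth) only creates one if none exists.
LOGIN_ARGS = {"force", "revoke"}
DEFAULT_ARGS = {"revoke"}

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Yield (type, control, module basename, [args]) for each rule."""
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        m = RULE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            yield (mtype.lstrip("-").lower(), control,
                   module.rsplit("/", 1)[-1], args.split())

def check_keyinit(text, login_service):
    """Return findings for one service file; an empty list means it conforms."""
    want = LOGIN_ARGS if login_service else DEFAULT_ARGS
    rules = [r for r in parse_pam(text)
             if r[0] == "session" and r[2] == "pam_keyinit.so"]
    if not rules:
        return ["no session pam_keyinit.so line"]
    findings = []
    for _, _, _, args in rules:
        missing = want - set(args)
        if missing:
            findings.append("missing option(s): " + " ".join(sorted(missing)))
        if not login_service and "force" in args:
            findings.append("'force' set on a non-login stack")
    return findings

# Constructed sample files, not copied from any package.
XDM_PATCHED = """#%PAM-1.0
auth       include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
"""
XDM_UNPATCHED = "#%PAM-1.0\nauth include system-auth\nsession include system-auth\n"
SYSTEM_AUTH = "session optional pam_keyinit.so revoke\nsession required pam_unix.so\n"

if __name__ == "__main__":
    for name, text, login in [("xdm (patched)", XDM_PATCHED, True),
                              ("xdm (unpatched)", XDM_UNPATCHED, True),
                              ("system-auth", SYSTEM_AUTH, False)]:
        print(name, check_keyinit(text, login) or "ok")
```
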
Created attachment 132368
Add keyinit instruction to PAM script
Patch to devel/ directory to patch the SPEC file and the PAM scripts to add
Does this change require a specific version-release of pam or newer in order
to work properly? We'll be releasing Xorg 7.1 for FC5 soon, and want to
keep the packages in sync as much as possible.
If a newer pam is required, what version-release is minimum?
If so, has that package been released for FC5 also, and if so, what
is the package version in FC5?
I'm hoping we can avoid spec conditionalization, but if we need to do it
I'd like to do it all at once to avoid probs.
Thanks in advance.
It doesn't require a specific version of PAM. If we mark the instruction as
optional, it just gets skipped if the installed PAM doesn't have that library.
But note that there will be a nasty syslog message for every login attempt if
the pam module is missing. However, I plan to update PAM in FC5 to a version
containing pam_keyinit soon.
pam >= 0.99.5.0 contains pam_keyinit module
xorg-x11-xdm-1.0.5-3.fc6 contains the requested changes. I have not
updated the dependency on pam however, as the module is not supported
in FC5 currently.
tmraz: Let me know when you release this for FC5, so we can decide
whether we want to update the dep or not, as it is going to be a
different minimum pam name-ver-rel for each OS release since they
don't share the same package NVR.