Bug 198637 - Make login processes initialise session keyring
Product: Fedora
Classification: Fedora
Component: vsftpd
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Radek Vokal
Mike McLean
Blocks: 198623
Reported: 2006-07-12 09:29 EDT by David Howells
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.0.5-2
Doc Type: Bug Fix
Last Closed: 2006-07-13 11:16:27 EDT

Attachments
Add keyinit instruction to PAM script (2.78 KB, patch)
2006-07-13 10:16 EDT, David Howells
Description David Howells 2006-07-12 09:29:24 EDT
+++ This bug was initially created as a clone of Bug #198623 +++

This package contains the "ftp" service for which the PAM script needs to 
be modified.

The PAM scripts for the login programs need to be altered to forcibly create a 
new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

	session	    optional    pam_keyinit.so    force revoke

This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.

Ideally, this should be "required" not "optional", but it still has to work if 
the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

	session	    optional    pam_keyinit.so    revoke

To the default session (system-auth).  This just creates a new session keyring 
if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su 
[user]" PAM script, so that the former can forcibly create a keyring whilst 
the latter doesn't.
Comment 1 David Howells 2006-07-13 10:16:09 EDT
Created attachment 132375 [details]
Add keyinit instruction to PAM script

This patch modifies the contents of the devel/ directory to add keyinit
instructions to the vsftpd PAM script.
Comment 2 Radek Vokal 2006-07-13 11:16:27 EDT
I don't know why you hardcoded the path in the pam module? Also I've moved the
session line to the very top of the pam file.
Comment 3 David Howells 2006-07-13 11:21:10 EDT
> I don't know why you hardcoded the path in the pam module?

I followed the separate styles of each of the three PAM scripts I modified.  
Only one is actually installed, and that one doesn't have paths hardcoded.
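
The PAM rule requested in the description can be checked mechanically. The following is an added example, not part of the bug report or the attached patch: a small Python audit that parses a PAM service file and reports whether its `session` rule for `pam_keyinit.so` carries `force` and `revoke`, and whether the module path is hard-coded as raised in the comments. The function names, the sample files and the `/lib/security` path are constructed for illustration.

```python
import re

# Constructed sample service files (not the files touched by the patch).
SAMPLE_OK = """#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_shells.so
session    include      system-auth
"""
SAMPLE_BAD = """#%PAM-1.0
auth       required     /lib/security/pam_shells.so
session    optional     /lib/security/pam_keyinit.so revoke
"""

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a PAM service file."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        # control is either a keyword or a bracketed [value=action ...] list
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            mtype, control, module, args = m.groups()
            yield mtype.lstrip("-"), control, module, args.split()

def audit_keyinit(text, login_service=True):
    """Return findings for the pam_keyinit session rule.

    login_service=True is the login case from the description (force revoke);
    False is the system-auth / plain "su [user]" case (revoke only).
    """
    rules = [r for r in parse_pam(text)
             if r[0] == "session" and r[2].endswith("pam_keyinit.so")]
    if not rules:
        return ["missing: no 'session ... pam_keyinit.so' rule"]
    findings = []
    _, _, module, args = rules[0]
    if login_service and "force" not in args:
        findings.append("no 'force': keyring inherited from parent is kept")
    if "revoke" not in args:
        findings.append("no 'revoke': keyring is not revoked at process exit")
    if "/" in module:
        findings.append("module path is hard-coded: " + module)
    return findings

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_keyinit(text) or "pam_keyinit rule as requested")
```
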
