Bug 198639 - Make login processes initialise session keyring
Summary: Make login processes initialise session keyring
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 6
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 198623
TreeView+ depends on / blocked
 
Reported: 2006-07-12 13:33 UTC by David Howells
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-07-18 10:25:01 UTC


Attachments (Terms of Use)
Patch to split su/runuser -l PAM scripts and add keyinit instructions (4.74 KB, patch)
2006-07-13 11:37 UTC, David Howells
no flags Details | Diff

Description David Howells 2006-07-12 13:33:41 UTC
+++ This bug was initially created as a clone of Bug #198623 +++

This package contains the "su" program for which the PAM script needs to be 
modified.  The "su" program also needs its PAM script duplicating so that 
there's a separate script for "su - [user]" mode.

WHAT NEEDS TO BE DONE
=====================
The PAM scripts for the login programs need to be altered to forcibly create a 
new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

	session	    optional    pam_keyinit.so    force revoke

This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.

Ideally, this should be "required" not "optional", but it still has to work if 
the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

	session	    optional    pam_keyinit.so    revoke

To the default session (system-auth).  This just creates a new session keyring 
if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su 
[user]" PAM script, so that the former can forcibly create a keyring whilst 
the latter doesn't.

Comment 1 David Howells 2006-07-13 11:37:45 UTC
Created attachment 132363 [details]
Patch to split su/runuser -l PAM scripts and add keyinit instructions

This patch modifies the devel/ directory contents (spec file, PAM scripts and
adds a code patch) to split the su/runuser -l PAM scripts from the normal
su/runuser PAM scripts.  It also adds keyinit instructions to those PAM scripts
as needed.

Comment 2 Tim Waugh 2006-07-13 11:59:56 UTC
Applied in CVS.  Thanks.


Note You need to log in before you can comment on or make changes to this bug.