Bug 201 - login no longer honors PAM sessions
Summary: login no longer honors PAM sessions
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: distribution
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
: 1009 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 1998-11-25 19:53 UTC by allbery
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1998-12-06 04:35:31 UTC

Attachments (Terms of Use)

Description allbery 1998-11-25 19:53:30 UTC

The following comment can be found in

    /* There was some junk with
fork()/exec()/signal()/wait() here
       that was incorrect, and util-linux-2.7-11.src.rpm
       a patch that makes the fork entirely useless.
       If you introduce one again, please document in the
       what its purpose is. - aeb */

Will someone please track down "aeb" and make him read the
PAM documentation, followed by an overview of Kerberos?  I
was not amused to discover that our Kerberos tickets and AFS
tokens (similar) were being destroyed immediately because
the above brokenness invokes pam_close_session() to destroy
the tickets/tokens before exec()ing the user's shell instead
of at logout.  PAM is now fairly useless for its intended
purpose except in cases where it doesn't buy one anything.

I have worked around this problem locally for AFS tokens;
the solution for Kerberos was to replace /bin/login with a
non-PAMified Kerberized version until such time as it can be
fixed properly.

Comment 1 Jeff Johnson 1998-12-06 04:35:59 UTC
Restored the util-linux-2.7 fork/exec/wait/PAM_END.
I also added your comments and e-mail address to the source.

Fixed in dist-6.0/util-linux-2.9-4

Comment 2 Jeff Johnson 1999-02-02 14:34:59 UTC
*** Bug 1009 has been marked as a duplicate of this bug. ***

In util-linux 2.8, a piece of code of login.c was
eliminated. This code waited for the shell to end to call
pam_close_session. So, the version that comes with redhat
5.2 calls pam_close_session before executing the shell
instead of waiting for it to end and then close the session.
The bug is fixed since util-linux-2.9c

------- Additional Comments From ayn2  02/02/99 01:24 -------
This is a duplicate of #201

Note You need to log in before you can comment on or make changes to this bug.