Bug 201 - login no longer honors PAM sessions
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: distribution
Version: 5.2
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jeff Johnson
Duplicates: 1009
Reported: 1998-11-25 14:53 EST by allbery
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 1998-12-05 23:35:31 EST
Description allbery 1998-11-25 14:53:30 EST
[util-linux-2.8-

The following comment can be found in
util-linux-2.8/login-utils/login.c:

    /* There was some junk with fork()/exec()/signal()/wait() here
       that was incorrect, and util-linux-2.7-11.src.rpm contains
       a patch that makes the fork entirely useless.
       If you introduce one again, please document in the source
       what its purpose is. - aeb */
    PAM_END;

Will someone please track down "aeb" and make him read the
PAM documentation, followed by an overview of Kerberos?  I
was not amused to discover that our Kerberos tickets and AFS
tokens (similar) were being destroyed immediately because
the above brokenness invokes pam_close_session() to destroy
the tickets/tokens before exec()ing the user's shell instead
of at logout.  PAM is now fairly useless for its intended
purpose except in cases where it doesn't buy one anything.

I have worked around this problem locally for AFS tokens;
the solution for Kerberos was to replace /bin/login with a
non-PAMified Kerberized version until such time as it can be
fixed properly.
Comment 1 Jeff Johnson 1998-12-05 23:35:59 EST
Restored the util-linux-2.7 fork/exec/wait/PAM_END.
I also added your comments and e-mail address to the source.

Fixed in dist-6.0/util-linux-2.9-4
Comment 2 Jeff Johnson 1999-02-02 09:34:59 EST
*** Bug 1009 has been marked as a duplicate of this bug. ***

In util-linux 2.8, a piece of code in login.c was
eliminated. This code waited for the shell to end before calling
pam_close_session. So, the version that comes with Red Hat
5.2 calls pam_close_session before executing the shell
instead of waiting for it to end and then closing the session.
The bug has been fixed since util-linux-2.9c.

------- Additional Comments From ayn2@cornell.edu  02/02/99 01:24 -------
This is a duplicate of #201
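
The ordering both comments describe, as an added example that is not part of this bug report or of util-linux: a temp file stands in for the Kerberos ticket that the PAM session hooks create and destroy, and `/bin/sh` stands in for the user's shell. The function names and the `/tmp` path are assumptions made for the demo, and no libpam calls are used.

```c
/* Added example, not util-linux code. A temp file models the credential that
 * pam_open_session() creates and pam_close_session() destroys. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* "Shell": exits 0 only if the credential still exists when it runs. */
static void exec_shell(const char *ticket) {
    execl("/bin/sh", "sh", "-c", "test -e \"$1\"", "sh", ticket, (char *)NULL);
    _exit(127);                      /* exec failed */
}

/* Login process: 0 = the 2.8 ordering, 1 = the restored fork/exec/wait. */
static void login_process(const char *ticket, int wait_for_shell) {
    if (!wait_for_shell) {
        unlink(ticket);              /* session closed before exec */
        exec_shell(ticket);          /* login itself becomes the shell */
    }
    pid_t sh = fork();
    if (sh < 0) _exit(125);
    if (sh == 0) exec_shell(ticket); /* child becomes the shell */
    int st = 0;
    waitpid(sh, &st, 0);             /* parent stays alive until logout */
    unlink(ticket);                  /* session closed at logout */
    _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 126);
}

/* Returns 1 if the shell saw the credential, 0 if it was already gone,
 * -1 on setup failure or if the credential outlived the session. */
int shell_sees_ticket(int wait_for_shell) {
    char ticket[64];                 /* constructed path for the demo */
    snprintf(ticket, sizeof ticket, "/tmp/pam_demo_ticket.%ld.%d",
             (long)getpid(), wait_for_shell);
    int fd = open(ticket, O_CREAT | O_EXCL | O_WRONLY, 0600); /* session open */
    if (fd < 0) return -1;
    close(fd);
    pid_t login = fork();
    if (login < 0) { unlink(ticket); return -1; }
    if (login == 0) login_process(ticket, wait_for_shell);
    int st = 0;
    waitpid(login, &st, 0);
    if (access(ticket, F_OK) == 0) { unlink(ticket); return -1; }
    if (!WIFEXITED(st) || WEXITSTATUS(st) > 1) return -1;
    return WEXITSTATUS(st) == 0;
}

int main(void) {
    printf("2.8: %d, restored: %d\n", shell_sees_ticket(0), shell_sees_ticket(1));
    return 0;
}
```

In a PAM-aware login the two `unlink()` calls correspond to where `pam_close_session()` runs, which is why the process that opened the session has to outlive the shell.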
