Red Hat Bugzilla – Bug 212329
"Unable to change GID to 501 temporarily"
Last modified: 2007-11-30 17:07:36 EST
Description of problem:
I get lots of messages like this in /var/log/secure:
Oct 25 11:30:18 cyberelk su: pam_keyinit(su-l:session): Unable to change GID to
Is this likely to be a pam_keyinit problem or a coreutils problem?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. As root, 'su - someuser'
2. Exit from that sub-shell.
Bug in pam_keyinit. In kill_keyrings() it sets effective uid instead of the real
David, IMO real uid is important for kernel keyrings or am I wrong?
This should be fixed for RHEL5 final.
Ah so my comment #1 was wrong as revoking the keyrings must be done with
effective uid set to user id. So we must switch the order of setreuid and
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release. Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release. This request is not yet committed for
Fixed in pam-0.99.6.2-3.4.el5
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.