Description of problem:
I get lots of messages like this in /var/log/secure:

Oct 25 11:30:18 cyberelk su: pam_keyinit(su-l:session): Unable to change GID to 501 temporarily

Is this likely to be a pam_keyinit problem or a coreutils problem?

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.fc6
coreutils-5.97-11

How reproducible:
100%

Steps to Reproduce:
1. As root, 'su - someuser'
2. Exit from that sub-shell.
Bug in pam_keyinit. In kill_keyrings() it sets effective uid instead of the real uid. David, IMO real uid is important for kernel keyrings or am I wrong?
This should be fixed for RHEL5 final.
Ah, so my comment #1 was wrong, as revoking the keyrings must be done with the effective uid set to the user id. So we must switch the order of the setreuid and setregid calls.
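The ordering fix described in the comment above, sketched as an added example (this is not pam_keyinit's code; the helper names and the use of 501 as the UID are assumptions). The GID is changed while the effective UID is still privileged, and the restore runs in the reverse order.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Helper names are hypothetical; this is not pam_keyinit's source. */
struct saved_ids { uid_t euid; gid_t egid; };

/* Temporarily take on uid/gid. The GID goes first: once the effective
 * UID is non-zero the process can no longer pick an arbitrary GID. */
int assume_ids(uid_t uid, gid_t gid, struct saved_ids *old)
{
    old->euid = geteuid();
    old->egid = getegid();
    if (setregid((gid_t)-1, gid) < 0)
        return -1;
    if (setreuid((uid_t)-1, uid) < 0) {
        int e = errno;
        if (setregid((gid_t)-1, old->egid) < 0)   /* undo the half switch */
            perror("setregid (rollback)");
        errno = e;
        return -1;
    }
    return 0;
}

/* Restore in the reverse order: effective UID back first, then the GID. */
int restore_ids(const struct saved_ids *old)
{
    if (setreuid((uid_t)-1, old->euid) < 0)
        return -1;
    return setregid((gid_t)-1, old->egid);
}

int main(void)
{
    struct saved_ids old;
    /* 501 is the GID from the log line; using it as the UID too is an
     * assumption. Without root, fall back to the caller's own IDs. */
    uid_t uid = geteuid() == 0 ? 501 : geteuid();
    gid_t gid = geteuid() == 0 ? 501 : getegid();

    if (assume_ids(uid, gid, &old) < 0) { perror("assume_ids"); return 1; }
    printf("running as euid=%d egid=%d\n", (int)geteuid(), (int)getegid());
    /* work that needs the user's effective IDs would run here */
    if (restore_ids(&old) < 0) { perror("restore_ids"); return 1; }
    printf("restored euid=%d egid=%d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```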
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Fixed in pam-0.99.6.2-3.4.el5
A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.