Bug 245578 - login's "remote" PAM configuration inits the keyring at an inconvenient time
Summary: login's "remote" PAM configuration inits the keyring at an inconvenient time
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: util-linux
Version: 5.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 198623
TreeView+ depends on / blocked
 
Reported: 2007-06-25 14:50 UTC by Nalin Dahyabhai
Modified: 2011-01-13 23:43 UTC (History)
3 users (show)

Fixed In Version: 2.13-0.52.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-13 23:43:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0085 0 normal SHIPPED_LIVE util-linux bug fix update 2011-01-12 17:29:18 UTC

Description Nalin Dahyabhai 2007-06-25 14:50:06 UTC 
Description of problem:
The third comment in bug #198623 points out that the keyring should be
initialized before the rest of the PAM session modules are called, but in
/etc/pam.d/remote, pam_keyinit.so called last.


Version-Release number of selected component (if applicable):
2.13-0.44
Comment 1 Nalin Dahyabhai 2007-06-25 15:34:11 UTC 
Somehow I missed that the "login" configuration has the same problem, but
it appears to as well.
Comment 2 Karel Zak 2007-07-09 11:28:59 UTC 
Well, there is also "pam_selinux close" that should be the first PAM session
module, I've moved the pam_keyinit behind the pam_selinux. Updated version:


#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the
user context
session    required     pam_selinux.so open
session    optional     pam_ck_connector.so


ok?
Comment 3 Karel Zak 2007-07-09 11:31:11 UTC 
(Note, I'm changing this in devel & F7 now.)
Comment 4 Nalin Dahyabhai 2007-07-09 13:58:41 UTC 
I think so -- the SELinux module doesn't interact with the keyring (to
double-check, running ldd on pam_selinux.so didn't list the keyutils library, so
I'm pretty sure), so that should be fine.

The important thing on my test box is that the keyring is set up before pam_krb5
is run, because it may put AFS session data in the keyring.

Thanks!
Comment 5 Fedora Update System 2007-07-11 15:16:55 UTC 
util-linux-2.13-0.52.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2007-07-18 20:57:19 UTC 
util-linux-2.13-0.52.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 RHEL Program Management 2007-12-03 20:43:31 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 13 errata-xmlrpc 2011-01-13 23:43:38 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0085.html
Note You need to log in before you can comment on or make changes to this bug.