Bug 429169
| Summary: | pam_tally2 in system-auth prevents gnome-screensaver from unlocking | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Bryan Schneiders <bschneiders> |
| Component: | pam | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.0 | CC: | bschneiders, ohudlick, sgrubb |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-02 11:24:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Bryan Schneiders
2008-01-17 18:31:31 UTC
Additional verification and work arounds. http://www.mail-archive.com/rhelv5-list@redhat.com/msg00022.html The question is what can we do with that. 1) There are some easy workarounds - use onerr=succeed instead of onerr=fail 2) second workaround - prepend auth [success=1 default=ignore] pam_succeed_if.so service in xscreensaver:gnome-screensaver:kscreensaver just before the auth ... pam_tally2.so... 3) patch pam_tally2 so it ignores the open error when euid != 0 even if onerr=fail Making pam_tally2 fully work would require setuid helper which could easily reset the tally count for an user even if it wouldn't be a real login success so it would be potential security hole. So I don't think it is an option. Actually the pam_tally2 already should return PAM_IGNORE in case the tallylog open fails due to permissions but the code wrongly tests for EPERM instead of EACCES. It should be fixed. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1358.html |