Bug 442565 - pam_sepermit exclusive does not work with gnome-screensaver
Product: Fedora
Classification: Fedora
Component: pam
All Linux
low Severity low
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Reported: 2008-04-15 11:21 EDT by Daniel Walsh
Modified: 2008-05-21 03:54 EDT
Fixed In Version: Fedora 9
Doc Type: Bug Fix
Last Closed: 2008-05-21 03:54:45 EDT

Attachments
I was thinking just check for uid==0 (871 bytes, application/octet-stream), 2008-04-15 12:00 EDT, Daniel Walsh
Base decision on euid (581 bytes, patch), 2008-04-15 12:34 EDT, Tomas Mraz

Description Daniel Walsh 2008-04-15 11:21:02 EDT
Description of problem:

 sepermit should only check exclusive if it is running as root, otherwise it
sees itself and fails.
Comment 1 Tomas Mraz 2008-04-15 11:41:07 EDT
I was thinking about this and I simply think that pam_sepermit should not be
added to the gnome-screensaver pam configuration at all (and use for example
'auth sufficient pam_succeed_if.so user = xguest') or there should be an option
to ignore the exclusive flags in the configuration file which would be used with
pam_sepermit and screensaver.
Comment 2 Daniel Walsh 2008-04-15 12:00:02 EDT
Created attachment 302484
I was thinking just check for uid==0
Comment 3 Daniel Walsh 2008-04-15 12:00:51 EDT
This patch works for me.

The problem with hard coding xguest is it forces users to edit the pam stack.
Comment 4 Tomas Mraz 2008-04-15 12:34:56 EDT
Created attachment 302491
Base decision on euid

The decision should be based on effective uid rather than on real. Also I moved
the test a little bit later - there might be some more flags added in future.
The question is whether adding an explicit option to the module to ignore the
exclusive flag could be useful or not. But as I see it currently this patch
should be sufficient.
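
A sketch of the behaviour discussed in comments 1 to 4, added here as an example: it is not the attached patch (whose contents are not shown on this page) and not pam_sepermit's own code. The helpers `count_user_processes` and `exclusive_login_allowed` are hypothetical, and counting the user's entries in /proc is an assumed stand-in for the module's exclusive test.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: count processes in /proc owned by `uid`.
 * Returns -1 if /proc cannot be read. */
static int count_user_processes(uid_t uid)
{
    DIR *proc = opendir("/proc");
    struct dirent *ent;
    int count = 0;

    if (proc == NULL)
        return -1;
    while ((ent = readdir(proc)) != NULL) {
        char path[300];
        struct stat st;

        if (!isdigit((unsigned char)ent->d_name[0]))
            continue;                       /* not a PID directory */
        snprintf(path, sizeof(path), "/proc/%s", ent->d_name);
        if (stat(path, &st) == 0 && st.st_uid == uid)
            count++;
    }
    closedir(proc);
    return count;
}

/* Hypothetical decision: 1 = allow, 0 = deny.
 * A caller running as the target user (a screensaver, for instance)
 * always finds at least its own process, so the exclusive test is
 * applied only when the effective uid is 0. */
static int exclusive_login_allowed(uid_t caller_euid, uid_t target_uid)
{
    if (caller_euid != 0)
        return 1;                           /* unprivileged caller: skip the test */
    return count_user_processes(target_uid) == 0;
}

int main(void)
{
    uid_t me = geteuid();
    printf("processes owned by uid %u: %d\n", (unsigned)me, count_user_processes(me));
    printf("allowed when gated on euid: %d\n", exclusive_login_allowed(me, me));
    return 0;
}
```
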
Comment 5 Daniel Walsh 2008-04-15 13:13:25 EDT
Ok, I was debating whether to put it there.  I can never remember the correct
get*uid call to call.

Can you get this out for Fedora 9?
Comment 6 Bug Zapper 2008-05-14 05:29:31 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
