Description of problem:

While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases. It's always set to the service name, "wbem". I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.

To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root. By default this should not work, but it does. If you change the access.conf file from:

    -: ALL EXCEPT pegasus:wbemNetwork

to:

    -: ALL EXCEPT pegasus:wbem

and retry accessing PG_ComputerSystem, the request fails as it is supposed to.

Looking at the differences between the local-or-remote-auth patch in tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.

Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.
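Why the tty name decides the outcome, as an added example (not Pegasus or Linux-PAM code, and not part of the original report): a simplified Python model of how pam_access evaluates the two access.conf rules quoted above. It assumes the PAM tty name is used as the origin when no remote host is set; the function names are hypothetical, and only literal names, ALL and EXCEPT are modelled.

```python
# Simplified model of pam_access rule evaluation (added example).
# Real pam_access also handles groups, netgroups, hostnames and networks;
# this model covers only literal names, ALL and EXCEPT.

def list_match(tokens, item):
    """Match item against a token list with an optional EXCEPT tail."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        # "A EXCEPT B" matches when A matches and B does not.
        return list_match(tokens[:i], item) and not list_match(tokens[i + 1:], item)
    return any(t == "ALL" or t == item for t in tokens)


def parse_rule(line):
    """Split 'permission:users:origins' into its three fields."""
    perm, users, origins = (field.strip() for field in line.split(":", 2))
    if perm not in ("+", "-"):
        raise ValueError("bad permission field: %r" % perm)
    return perm, users.split(), origins.split()


def access_allowed(rules, user, origin):
    """The first rule matching (user, origin) decides; no match means allow."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = parse_rule(line)
        if list_match(users, user) and list_match(origins, origin):
            return perm == "+"
    return True


# Rules taken from the report; the user/origin combinations are constructed.
DEFAULT_RULE = ["-: ALL EXCEPT pegasus:wbemNetwork"]
CHANGED_RULE = ["-: ALL EXCEPT pegasus:wbem"]

if __name__ == "__main__":
    for rules, user, tty in [
        (DEFAULT_RULE, "root", "wbemNetwork"),  # tty set per connection type
        (DEFAULT_RULE, "root", "wbem"),         # tty always the service name
        (DEFAULT_RULE, "pegasus", "wbemNetwork"),
        (CHANGED_RULE, "root", "wbem"),
    ]:
        verdict = "allow" if access_allowed(rules, user, tty) else "deny"
        print("%-36s user=%-8s tty=%-12s -> %s" % (rules[0], user, tty, verdict))
```

With the tty fixed to "wbem", the default deny rule never matches the origin, so evaluation falls through to the implicit allow; that is the behaviour the report describes.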
I investigated it and you are right. It looks like a mistake when rebasing to the 2.7.x branch. As far as I know, the local-or-remote-auth patch should be part of upstream code in the near future, so I will check or fix it.
Created attachment 320192: fixed local-or-remote-patch

Proposed patch (NOT tested yet!). Not very nice, but it's only a provisional solution until this functionality is part of upstream.
This issue affects all versions of the tog-pegasus package, as shipped with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10. This issue does NOT affect the versions of the tog-pegasus package, as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8.
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/tog-pegasus-2.7.1-3.fc10
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tog-pegasus-2.7.0-7.fc9
This issue was addressed in:

Red Hat Enterprise Linux:
    http://rhn.redhat.com/errata/RHSA-2008-1001.html

Fedora:
    https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10061
    https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9688