Bug 596887 - ksu with pam occasionally fails
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.5
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Keywords: ZStream
Depends On:
Blocks: 596937 602967
Reported: 2010-05-27 13:40 EDT by Jeff Bastian
Modified: 2016-01-22 12:07 EST
Fixed In Version: krb5-1.6.1-41.el5
Doc Type: Bug Fix
Clones: 596937
Last Closed: 2011-01-13 18:52:53 EST
Attachments
proposed patch (6.23 KB, patch)
2010-05-27 17:05 EDT, Nalin Dahyabhai

Description Jeff Bastian 2010-05-27 13:40:44 EDT
Description of problem:
ksu had pam support added with bug 477033.  It's occasionally failing with an error, "Error opening session for <USERNAME>".

Adding "[ksu] { use_pam = false }" to /etc/krb5.conf "fixes" the problem by disabling pam usage, but this also removes the other pam modules from the mix like pam_access.


Version-Release number of selected component (if applicable):
krb5-workstation-1.6.1-36.el5_4.1.x86_64

How reproducible:
occasionally

Steps to Reproduce:
1. configure system for kerberos
2. ksu username
  
Actual results:
Error opening session for <USERNAME>

Expected results:
become the <USERNAME> user

Comment 7 Nalin Dahyabhai 2010-05-27 17:05:50 EDT
Created attachment 417384
proposed patch

This moves the pam_session_open() call earlier, to do it before switching to the target user's privileges.  Incorporates currently-proposed changes for bug #540769 because they're intertwined.

Comment 24 errata-xmlrpc 2011-01-13 18:52:53 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html
