596887 – ksu with pam occasionally fails

Bug 596887 - ksu with pam occasionally fails

Summary: ksu with pam occasionally fails

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	krb5
Sub Component:	(Show other bugs)
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Keywords:	ZStream
Depends On:
Blocks:	596937 602967
TreeView+	depends on / blocked

Reported:	2010-05-27 17:40 UTC by Jeff Bastian
Modified:	2018-11-14 19:28 UTC (History)
CC List:	5 users (show)
Fixed In Version:	krb5-1.6.1-41.el5
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Clones:	596937 (view as bug list)
Environment:
Last Closed:	2011-01-13 23:52:53 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---
Dependent Products:

Attachments	(Terms of Use)
proposed patch (6.23 KB, patch) 2010-05-27 21:05 UTC, Nalin Dahyabhai	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0098	normal	SHIPPED_LIVE	krb5 bug fix and enhancement update	2011-01-12 17:39:25 UTC

Description Jeff Bastian 2010-05-27 17:40:44 UTC

Description of problem:
ksu had pam support added with bug 477033.  It's occasionally failing with an error, "Error opening session for <USERNAME>".

Adding "[ksu] { use_pam = false }" to /etc/krb5.conf "fixes" the problem by disabling pam usage, but this also removes the other pam modules from the mix like pam_access.


Version-Release number of selected component (if applicable):
krb5-workstation-1.6.1-36.el5_4.1.x86_64

How reproducible:
occasionally

Steps to Reproduce:
1. configure system for kerberos
2. ksu username
  
Actual results:
Error opening session for <USERNAME>

Expected results:
become the <USERNAME> user

Comment 7 Nalin Dahyabhai 2010-05-27 21:05:50 UTC

Created attachment 417384 [details]
proposed patch

This moves the pam_session_open() call earlier, to do it before switching to the target user's privileges.  Incorporates currently-proposed changes for bug #540769 because they're intertwined.

Comment 24 errata-xmlrpc 2011-01-13 23:52:53 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html

Note You need to log in before you can comment on or make changes to this bug.