Bug 596887 - ksu with pam occasionally fails
Summary: ksu with pam occasionally fails
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.5
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks: 596937 602967
TreeView+ depends on / blocked
 
Reported: 2010-05-27 17:40 UTC by Jeff Bastian
Modified: 2018-11-14 19:28 UTC (History)
5 users (show)

(edit)
Clone Of:
: 596937 (view as bug list)
(edit)
Last Closed: 2011-01-13 23:52:53 UTC


Attachments (Terms of Use)
proposed patch (6.23 KB, patch)
2010-05-27 21:05 UTC, Nalin Dahyabhai
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0098 normal SHIPPED_LIVE krb5 bug fix and enhancement update 2011-01-12 17:39:25 UTC

Description Jeff Bastian 2010-05-27 17:40:44 UTC
Description of problem:
ksu had pam support added with bug 477033.  It's occasionally failing with an error, "Error opening session for <USERNAME>".

Adding "[ksu] { use_pam = false }" to /etc/krb5.conf "fixes" the problem by disabling pam usage, but this also removes the other pam modules from the mix like pam_access.


Version-Release number of selected component (if applicable):
krb5-workstation-1.6.1-36.el5_4.1.x86_64

How reproducible:
occasionally

Steps to Reproduce:
1. configure system for kerberos
2. ksu username
  
Actual results:
Error opening session for <USERNAME>

Expected results:
become the <USERNAME> user

Comment 7 Nalin Dahyabhai 2010-05-27 21:05:50 UTC
Created attachment 417384 [details]
proposed patch

This moves the pam_session_open() call earlier, to do it before switching to the target user's privileges.  Incorporates currently-proposed changes for bug #540769 because they're intertwined.

Comment 24 errata-xmlrpc 2011-01-13 23:52:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html


Note You need to log in before you can comment on or make changes to this bug.