Bug 624489 - pam_nologin should be migrated to use /var/run/nologin
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2010-08-16 11:58 EDT by Matthew Miller
Modified: 2011-11-24 09:17 EST
Fixed In Version: pam-1.1.4-1.fc15
Doc Type: Enhancement
Last Closed: 2011-11-24 09:17:35 EST
Description Matthew Miller 2010-08-16 11:58:40 EDT
Right now, pam_nologin and its various services use /etc/nologin. FreeBSD (and others?) have migrated to /var/run/nologin, which makes more sense.

We should, eventually, move to using that, and migrate all daemons and pam configurations which use this file to the new location.
Comment 1 Lennart Poettering 2010-08-16 12:13:59 EDT
For a short while pam_nologin could check for both files, to provide compatibility with existing tools.
Comment 2 Matthew Miller 2010-08-16 12:23:02 EDT
Also, openssh checks for the file directly, if PAM is not enabled. PAM *is* of course enabled in our default configuration, so I'm not sure how much of a concern that is.
Comment 3 Tomas Mraz 2010-08-16 12:33:44 EDT
The compatibility check would definitely be needed. I'll write a patch and talk with other upstream developers about what they think of the path change. Also note that pam_nologin can be explicitly configured to look into a specified path.

For openssh you can open a bug against it.
Comment 4 Lennart Poettering 2010-08-17 12:18:43 EDT
Any chance we can get this in for f14? Would love to make this change in systemd before f14.
Comment 5 Matthew Miller 2010-08-17 12:28:00 EDT
(In reply to comment #4)
> Any chance we can get this in for f14? Would love to make this change in
> systemd before f14.

I think we're a little bit late in the development cycle for that. I wish I'd thought of it sooner. Anyway, it might be good for systemd to be versatile as to the location of the file, in order to support different behavior across different Linux distributions and even platforms.
Comment 6 Lennart Poettering 2010-08-17 13:03:22 EDT
Nah, shouldn't be too late. I think the fallout from moving one flag file which is accessed by <= 3 pkgs is something we can deal with.
Comment 7 Matthew Miller 2010-08-17 13:14:20 EDT
There's also a documentation and release-notes change, since this file can be (and often is) created manually. There's a lot of stuff like (first Google result) http://techgurulive.com/2008/10/11/how-to-restrict-login-attempts-etcnologin/ out there.

I wouldn't even suggest the change if FreeBSD didn't already have it in the "sensible" place.
Comment 8 Lennart Poettering 2010-08-18 15:21:39 EDT
Well, if pam_nologin checks both the old and the new flag file then all existing documentation would still be correct and just fine. And then in F15 or F16 we could remove support for the old flag file and make sure the documentation is updated too.

I don't see why we should delay the switch. If Tomas gives me the OK then I could switch what flag file /sbin/shutdown writes in minutes. All that matters is that PAM is updated at the same time, so that it actually considers the flag file I write. Tomas?
Comment 9 Lennart Poettering 2010-10-07 14:21:43 EDT
Seems PAM 1.1.2 now does this. I'll fix systemd to write only /var/run/nologin from now on.

Tomas, thanks for the fix!
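
The compatibility check proposed in comments 1, 3 and 8, as an added example (not code from this bug or from Linux-PAM): the new path is consulted first and the legacy path second, and root is exempt as with pam_nologin. The function name, the result enum and the order of the two checks are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum nologin_result { LOGIN_ALLOWED = 0, LOGIN_DENIED = 1 };

/* Candidate flag files, in the order they are consulted (order is an assumption). */
static const char *const NOLOGIN_PATHS[] = { "/var/run/nologin", "/etc/nologin" };

/* The first candidate that exists as a regular file decides the outcome:
 * its text is copied to msg, and every user except root is refused. */
static enum nologin_result
nologin_check(const char *const paths[], size_t npaths, uid_t uid,
              char *msg, size_t msglen)
{
    if (msglen > 0)
        msg[0] = '\0';
    for (size_t i = 0; i < npaths; i++) {
        /* O_NONBLOCK: a FIFO at the path must not block the login process. */
        int fd = open(paths[i], O_RDONLY | O_NONBLOCK | O_NOCTTY);
        struct stat st;
        if (fd == -1)
            continue;                 /* absent or unreadable: try the next path */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
            ssize_t n = msglen > 1 ? read(fd, msg, msglen - 1) : 0;
            if (msglen > 0)
                msg[n > 0 ? n : 0] = '\0';
            close(fd);
            return uid == 0 ? LOGIN_ALLOWED : LOGIN_DENIED;
        }
        close(fd);                    /* directory, device, FIFO: not a flag file */
    }
    return LOGIN_ALLOWED;
}

int main(void)
{
    char msg[256];
    enum nologin_result r = nologin_check(NOLOGIN_PATHS, 2, getuid(), msg, sizeof msg);
    printf("%s%s", msg, r == LOGIN_DENIED ? "login denied\n" : "login allowed\n");
    return r;
}
```

A tool that still writes only `/etc/nologin` keeps working during the transition, which is the point made in comment 8.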
