Red Hat Bugzilla – Bug 624489
pam_nologin should be migrated to use /var/run/nologin
Last modified: 2011-11-24 09:17:35 EST
Right now, pam_nologin and its various services use /etc/nologin. FreeBSD (and others?) have migrated to /var/run/nologin, which makes more sense.
We should, eventually, move to using that, and migrate all daemons and pam configurations which use this file to the new location.
For a short while pam_nologin could check for both files, to provide compatibility with existing tools.
Also, openssh checks for the file directly, if PAM is not enabled. PAM *is* of course enabled in our default configuration, so I'm not sure how much of a concern that is.
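The compatibility check proposed above (look for the flag file at both the new and the old location), written out as an added example in Python; this is not code from the bug, from pam_nologin or from systemd. It mirrors pam_nologin's documented behaviour, where an existing flag file blocks everyone except root and its contents become the message shown to the user; the lookup order (new path first) and the temporary-directory demo with constructed flag files are the example's own assumptions.

```python
"""Dual-location nologin check (added example, not pam_nologin's own code)."""
import os
import tempfile

# Candidate flag-file locations. The new location is listed first so it wins
# once daemons have migrated; the old path is kept for compatibility with
# tools and documentation that still create /etc/nologin by hand.
# (Order is this example's assumption.)
NOLOGIN_PATHS = ("/var/run/nologin", "/etc/nologin")


def find_nologin_file(paths=NOLOGIN_PATHS):
    """Return the first existing flag file from `paths`, or None."""
    for path in paths:
        if os.path.isfile(path):
            return path
    return None


def check_login(uid, paths=NOLOGIN_PATHS):
    """Mimic pam_nologin's decision for a user with numeric id `uid`.

    Returns (allowed, message). With no flag file present everybody may log
    in. If a flag file exists, its contents are the message to display and
    only uid 0 (root) is still allowed in.
    """
    path = find_nologin_file(paths)
    if path is None:
        return True, ""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            message = fh.read().strip()
    except OSError:
        message = ""  # an unreadable flag file still blocks logins
    return uid == 0, message


def demo():
    """Exercise the check against constructed flag files in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "etc_nologin")   # stands in for /etc/nologin
        new = os.path.join(tmp, "run_nologin")   # stands in for /var/run/nologin
        paths = (new, old)

        # No flag file at either location: logins allowed.
        results["none"] = check_login(uid=1000, paths=paths)

        # Only the old-style file exists (e.g. created by an admin by hand).
        with open(old, "w") as fh:
            fh.write("System going down for maintenance (old path)\n")
        results["old_only_user"] = check_login(uid=1000, paths=paths)
        results["old_only_root"] = check_login(uid=0, paths=paths)

        # Both exist (e.g. shutdown wrote the new one): new path takes precedence.
        with open(new, "w") as fh:
            fh.write("System going down for maintenance (new path)\n")
        results["both_user"] = check_login(uid=1000, paths=paths)
    return results


if __name__ == "__main__":
    for case, (allowed, message) in demo().items():
        print(f"{case:15} allowed={allowed} message={message!r}")
```

Once the old location is dropped (as suggested later in the thread for a future release), the change is a one-line edit to `NOLOGIN_PATHS`; everything writing the flag file must switch at the same time, otherwise the check silently stops seeing it.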
The compatibility check would definitely be needed. I'll write a patch and talk with other upstream developers about what they think of the path change. Also note that pam_nologin can be explicitly configured to look into a specified
For openssh you can open a bug against it.
Any chance we can get this in for f14? Would love to make this change in systemd before f14.
(In reply to comment #4)
> Any chance we can get this in for f14? Would love to make this change in
> systemd before f14.
I think we're a little bit late in the development cycle for that. I wish I'd thought of it sooner. Anyway, it might be good for systemd to be versatile as to the location of the file, in order to support different behavior across different Linux distributions and even platforms.
Nah, shouldn't be too late. I think the fallout from moving one flag file which is accessed by <= 3 pkgs is something we can deal with.
There's also a documentation and release-notes change, since this file can be (and often is) created manually. There's a lot of stuff like (first google result) http://techgurulive.com/2008/10/11/how-to-restrict-login-attempts-etcnologin/ out there.
I wouldn't even suggest the change if FreeBSD didn't already have it in the "sensible" place.
Well, if pam_nologin checks both the old and the new flag file then all existing documentation would still be correct and just fine. And then in F15 or F16 we could remove support for the old flag file and make sure the documentation is updated too.
I don't see why we should delay the switch. If Tomas gives me the OK then I could switch what flag file /sbin/shutdown writes in minutes. All that matters is that PAM is updated at the same time, so that it actually considers the flag file I write. Tomas?
Seems PAM 1.1.2 now does this. I'll fix systemd to write only /var/run/nologin from now on.
Tomas, thanks for the fix!