Bug 624489 - pam_nologin should be migrated to use /var/run/nologin
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All Linux
low
low
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2010-08-16 15:58 UTC by Matthew Miller
Modified: 2011-11-24 14:17 UTC

Fixed In Version: pam-1.1.4-1.fc15
Doc Type: Enhancement
Last Closed: 2011-11-24 14:17:35 UTC

Description Matthew Miller 2010-08-16 15:58:40 UTC
Right now, pam_nologin and its various services use /etc/nologin. FreeBSD (and others?) have migrated to /var/run/nologin, which makes more sense.

We should, eventually, move to using that, and migrate all daemons and pam configurations which use this file to the new location.

Comment 1 Lennart Poettering 2010-08-16 16:13:59 UTC
For a short while pam_nologin could check for both files, to provide compatibility with existing tools.

Comment 2 Matthew Miller 2010-08-16 16:23:02 UTC
Also, openssh checks for the file directly, if PAM is not enabled. PAM *is* of course enabled in our default configuration, so I'm not sure how much of a concern that is.

Comment 3 Tomas Mraz 2010-08-16 16:33:44 UTC
The compatibility check would be definitely needed. I'll write a patch and talk
with other upstream developers about what they think of the path change. Also
note that pam_nologin can be explicitly configured to look into a specified
path.

For openssh you can open a bug against it.

Comment 4 Lennart Poettering 2010-08-17 16:18:43 UTC
Any chance we can get this in for f14? Would love to make this change in systemd before f14.

Comment 5 Matthew Miller 2010-08-17 16:28:00 UTC
(In reply to comment #4)
> Any chance we can get this in for f14? Would love to make this change in
> systemd before f14.

I think we're a little bit late in the development cycle for that. I wish I'd thought of it sooner. Anyway, it might be good for systemd to be versatile as to the location of the file, in order to support different behavior across different Linux distributions and even platforms.

Comment 6 Lennart Poettering 2010-08-17 17:03:22 UTC
Nah, shouldn't be too late. I think the fallout from moving one flag file which is accessed by <= 3 pkgs is something we can deal with.

Comment 7 Matthew Miller 2010-08-17 17:14:20 UTC
There's also a documentation and release-notes change, since this file can be (and often is) created manually. There's a lot of stuff like (first google result) http://techgurulive.com/2008/10/11/how-to-restrict-login-attempts-etcnologin/ out there.

I wouldn't even suggest the change if FreeBSD didn't already have it in the "sensible" place.

Comment 8 Lennart Poettering 2010-08-18 19:21:39 UTC
Well, if pam_nologin checks both the old and the new flag file then all existing documentation would still be correct and just fine. And then in F15 or F16 we could remove support for the old flag file and make sure the documentation is updated too.

I don't see why we should delay the switch. If Tomas gives me the OK then I could switch what flag file /sbin/shutdown writes in minutes. All that matters is that PAM is updated at the same time, so that it actually considers the flag file I write. Tomas?

Comment 9 Lennart Poettering 2010-10-07 18:21:43 UTC
Seems PAM 1.1.2 now does this. I'll fix systemd to write only /var/run/nologin from now on.

Tomas, thanks for the fix!
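
Added example, not part of the bug thread and not the PAM patch: a C sketch of the compatibility lookup proposed in comments 1 and 8, which tries /var/run/nologin first and falls back to /etc/nologin, with root exempt as pam_nologin documents. The function names and the choice to treat a file that cannot be opened as absent are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Paths named in this bug: new location first, legacy location as fallback. */
static const char *const NOLOGIN_PATHS[] = { "/var/run/nologin", "/etc/nologin" };
enum login_verdict { LOGIN_ALLOW = 0, LOGIN_DENY = 1 };

/* Return the first candidate that can be opened for reading, or NULL if none
 * can. On a hit, up to msglen-1 bytes of the administrator's notice go to msg. */
const char *find_nologin(const char *const *paths, size_t n,
                         char *msg, size_t msglen)
{
    for (size_t i = 0; i < n; i++) {
        int fd = open(paths[i], O_RDONLY);
        if (fd < 0)
            continue;   /* sketch assumption: unopenable counts as absent */
        if (msg && msglen > 0) {
            ssize_t got = read(fd, msg, msglen - 1);
            msg[got > 0 ? got : 0] = '\0';
        }
        close(fd);
        return paths[i];
    }
    if (msg && msglen > 0)
        msg[0] = '\0';
    return NULL;
}

/* Flag present: deny everyone except uid 0. Flag absent: allow. */
enum login_verdict nologin_verdict(const char *const *paths, size_t n,
                                   uid_t uid, char *msg, size_t msglen)
{
    return (find_nologin(paths, n, msg, msglen) != NULL && uid != 0)
               ? LOGIN_DENY : LOGIN_ALLOW;
}

int main(void)
{
    char msg[256];
    enum login_verdict v =
        nologin_verdict(NOLOGIN_PATHS, 2, getuid(), msg, sizeof msg);
    printf("%s\n%s", v == LOGIN_DENY ? "deny" : "allow", msg);
    return 0;
}
```

Because the legacy path stays in the list, a flag file created by older tooling or by hand per existing documentation still blocks non-root logins during the transition.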

