Bug 737906 - pam_exec issues after 1.1.4 update
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam
Version: 15
Hardware: x86_64 Linux
Priority: unspecified, Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-09-13 07:23 EDT by Andrew Travneff
Modified: 2011-09-14 03:13 EDT
Last Closed: 2011-09-13 17:56:32 EDT
Description Andrew Travneff 2011-09-13 07:23:40 EDT
Description of problem:

pam_exec.so now fails to execute a shell.


Version-Release number of selected component:

Current versions from fedora repos:
pam-1.1.4-4.fc15.x86_64
util-linux-2.19.1-1.4.fc15.x86_64
kernel 2.6.40.4-5.fc15.x86_64


Steps to Reproduce:

1. Add to /etc/pam.d/login
a) `session    optional     pam_exec.so debug log=/tmp/pam.log /root/test.sh`
or
b) `session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c "sleep 5"`

2. Log in as any user. Observe an error like the following:
a)
localhost.localdomain login: test
Password:
/root/test.sh failed: exit code 13

b)
localhost.localdomain login: test
Password:
/bin/bash failed: exit code 1
Comment 1 Tomas Mraz 2011-09-13 17:56:32 EDT
I do not think this is a real regression or even a bug at all.

In the case of /root/test.sh, either you do not have the file with executable permission or, even if you do, SELinux will prevent login from executing scripts from the /root/ directory. The script should be placed in some place where executables should be held. Perhaps /usr/local/bin would be appropriate for you (and if you move the script from /root, do not forget to call restorecon on it).

In the case of /bin/bash -c "sleep 5": this never worked; the line should be:
`session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c [sleep 5]`
The " characters have to be replaced with [], as this is the marker for merging multiple space-separated words into a single argument in the PAM configuration file.
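
The tokenization rule from comment 1, as an added example that is not part of the bug report or Linux-PAM's own code: a simplified Python model of the argument rules documented in pam.conf(5), showing what pam_exec.so receives for each form of the line. The names `split_pam_args` and `quoted_fragments` are hypothetical, and rejecting an unclosed `[` is this example's choice.

```python
# Added example: simplified model of the argument rules in pam.conf(5),
# not Linux-PAM's own parser.

def split_pam_args(text):
    """Split the module-arguments part of a PAM configuration line.

    Whitespace separates arguments. [ ... ] forms one argument that may
    contain spaces; inside it, \\] is a literal ']'. Quotes are ordinary
    characters.
    """
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "[":
            i += 1
            buf = []
            while i < n and text[i] != "]":
                if text.startswith("\\]", i):
                    buf.append("]")
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                # Choice made by this example: reject an unclosed bracket.
                raise ValueError("unterminated '[' in PAM arguments")
            i += 1  # consume the closing ']'
            args.append("".join(buf))
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            args.append(text[start:i])
    return args

def quoted_fragments(args):
    """Return arguments that contain a quote character (passed through literally)."""
    return [a for a in args if '"' in a or "'" in a]

# Module arguments of the two pam_exec.so lines discussed in this report.
QUOTED = 'debug log=/tmp/pam.log /bin/bash -c "sleep 5"'
BRACKETED = 'debug log=/tmp/pam.log /bin/bash -c [sleep 5]'

if __name__ == "__main__":
    for line in (QUOTED, BRACKETED):
        args = split_pam_args(line)
        print(args, "suspicious:", quoted_fragments(args))
```

Running `quoted_fragments` over the arguments of every line under /etc/pam.d is a quick way to find entries written with shell-style quoting.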
Comment 2 Andrew Travneff 2011-09-14 03:13:43 EDT
You are right, it was SELinux related. Maybe I've missed sealert notifications, sorry.
Thanks.
