Bug 737906 - pam_exec issues after 1.1.4 update
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam
Version: 15
Hardware: x86_64
OS: Linux
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-09-13 11:23 UTC by Andrew Travneff
Modified: 2011-09-14 07:13 UTC

Doc Type: Bug Fix
Last Closed: 2011-09-13 21:56:32 UTC



Description Andrew Travneff 2011-09-13 11:23:40 UTC
Description of problem:

pam_exec.so now fails to execute a shell.


Version-Release number of selected component:

Current versions from Fedora repos:
pam-1.1.4-4.fc15.x86_64
util-linux-2.19.1-1.4.fc15.x86_64
kernel 2.6.40.4-5.fc15.x86_64


Steps to Reproduce:

1. Add to /etc/pam.d/login
a) `session    optional     pam_exec.so debug log=/tmp/pam.log /root/test.sh`
or
b) `session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c "sleep 5"`

2. Log in with any user. Observe an error like the following:
a)
localhost.localdomain login: test
Password:
/root/test.sh failed: exit code 13

b)
localhost.localdomain login: test
Password:
/bin/bash failed: exit code 1

Comment 1 Tomas Mraz 2011-09-13 21:56:32 UTC
I do not think this is a real regression or even a bug at all.

In the case of /root/test.sh, either you do not have the file with executable permission or, even if you do, SELinux will prevent login from executing scripts from the /root/ directory. The script should be placed in some place where executables should be held. Perhaps /usr/local/bin would be appropriate for you (and if you move the script from /root, do not forget to call restorecon on it).

In the case of /bin/bash -c "sleep 5", this never worked; the line should be:
`session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c [sleep 5]`
The " characters have to be replaced with [] as this is the marker for merging multiple space-separated words into a single argument in the PAM configuration file.
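
The splitting rule described in Comment 1, as an added example that is not part of the bug report and is not Linux-PAM code: a simplified Python model of how the two configuration lines from the report turn into the argument vector handed to the command. The function names are hypothetical, and the example assumes that pam_exec options come first and that the command is the first argument starting with `/`.

```python
# Added illustration: a simplified model of PAM argument splitting, not libpam code.
def split_pam_args(text):
    """Split module arguments as pam.conf(5) describes: whitespace separates
    arguments, [ ... ] groups words into one argument, and double quotes
    have no special meaning."""
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "[":
            i += 1
            buf = []
            while i < n and text[i] != "]":
                if text[i] == "\\" and i + 1 < n and text[i + 1] == "]":
                    buf.append("]")  # \] is a literal ] inside brackets
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated [ in module arguments")
            i += 1  # skip the closing ]
            args.append("".join(buf))
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            args.append(text[start:i])
    return args


def exec_argv(config_line):
    """Return the argv the command would receive for a pam_exec line."""
    fields = config_line.split(None, 3)  # type, control, module, arguments
    if len(fields) < 4 or not fields[2].endswith("pam_exec.so"):
        raise ValueError("not a pam_exec line with arguments")
    args = split_pam_args(fields[3])
    # Assumption of this example: options (debug, log=...) come first and
    # the command is the first argument that starts with "/".
    for idx, arg in enumerate(args):
        if arg.startswith("/"):
            return args[idx:]
    raise ValueError("no command path found")


# The two lines from this report (variant b and the corrected form).
QUOTED = 'session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c "sleep 5"'
BRACKETED = "session    optional     pam_exec.so debug log=/tmp/pam.log /bin/bash -c [sleep 5]"
```

With the quoted form, bash receives `"sleep` as its `-c` string and `5"` as a separate argument; with the bracketed form it receives the single string `sleep 5`.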

Comment 2 Andrew Travneff 2011-09-14 07:13:43 UTC
You are right, it was SELinux related. Maybe I've missed sealert notifications, sorry.
Thanks.

