Red Hat Bugzilla – Bug 742403
disconnect between /etc/login.defs and /etc/pam.d/system-auth-ac
Last modified: 2012-09-25 16:27:56 EDT
Description of problem:
There are hard-coded uid constants in /etc/login.defs and /etc/pam.d/system-auth-ac which should not be allowed to get out of sync.
Version-Release number of selected component (if applicable):
1. UID_MIN 500
2. auth requisite pam_succeed_if.so uid >= 500 quiet
1. UID_MIN 500
2. auth requisite pam_succeed_if.so uid >= $UID_MIN quiet
It is all very nice having an authconfig to try and tie everything together but it would be better, and more robust, for individual config files that actually depend on each other to properly share whatever they have in common.
You cannot have it both ways - want to retain simple flat config files yet have a higher-level configuration utility - if the simple config files are inherently broken in their implementation. If the simple config files are going to be inherently broken then you might as well totally remove accessible simple config files and only have the authconfig configuration utility.
If these two config files get out of sync - which is quite easy - then useradd etc. are going to create users whose uids don't properly match what pam is configured for. Very bad. Very sloppy.
Instead, both /etc/login.defs and /etc/pam.d/system-auth-ac need to somehow share the same value (e.g. 500). They might source or include a common file. Or somehow /etc/security/pam_env.conf can contain the definition and /etc/login.defs can share that definition.
Hard-coded constants in independent config files are about the worst possible sin that can possibly be committed. Very bad. Very sloppy.
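Until the two files share one definition, the drift described in this report can at least be detected. The following is an added example, not part of the original bug report or of any Red Hat tool: it compares UID_MIN from login.defs with every pam_succeed_if.so uid test in a PAM file. The function names and the embedded file contents are constructed for illustration, and UID_MIN is assumed to be written in decimal.

```python
import re

# Constructed sample contents (not read from a live system).
LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
"""
PAM_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
"""

def login_defs_uid_min(text):
    """Return UID_MIN from login.defs text, or None if it is not set."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "UID_MIN":
            return int(fields[1])  # assumption: decimal value
    return None

# pam_succeed_if takes "field op value" as three arguments, e.g. "uid >= 500".
PAM_UID_TEST = re.compile(r"\buid\s+(>=|>|<=|<)\s+(\d+)\b")

def pam_uid_thresholds(text):
    """Yield (line_no, operator, value) for each pam_succeed_if uid test."""
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0]
        if "pam_succeed_if.so" not in body:
            continue
        m = PAM_UID_TEST.search(body)
        if m:
            yield no, m.group(1), int(m.group(2))

def find_drift(login_defs_text, pam_text):
    """Return the PAM uid tests whose threshold differs from UID_MIN."""
    uid_min = login_defs_uid_min(login_defs_text)
    if uid_min is None:
        raise ValueError("UID_MIN not set in login.defs")
    return [t for t in pam_uid_thresholds(pam_text) if t[2] != uid_min]

if __name__ == "__main__":
    for no, op, val in find_drift(LOGIN_DEFS, PAM_SYSTEM_AUTH):
        print(f"system-auth-ac line {no}: uid {op} {val} does not match UID_MIN")
```

On a real host, pass the contents of /etc/login.defs and /etc/pam.d/system-auth-ac to `find_drift` and treat a non-empty result as a configuration error.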