Bug 742403 - disconnect between /etc/login.defs and /etc/pam.d/system-auth-ac
Product: Fedora
Classification: Fedora
Component: authconfig
Priority: low, Severity: low
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2011-09-29 21:54 EDT by JW
Modified: 2012-09-25 16:27 EDT

Doc Type: Enhancement
Last Closed: 2012-09-25 16:27:56 EDT

Description JW 2011-09-29 21:54:07 EDT
Description of problem:
There are hard-coded uid constants in /etc/login.defs and /etc/pam.d/system-auth-ac which should not be allowed to get out of sync.

Version-Release number of selected component (if applicable):

How reproducible:
1. UID_MIN                   500
2. auth        requisite     pam_succeed_if.so uid >= 500 quiet

Expected results:
1. UID_MIN                   500
2. auth        requisite     pam_succeed_if.so uid >= $UID_MIN quiet

Additional info:
It is all very nice having an authconfig to try and tie everything together but it would be better, and more robust, for individual config files that actually depend on each other to properly share whatever they have in common.

You cannot have it both ways - want to retain simple flat config files yet have a higher-level configuration utility - if the simple config files are inherently broken in their implementation.  If the simple config files are going to be inherently broken then you might as well totally remove accessible simple config files and only have the authconfig configuration utility.

If these two config files get out of sync - which is quite easy - then useradd etc. are going to create users whose uids don't properly match what pam is configured for. Very bad. Very sloppy.

Instead, both /etc/login.defs and /etc/pam.d/system-auth-ac need to somehow share the same value (e.g. 500).  They might source or include a common file. Or somehow /etc/security/pam_env.conf can contain the definition and /etc/login.defs can share that definition.

Hard-coded constants in independent config files are about the worst possible sin that can possibly be committed. Very bad. Very sloppy.
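
A consistency check for the drift described in this report, as an added example (not code from the report, authconfig or Fedora): it reads UID_MIN from login.defs text and every numeric pam_succeed_if uid comparison from a PAM file, and lists the PAM lines whose boundary disagrees. The file contents are constructed samples with UID_MIN moved to 1000 to show a mismatch; the function names are hypothetical and UID_MIN is assumed to be written in decimal.

```python
import re

# Constructed sample contents (not read from a real system). The PAM
# "auth requisite" line is the one quoted in the report; UID_MIN has drifted.
LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
"""
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     sufficient    pam_succeed_if.so uid < 500 quiet
"""

# Numeric ordering comparisons on the uid field of pam_succeed_if.
COND = re.compile(r"pam_succeed_if\.so\b.*?\buid\s+(>=|<=|>|<)\s+(\d+)")

def uid_min(login_defs_text):
    """Return the first UID_MIN value in login.defs text, or None."""
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "UID_MIN":
            return int(fields[1])  # assumption: decimal value
    return None

def pam_uid_boundaries(pam_text):
    """Return (line_no, line, boundary) per uid comparison, where boundary
    is the lowest uid on the upper side of the comparison."""
    found = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        m = COND.search(line.split("#", 1)[0])
        if m:
            op, n = m.group(1), int(m.group(2))
            # "uid > 499" and "uid <= 499" both split the range at 500.
            found.append((no, line.strip(), n + 1 if op in (">", "<=") else n))
    return found

def drift(login_defs_text, pam_text):
    """PAM lines whose boundary differs from UID_MIN (all lines if unset)."""
    expected = uid_min(login_defs_text)
    return [hit for hit in pam_uid_boundaries(pam_text) if hit[2] != expected]

if __name__ == "__main__":
    for no, line, boundary in drift(LOGIN_DEFS, SYSTEM_AUTH):
        print(f"line {no}: boundary {boundary} != UID_MIN "
              f"{uid_min(LOGIN_DEFS)}: {line}")
```

On a real host the two strings would come from /etc/login.defs and /etc/pam.d/system-auth-ac, the files named in the report.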
