Bug 88370 - pam_console doesn't change ownership/permissions of directories
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: David Lawrence
Depends On:
Reported: 2003-04-09 14:48 UTC by Jonathan Rawle
Modified: 2007-04-18 16:52 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2005-04-08 13:53:53 UTC

Attachments
Proposed patch (1.19 KB, patch)
2004-09-21 13:42 UTC, Tomas Mraz

Description Jonathan Rawle 2003-04-09 14:48:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326

Description of problem:
If an entry is added to /etc/security/console.perms to change the ownership of a
directory to the console user, nothing happens when a user logs in at the
console. This behaviour has deliberately been changed at some stage, so that if
a directory is specified, the corresponding device is looked up in fstab and the
ownership of the device file changed instead.

In some circumstances, it would be useful to be able to change the ownership of
an ordinary directory to the console user, for example /mnt so that only the
console user may read mounted removable disks. I can't see that this would be a
security loophole as directories would have to be specified in console.perms for
their ownership to be changed in this way.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Edit /etc/security/console.perms to include the line:
<console>  0500 /mnt         0755 root
2. As root, run /sbin/pam_console_apply

Actual Results:  Ownership of /mnt changes to the console user with permissions

Expected Results:  Ownership and permissions of /mnt are unchanged.

Additional info:

Comment 1 Jonathan Rawle 2003-04-09 14:51:10 UTC
Sorry, actual and expected results should be the other way round!

Comment 2 Tomas Mraz 2004-09-21 13:42:37 UTC
Created attachment 104065
Proposed patch

We should apply the chmod/chown to dir if it isn't found in fstab.

Comment 3 Tomas Mraz 2004-10-14 16:49:34 UTC
Actually the patch isn't right because it could cause unwanted changes.

We would have to invent a way to signal to pam_console that the
user really wants to change directory permissions and not to look into

Comment 4 Tomas Mraz 2005-04-08 13:53:53 UTC
In the new pam from the Fedora Core Development you can use console.handlers for
this purpose.
The console.perms semantics shouldn't be changed.
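
Added example, not part of the bug report and not pam_console code: a small audit sketch of the behaviour discussed above, where a directory listed in console.perms is resolved through fstab to its device and a directory absent from fstab is left unchanged. The five-field parsing is simplified (class definitions and class references are skipped), the function names and the `is_dir` parameter are hypothetical, and both sample files are constructed.

```python
import os

# Constructed sample inputs (not taken from a real system).
SAMPLE_PERMS = """\
# class definitions and class references are skipped by this sketch
<floppy>=/dev/fd[0-1]*
<console>  0660 <floppy>     0660 root.floppy
<console>  0500 /mnt         0755 root
<console>  0600 /mnt/cdrom   0660 root.disk
<console>  0600 /dev/dsp     0600 root
"""
SAMPLE_FSTAB = """\
# device       mountpoint  type     options       dump pass
/dev/hda1      /           ext3     defaults      1 1
/dev/cdrom     /mnt/cdrom  iso9660  noauto,owner  0 0
"""

def fstab_devices(fstab_text):
    """Map mount point -> device from fstab text."""
    table = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[1].rstrip("/") or "/"] = fields[0]
    return table

def classify(perms_text, fstab_text, is_dir=os.path.isdir):
    """Return (path, mode, target, effect) for each literal-path permission line."""
    mounts = fstab_devices(fstab_text)
    report = []
    for line in perms_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Permission lines have five fields; "<class>=..." definitions do not.
        if len(fields) != 5 or "=" in fields[0] or not fields[2].startswith("/"):
            continue
        path, mode = fields[2].rstrip("/") or "/", fields[1]
        if not is_dir(path):
            report.append((path, mode, path, "applied to the file itself"))
        elif path in mounts:
            report.append((path, mode, mounts[path], "applied to the fstab device"))
        else:
            report.append((path, mode, None, "directory not in fstab: unchanged"))
    return report

if __name__ == "__main__":
    dirs = {"/mnt", "/mnt/cdrom"}  # constructed stand-in for os.path.isdir
    for row in classify(SAMPLE_PERMS, SAMPLE_FSTAB, is_dir=dirs.__contains__):
        print(row)
```

Run against a real console.perms and fstab with the default `is_dir`, the "unchanged" rows are the entries an administrator may wrongly believe are being restricted to the console user.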
