bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-30  07:39 UTC
[Bug 926] pam_session_close called as user or not at all
https://bugzilla.mindrot.org/show_bug.cgi?id=926
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #36 from Damien Miller <djm at mindrot.org>  2008-06-30 17:39:52 ---
pam_mount tries to ask a password from the user*, which puts it in
challenge-response case of needing more than one interaction. Since
session modules can't interact with the user other than to display
messages, you'd also need to put it in the PAM accounting stack. This
is what bug #688 is about, and isn't related to this one
(pam_session_close behaviour).

IMO this bug can be closed with the release of openssh-4.8p1. Darren,
do you agree? Isn't this also incorrectly marked as blocking 5.1?

* See
http://www.google.com/codesearch?hl=en&q=show:9Q9GBXVnR7k:chgFMim3giQ:glu2lh4-EfU&sa=N&ct=rd&cs_p=http://open-systems.ufl.edu/mirrors/gentoo/distfiles/pam_mount-0.18.tar.bz2&cs_f=pam_mount-0.18/src/pam_mount.c&start=1#l195
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-30  10:25 UTC
[Bug 926] pam_session_close called as user or not at all
https://bugzilla.mindrot.org/show_bug.cgi?id=926
--- Comment #37 from Darren Tucker <dtucker at zip.com.au>  2008-06-30 20:25:45 ---
(In reply to comment #36)
> pam_mount tries to ask a password from the user*, which puts it in
> challenge-response case of needing more than one interaction. Since
> session modules can't interact with the user other than to display
> messages, you'd also need to put it in the PAM accounting stack. This
> is what bug #688 is about, and isn't related to this one
> (pam_session_close behaviour).
>
> IMO this bug can be closed with the release of openssh-4.8p1. Darren,
> do you agree? Isn't this also incorrectly marked as blocking 5.1?

The thing is it (pam_mount) probably used to work with at least
privsep=no, because the session wasn't opened until the pty had been
allocated, thus the modules could interact using the tty conversation
function. So, this is a regression (what I was worried about in
comment #27).

Now that the session is opened in the monitor, the session modules
can't interact with the user. On the flip side, the session close now
runs with privilege.

So, take the bug out of the 5.1 list, but I wouldn't close it yet.
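Added example, not part of the thread and not OpenSSH's code: a sketch of the constraint both comments describe, where a conversation function with no tty behind it relays display-only messages and refuses prompts, so a session module that asks for a password gets PAM_CONV_ERR. The PAM types and constants are local stand-ins mirroring Linux-PAM's <security/pam_appl.h> so the block builds without libpam; display_only_conv and module_says are hypothetical names.

```c
/* Added illustration, not OpenSSH or Linux-PAM source. Types and constants are
 * local stand-ins (assumption) mirroring Linux-PAM's <security/pam_appl.h>. */
#include <stdio.h>
#include <stdlib.h>
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
static int shown;   /* display-only messages relayed so far */

/* Conversation with no tty behind it: relay text, refuse any message
 * style that would need an answer from the user. */
int display_only_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata)
{
    (void)appdata;
    *resp = NULL;
    if (n <= 0) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++)       /* validate the whole batch first */
        if (msg[i]->msg_style != PAM_TEXT_INFO &&
            msg[i]->msg_style != PAM_ERROR_MSG)
            return PAM_CONV_ERR;      /* a prompt: nobody to ask */
    struct pam_response *r = calloc((size_t)n, sizeof(*r));
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        fprintf(stderr, "%s\n", msg[i]->msg);
        shown++;
    }
    *resp = r;                        /* empty responses, caller frees */
    return PAM_SUCCESS;
}

/* Hypothetical session-module step: send one message, return the result. */
int module_says(int style, const char *text)
{
    struct pam_message m = { style, text };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = display_only_conv(1, &mp, &r, NULL);
    free(r);
    return rc;
}

int main(void)
{
    printf("info:   %d\n", module_says(PAM_TEXT_INFO, "mounting volume"));
    printf("prompt: %d\n", module_says(PAM_PROMPT_ECHO_OFF, "Password: "));
    return 0;
}
```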
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-30  10:50 UTC
[Bug 926] pam_session_close called as user or not at all
https://bugzilla.mindrot.org/show_bug.cgi?id=926
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1452                        |