Brandon S. Allbery KF8NH
1998-Dec-04 16:42 UTC
Red Hat 5.2's login doesn't do PAM session management correctly

This is a "heads up" for anyone who relies on PAM session management in order to clean up after a login session. Red Hat 5.2's login does not perform PAM session management correctly, potentially resulting in sessions which lose their authentication before the login shell starts.

login.c in Red Hat 5.2's util-linux package was modified so that it no longer forks a separate process for the user's shell; instead, it immediately closes the session and execs the user's shell. This means that a PAM module which expects to be able to do post-session cleanup in its pam_close_session hook will do the cleanup *before* the user's shell is invoked. This breaks the pam_linux_afs module (which invokes AFS's unlog) and KTH Kerberos's pam_krb4 module (which destroys the ticket cache), among others, so the session is effectively unauthenticated (contrary to both PAM documentation and users' and administrators' expectations).

The workaround for pam_linux_afs is to remove the session entry for pam_linux_afs from /etc/pam.d/login and add "no_unlog" to the auth entry. I haven't tried to produce a workaround for KTH pam_krb4 yet because it has several other bugs which make it unusable in our environment and I haven't had the time to sit down and fix it.

I have a temporary patch to util-login which restores the original behavior, and I have submitted a bug report to Red Hat (which was acknowledged today). (If anyone needs the patch, send mail to me at allbery@ece.cmu.edu and I'll send you the patch and spec file.)

-- 
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
Kiss my bits, Billy-boy.
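The ordering problem described in the post above, shown as an added C model that is not code from the post, from util-linux or from Red Hat. Real login.c calls pam_open_session()/pam_close_session() and execs the shell; this model stands in for those calls with a small event log so the two flows can be compared without libpam. open_session/close_session, run_shell and the session_log struct are constructed for the illustration. login_with_fork() is the original util-linux shape (fork, child runs the shell, parent waits, then closes the session); login_without_fork() is the Red Hat 5.2 shape (close the session, then exec the shell in the same process). The "credentials" flag plays the part of the AFS token or Kerberos ticket cache that the module's close hook (unlog / ticket destruction) removes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Event codes recorded in the order the login process performs them. */
enum { EV_OPEN = 1, EV_SHELL_RUN = 2, EV_CLOSE = 3, EV_MAX = 8 };

/* Constructed stand-in for the PAM handle plus the module's state:
 * credentials_valid models the token/ticket cache that the session
 * module's close hook destroys; shell_saw_credentials is what the
 * user's shell found when it started. */
typedef struct {
    int events[EV_MAX];
    int n;
    int credentials_valid;
    int shell_saw_credentials;
} session_log;

static session_log fresh(void) {
    session_log s;
    memset(&s, 0, sizeof s);
    return s;
}

static void record(session_log *s, int ev) {
    if (s->n < EV_MAX) s->events[s->n++] = ev;
}

/* Stand-in for pam_open_session(): the module obtains credentials. */
static void open_session(session_log *s) {
    s->credentials_valid = 1;
    record(s, EV_OPEN);
}

/* Stand-in for pam_close_session(): the module's cleanup hook runs
 * (unlog for pam_linux_afs, ticket-cache destruction for pam_krb4). */
static void close_session(session_log *s) {
    s->credentials_valid = 0;
    record(s, EV_CLOSE);
}

/* Stand-in for exec of the user's shell: returns what the shell sees. */
static int run_shell(session_log *s) {
    record(s, EV_SHELL_RUN);
    return s->credentials_valid;
}

/* Original util-linux flow: fork, child runs the shell, parent waits for it
 * to exit and only then closes the session, so cleanup happens after logout. */
static int login_with_fork(session_log *s) {
    open_session(s);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: this is where the real code would execl() the shell;
         * report via exit status whether credentials were still present */
        _exit(run_shell(s) ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    record(s, EV_SHELL_RUN);  /* parent's view: the shell ran while the session was open */
    s->shell_saw_credentials = (WIFEXITED(status) && WEXITSTATUS(status) == 0);
    close_session(s);  /* unlog / ticket destruction now, after the shell has exited */
    return 0;
}

/* Red Hat 5.2 flow: no fork; the session is closed and then the shell is
 * exec'd in the same process, so the cleanup hook has already run. */
static int login_without_fork(session_log *s) {
    open_session(s);
    close_session(s);                            /* cleanup fires here ... */
    s->shell_saw_credentials = run_shell(s);     /* ... so the shell starts unauthenticated */
    return 0;
}

static const char *ev_name(int ev) {
    switch (ev) {
    case EV_OPEN: return "open_session";
    case EV_SHELL_RUN: return "shell";
    case EV_CLOSE: return "close_session";
    default: return "?";
    }
}

static void show(const char *label, const session_log *s) {
    printf("%s:", label);
    for (int i = 0; i < s->n; i++) printf(" %s", ev_name(s->events[i]));
    printf(" -> shell saw credentials: %s\n", s->shell_saw_credentials ? "yes" : "no");
}

int main(void) {
    session_log a = fresh(), b = fresh();
    login_with_fork(&a);
    login_without_fork(&b);
    show("fork/wait/close (original)", &a);
    show("close/exec (Red Hat 5.2)", &b);
    return 0;
}
```

Running it prints the two event sequences: the forking flow records open_session, shell, close_session and the shell sees credentials; the close-then-exec flow records open_session, close_session, shell and the shell does not. The check an administrator would do on a real system is the same in spirit: log in through the patched login and confirm that tokens (the AFS tokens command) or tickets (klist) are still present in the shell.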
Andries.Brouwer@cwi.nl
1998-Dec-05 02:47 UTC
[linux-security] Re: Red Hat 5.2's login doesn't do PAM session management correctly

> I have a temporary patch to util-login which restores the original behavior

This was corrected a few weeks ago when the problem was recognized. See util-linux-2.9e.tar.gz from ftp.win.tue.nl:/pub/linux/util .

Andries