bugzilla-daemon
2006-Aug-04 15:19 UTC
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 ------- Comment #21 from t8m at centrum.cz 2006-08-05 01:18 ------- The patch causes a regression with pam_krb5 module. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341 As I said above I think that the only correct solution which would solve all cases (privsep yes/no, root/regular user) would be to add another fork before the setuid calls and shell process exec. login does this: 1. call pam_open_session 2. fork 3. parent waits for child, child impersonates user, execs shell 4. when child exits, parent calls pam_close_session ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Aug-20 05:58 UTC
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO|1155 |
nThis| |
------- Comment #22 from dtucker at zip.com.au 2006-08-20 15:58 -------
(In reply to comment #21)> The patch causes a regression with pam_krb5 module.
> See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341
Thanks for giving it a spin in Fedora. Does this particular problem
also occur with PrivSep=no?
> As I said above I think that the only correct solution which would
> solve all cases (privsep yes/no, root/regular user) would be to add
> another fork before the setuid calls and shell process exec.
Would there be any downside to setting KRB5CCNAME in the parent too?
(since it causes a regression, I'm taking this bug out of the list for
4.4 pending further work.)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Aug-23 12:03 UTC
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 ------- Comment #23 from t8m at centrum.cz 2006-08-23 22:03 ------- (In reply to comment #22)> (In reply to comment #21) > > The patch causes a regression with pam_krb5 module. > > See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341 > > Thanks for giving it a spin in Fedora. Does this particular problem > also occur with PrivSep=no?I don't think that this occurs with privsep disabled.> > As I said above I think that the only correct solution which would > > solve all cases (privsep yes/no, root/regular user) would be to add > > another fork before the setuid calls and shell process exec. > > Would there be any downside to setting KRB5CCNAME in the parent too?I don't know of any however note that with privsep disabled or when called as root the pam_session_close still won't be called correctly. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Apparently Analagous Threads
- [Bug 926] pam_session_close called as user or not at all
- [Bug 926] pam_session_close called as user or not at all
- [Bug 926] pam_session_close called as user or not at all
- [Bug 926] pam_session_close called as user or not at all
- [Bug 926] pam_session_close called as user or not at all