Possibly incorrect pam.d/* files in many packages
Hello.
I just found that in some files in /etc/pam.d/ some 'required' lines are
after '@include' lines. E.g.:
...
@include common-auth
auth required pam_env.so
...
AFAIK, '@include common-auth' is there to make it easy to set up other
(than pam_unix) auth methods. In a common LDAP accounts setup, common-auth
will have a 'sufficient' line for one auth method (e.g. pam_unix), and
a 'required' line for another method (e.g. pam_ldap).
But if it is possible that common-* files contain at least one 'sufficient'
line, it seems to be incorrect to have any 'auth required' lines after
common-auth is included - those lines will not be executed if a
module listed in common-auth as 'sufficient' succeeds. Same about account,
session and password, and probably same about 'optional' lines.
I think it's a bug in a package if 'required' is after '@include'. I first
found that in /etc/pam.d/cron, and filed a bug against the cron package
(#273631). However, later I found the same situation in other files in pam.d
(kdm, kdm-np, login, ssh, su). Before reporting bugs against packages
containing those files, I am asking in -devel - is this really a bug (do I
understand things correctly)?
Btw, probably other packages that provide pam.d files have the same issue.
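An added example, not part of the original post: a small Python check that flags the ordering described above, i.e. a 'required' or 'optional' line of a given type that appears after '@include common-<type>' in the same file. The function name and the sample file are constructed for illustration; the check only reports the ordering and does not inspect whether the included common-* file actually contains a 'sufficient' line.

```python
import re

# Constructed sample in the shape of the excerpt quoted in the post.
SAMPLE = """\
# constructed example service file
auth       required   pam_nologin.so
@include common-auth
auth       required   pam_env.so
@include common-account
session    optional   pam_motd.so
@include common-session
session    required   pam_limits.so
"""

INCLUDE_RE = re.compile(r"^@include\s+common-(auth|account|session|password)\b")
CONTROLS = {"required", "optional"}  # the two controls the post asks about


def find_lines_after_include(text, controls=CONTROLS):
    """Return (lineno, type, control, module) for each module line whose
    type matches an earlier '@include common-<type>' in the same file."""
    included = set()   # types whose common-* file has already been included
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = INCLUDE_RE.match(line)
        if match:
            included.add(match.group(1))
            continue
        fields = line.split()
        if len(fields) < 3:
            continue   # not a "type control module" line
        mtype, control, module = fields[0], fields[1], fields[2]
        if mtype in included and control in controls:
            findings.append((lineno, mtype, control, module))
    return findings


if __name__ == "__main__":
    for lineno, mtype, control, module in find_lines_after_include(SAMPLE):
        print(f"line {lineno}: '{mtype} {control} {module}' follows "
              f"@include common-{mtype}")
```

To check real files, pass the contents of each file under /etc/pam.d/ to find_lines_after_include() instead of SAMPLE.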