
Possibly incorrect pam.d/* files in many packages



Hello.

I just found that in some files in /etc/pam.d/ some 'required' lines are 
after '@include' lines. E.g.:

...
@include common-auth
auth       required   pam_env.so
...

AFAIK, '@include common-auth' is there to make it easy to set up other 
(than pam_unix) auth methods. In a common LDAP accounts setup, common-auth 
will have a 'sufficient' line for one auth method (e.g. pam_unix), and a 
'required' line for another method (e.g. pam_ldap).

But if it is possible that common-* files contain at least one 'sufficient' 
line, it seems to be incorrect to have any 'auth required' lines after 
common-auth is included - those lines will not be executed if a 
module listed in common-auth as 'sufficient' succeeds. Same about account, 
session and password, and probably same about 'optional' lines.

I think it's a bug in a package if 'required' is after '@include'. I first 
found that in /etc/pam.d/cron, and filed a bug against the cron package 
(#273631). However, later I found the same situation in other files in pam.d 
(kdm, kdm-np, login, ssh, su). Before reporting bugs against packages 
containing those files, I am asking in -devel - is this really a bug (do I 
understand things correctly)?

Btw, probably other packages that provide pam.d files have the same issue.
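
A small checker for the ordering described in this message, added here as an example and not part of the original post or of any Debian package. It assumes the semantics the message describes (a successful 'sufficient' module ends processing for that type); the function names and the sample file contents are constructed for illustration, and nested @include lines and bracketed controls are not followed.

```python
"""Flag PAM rules that sit after an @include carrying a 'sufficient' rule."""

def parse(text):
    """Yield (lineno, type, control) per rule, or (lineno, '@include', file)."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "@include":
            yield n, "@include", fields[1]
        elif len(fields) >= 3:
            yield n, fields[0].lstrip("-").lower(), fields[1].lower()

def sufficient_types(text):
    """Management types (auth, account, ...) that have a 'sufficient' rule."""
    return {kind for _, kind, ctl in parse(text) if ctl == "sufficient"}

def find_shadowed(service_text, includes):
    """Return (lineno, type, control, include) for rules that may be skipped."""
    shadowing, findings = {}, []
    for n, kind, value in parse(service_text):
        if kind == "@include":
            # Remember which included file first brought in a 'sufficient' rule.
            for t in sufficient_types(includes.get(value, "")):
                shadowing.setdefault(t, value)
        elif kind in shadowing and value in ("required", "optional"):
            findings.append((n, kind, value, shadowing[kind]))
    return findings

# Constructed sample files (not taken from any package).
INCLUDES = {
    "common-auth": "auth sufficient pam_unix.so\n"
                   "auth required   pam_ldap.so use_first_pass\n",
    "common-account": "account required pam_unix.so\n",
}
SERVICE = """\
# constructed service file in the shape quoted in the message
@include common-auth
auth       required   pam_env.so
@include common-account
session    required   pam_limits.so
"""

if __name__ == "__main__":
    for n, kind, ctl, inc in find_shadowed(SERVICE, INCLUDES):
        print(f"line {n}: '{kind} {ctl}' follows @include {inc}, "
              f"which has a 'sufficient' {kind} rule")
```

To audit a real system, read each file under /etc/pam.d/ into `service_text` and build `includes` from the common-* files it names.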


