Bug#677439: Please enable pam_loginuid by default
- To: 677438@bugs.debian.org, 661745@bugs.debian.org, 677435@bugs.debian.org, 677436@bugs.debian.org, 677441@bugs.debian.org, 677440@bugs.debian.org, 677442@bugs.debian.org, 677437@bugs.debian.org, 677443@bugs.debian.org, 677439@bugs.debian.org
- Subject: Bug#677439: Please enable pam_loginuid by default
- From: Laurent Bigonville <bigon@debian.org>
- Date: Thu, 14 Jun 2012 11:48:27 +0200
- Message-id: <20120614114827.27602d88@eldamar.bigon.be>
- Reply-to: Laurent Bigonville <bigon@debian.org>, 677439@bugs.debian.org
Hi,

So let's try to be more clear about this bug.

pam_loginuid is used to track user login. This module is needed
by different things: the audit daemon, consolekit and systemd (for the
latter, the lack of calling this module produces some nasty issues, like
breaking sudo).

The module must only be called in login-like services (login, xDM,...)
and not in services like sudo as this is defeating the purpose of
having a UID per login. The pam-auth-update is currently lacking (see
#677288) a way to add modules to login services only.

pam_loginuid.so module is already present in the libpam-modules package
which is Priority: required which means it's installed on every system
by default.

The module needs to be added in between the call to selinux close/open
and before pam_ck_connector modules (if they are already present in your
pam service file), I also recommend to add it before the
common-session(-noninteractive) include. For example:

session required pam_selinux.so close
[...]
session required pam_loginuid.so << Add it here
@include common-session
session required pam_selinux.so open

Cheers

Laurent Bigonville
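
An added example, not part of the original message or of any Debian package: a small Python check of the placement rules described in the message above, run against constructed PAM service-file contents. The function names and the login_like flag are assumptions made for illustration.

```python
import re

def session_stack(text):
    """Ordered (name, args) pairs for session lines and @include lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if parts[:1] == ["@include"] and len(parts) > 1:
            stack.append(("@" + parts[1], []))
            continue
        # type, control (plain word or [bracketed list]), module, arguments
        m = re.match(r"-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)", line)
        if m:
            stack.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    return stack

def first(stack, name, arg=None):
    """Index of the first entry with this name (and argument), or None."""
    for i, (n, args) in enumerate(stack):
        if n == name and (arg is None or arg in args):
            return i
    return None

def check_loginuid(text, login_like):
    """Return findings for one service file; login_like is the caller's assumption."""
    stack = session_stack(text)
    pos = first(stack, "pam_loginuid.so")
    if not login_like:   # e.g. sudo: must not reset the per-login UID
        return ["pam_loginuid.so called from a non-login service"] if pos is not None else []
    if pos is None:
        return ["pam_loginuid.so is missing"]
    findings = []
    close = first(stack, "pam_selinux.so", "close")
    if close is not None and pos < close:
        findings.append("pam_loginuid.so comes before pam_selinux.so close")
    for name, arg in (("pam_selinux.so", "open"), ("pam_ck_connector.so", None),
                      ("@common-session", None), ("@common-session-noninteractive", None)):
        other = first(stack, name, arg)
        if other is not None and pos > other:
            label = f"{name.lstrip('@')} {arg or ''}".strip()
            findings.append(f"pam_loginuid.so comes after {label}")
    return findings

# Constructed sample contents, not copied from a real system.
GOOD = ("session required pam_selinux.so close\nsession required pam_loginuid.so\n"
        "@include common-session\nsession required pam_selinux.so open\n")
LATE = ("session required pam_selinux.so close\n@include common-session\n"
        "session optional pam_ck_connector.so\nsession required pam_loginuid.so\n"
        "session required pam_selinux.so open\n")
SUDO = "@include common-session-noninteractive\nsession required pam_loginuid.so\n"
```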