[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#677439: Please enable pam_loginuid by default


So let's try to be more clear about this bug.

pam_loginuid is used to track user login. This module is needed
by different things: the audit daemon, consolekit and systemd (for the
later, the lack of calling this module, produces some nasty issues, like
breaking sudo).

The module must only be called in login-like services (login, xDM,...)
and not in services like sudo as this is defeating the purpose of
having a UID per login. The pam-auth-update is currently laking (see
#677288) a way to add modules to login services only.

pam_loginuid.so module is already present in the libpam-modules package
which is Priority: required which means it's installed on every system
by default.

The module need to be added in between the call to selinux close/open
and before pam_ck_connector modules (if they are already present in your
pam service file), I also recommend to add it before the
common-session(-noninteractive) include. For example:

 session required        pam_selinux.so close
 session required        pam_loginuid.so   << Add it here
 @include common-session
 session required        pam_selinux.so open


Laurent Bigonville

Reply to: