
Bug#664808: Please enable pam_loginuid by default



tag 664808 + patch
tag 677438 + patch
thanks

Hello,

Please find attached a patch that fixes both #677438 and #664808.

The PAM modules should be called in this order:

1) session pam_selinux close
2) other sessions modules including pam_loginuid
3) include common-session
4) session pam_selinux open

It's important that pam_loginuid is located before the include of
common-session, as the pam_systemd module, which is included in
common-session, must be called after the loginuid process attribute
has been properly set.

Regarding the SELinux module: if SELinux is disabled on the user's
machine, the module just returns success. And as pam_selinux does not
exist on !linux platforms, we unfortunately cannot use the
"required" control.

If you have any questions, please do not hesitate to contact me.

Cheers

Laurent Bigonville
diff -Nru kde-workspace-4.10.2/debian/kdm.pam kde-workspace-4.10.2/debian/kdm.pam
--- kde-workspace-4.10.2/debian/kdm.pam	2013-03-25 23:56:12.000000000 +0100
+++ kde-workspace-4.10.2/debian/kdm.pam	2013-05-17 16:34:13.000000000 +0200
@@ -5,7 +5,16 @@
 auth       required     pam_env.so readenv=1
 auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
 @include common-auth
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.
+session    [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 session    required     pam_limits.so
+session    required     pam_loginuid.so
+@include common-session
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session    [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 @include common-account
 @include common-password
-@include common-session
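Review bot: the new `session    required     pam_loginuid.so` line uses the strict `required` control, while the two pam_selinux lines in the same hunk use `[success=ok ignore=ignore module_unknown=ignore default=bad]` precisely because that module may not exist on the non-Linux ports; if pam_loginuid.so is likewise absent there, `required` turns every kdm login into a session failure on those architectures. Either give it the same bracketed control (`module_unknown=ignore`) or state in the changelog why `required` is safe on every architecture kdm is built for. Two smaller points in the same hunk: the comment "Without out this it is possible" should read "Without this it is possible", and both of those comment lines carry trailing whitespace. Moving `@include common-session` up between the session rules is the right fix for the pam_systemd ordering, but it now sits between the auth and account includes, so a one-line comment saying the session block is deliberately ordered (close, loginuid, common-session, open) would help the next person who tidies the file.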
