Bug#677440: Please enable pam_loginuid by default
On Fri, May 17, 2013 at 04:44:24PM +0200, Laurent Bigonville wrote:
> Now that the freeze is over, could you please include my patch?
>
> ATM the audit package is loading a PAM snippet that adds this
> pam_loginuid module in common-session. This has an unfortunate side
> effect of breaking sudo when using systemd (it should only be called
> in initial login services).
>
> I'm planning to make an upload in unstable soon that drops this snippet.
> It would be nice if both could be synchronized.
>
> Do not hesitate to contact me if you have any questions.

I'm concerned about some of the side-effects of moving common-session
the way your patch does. For instance, one likely effect I see is that
if you're using ecryptfs and you have a mailbox in your home directory
(thus presumably updated by something inside your session) then pam_mail
will no longer work properly. (Yes, in the standard configuration
pam_mail will only be looking in /var/mail/, but it's easily conceivable
that somebody might have added a dir= parameter locally.) The ordering
here is pretty delicate, and I'd need a better reason for moving it than
"other PAM services are doing this".

Wouldn't it be safer to insert pam_loginuid above common-session, but
otherwise leave it where it is?

Thanks,
--
Colin Watson [cjwatson@debian.org]