Bug#726661: Does not permit login as root from version 1:6.2p2-6



On Mon, Mar 24, 2014 at 11:06 AM, Olivier Berger
<olivier.berger@telecom-sudparis.eu> wrote:
> Hi.
>
> On Mon, Nov 11, 2013 at 12:58:00PM +1100, Darren Tucker wrote:
>> Workaround: comment out this line in /etc/pam.d/ssh:
>>
>> session required pam_loginuid.so
>
> Would you care to comment on how this helps, and what the side effects could be?

I *think* the only impact is that the audit logs will not have the
correct loginuid associated with them.

The problem is that loginuid once set can't be changed, and any
attempt to do so (eg by pam_loginuid.so writing to
/proc/self/loginuid) will fail.  In sshd's case this can be if you run
(or restart) it from the command line.

Here are the links from my notes last time around:
http://www.linux-pam.org/Linux-PAM-html/sag-pam_loginuid.html
https://www.cendio.com/bugzilla/show_bug.cgi?id=4634
https://bugzilla.redhat.com/show_bug.cgi?id=959418

> FWIW, I'm experiencing a similar issue inside a docker container running sid, adapted from phusion/baseimage-docker, and even though the workaround helps, I'm concerned about the impact.

pam_loginuid.so would try to write to /proc/self/loginuid
unconditionally. If you're not actually trying to switch loginuids,
https://fedorahosted.org/linux-pam/ticket/23 prevents unnecessary
failures in this case by skipping the write if it's already what you
want.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
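
The behaviour described in the message above, as an added shell example that is not part of the original e-mail or of pam_loginuid itself: it predicts what a write to a loginuid file would do for a given target uid, and checks whether a PAM file still loads pam_loginuid.so. The function names and sample files are hypothetical and constructed; 4294967295 is the kernel's value for an unset loginuid, and the "set once" rule is taken from the message.

```shell
#!/bin/sh
# Added example: models the checks described in the message; names are hypothetical.
UNSET_LOGINUID=4294967295   # (uid_t)-1, the kernel's value for "no loginuid set"

# predict_loginuid_write FILE TARGET_UID
# FILE: a loginuid file, e.g. /proc/self/loginuid or /proc/<sshd pid>/loginuid.
# Prints one of:
#   write      - loginuid never set, the first write succeeds
#   skip       - already the wanted uid; the linux-pam ticket 23 change skips
#                the write, an unconditional write is the unnecessary failure
#   fail       - set to a different uid, which cannot be changed
#   unreadable - file missing or not a number
predict_loginuid_write() {
    file=$1
    target=$2
    current=$(cat "$file" 2>/dev/null) || { echo unreadable; return 0; }
    case $current in
        ''|*[!0-9]*)       echo unreadable ;;
        "$UNSET_LOGINUID") echo write ;;
        "$target")         echo skip ;;
        *)                 echo fail ;;
    esac
}

# pam_loginuid_active FILE: succeeds if FILE has an uncommented session line
# loading pam_loginuid.so (i.e. the workaround has not been applied).
pam_loginuid_active() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_loginuid\.so' "$1"
}

# Constructed demo input, so the example runs without touching the live system.
demo=$(mktemp -d)
printf '4294967295\n' > "$demo/fresh"       # sshd started at boot
printf '1000\n'       > "$demo/inherited"   # sshd restarted from uid 1000's shell
printf 'session required pam_loginuid.so\n' > "$demo/pam_ssh"

echo "boot-started sshd, login as root:  $(predict_loginuid_write "$demo/fresh" 0)"
echo "restarted sshd, login as uid 1000: $(predict_loginuid_write "$demo/inherited" 1000)"
echo "restarted sshd, login as root:     $(predict_loginuid_write "$demo/inherited" 0)"
if pam_loginuid_active "$demo/pam_ssh"; then
    echo "pam_loginuid.so is active in the sample PAM file"
fi
rm -rf "$demo"
```

On a live host, pass `/proc/<sshd pid>/loginuid` and `/etc/pam.d/ssh` instead of the constructed files.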

