Bug 27204

Summary: Problems with pam_loginuid
Product: Sisyphus Reporter: Fr. Br. George <george>
Component: kernel-image-un-def Assignee: Vitaly Chikunov <vt>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: major    
Priority: P3 CC: kernelbot, vt
Version: unstable   
Hardware: all   
OS: Linux   

Description Fr. Br. George 2012-04-11 12:19:21 MSK
Kernel 3.3.1-un-def-alt1

If you run service sshd restart, you get the following when logging in over ssh:
Apr  9 15:40:36 host-245 sshd[5056]: Accepted publickey for george from 10.6.16.13 port 37685 ssh2
Apr  9 15:40:36 host-245 sshd[5056]: pam_tcb(sshd:session): Session opened for george by (uid=0)
Apr  9 15:40:36 host-245 sshd[5056]: pam_loginuid(sshd:session): set_loginuid failed 
Apr  9 15:40:36 host-245 sshd[5056]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Apr  9 15:40:36 host-245 sshd[5061]: Received disconnect from 10.6.16.13: 11: disconnected by user

Same story with KDM, i.e. after these services are restarted it is impossible to log in. Not reproducible on 3.3.1-std-def-alt1.

What is strange is that /proc/`pidof sshd`/loginuid contains -1 the first time (before service sshd restart) and 0 every time after that, but this did not bother other kernels.
Comment 1 Dmitry V. Levin 2012-04-12 18:50:57 MSK
from init/Kconfig:

config AUDIT_LOGINUID_IMMUTABLE
        bool "Make audit loginuid immutable"
        depends on AUDIT
        help
          The config option toggles if a task setting its loginuid requires
          CAP_SYS_AUDITCONTROL or if that task should require no special permissions
          but should instead only allow setting its loginuid if it was never
          previously set.  On systems which use systemd or a similar central
          process to restart login services this should be set to true.  On older
          systems in which an admin would typically have to directly stop and
          start processes this should be set to false.  Setting this to true allows
          one to drop potentially dangerous capabilites from the login tasks,
          but may not be backwards compatible with older init systems.
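
The rule in the help text quoted above accounts for the set_loginuid failure in the description. As an added example (not part of the bug thread or the kernel source), this shell script models that rule and applies it to the two loginuid values the report mentions; the function names and the kernel config path are assumptions.

```shell
#!/bin/sh
# Added example: models the rule quoted from init/Kconfig in Comment 1.

# can_set_loginuid CUR IMMUTABLE HAS_CAP -> prints "allowed" or "denied"
#   CUR       current loginuid of the task (contents of /proc/PID/loginuid)
#   IMMUTABLE y if CONFIG_AUDIT_LOGINUID_IMMUTABLE is set, else n
#   HAS_CAP   y if the task holds the audit-control capability, else n
can_set_loginuid() {
    case $1 in
        -1|4294967295) never_set=y ;;  # (uid_t)-1: loginuid was never set
        *)             never_set=n ;;
    esac
    if [ "$2" = y ]; then
        # Immutable mode: no capability needed, but only one write, ever.
        if [ "$never_set" = y ]; then echo allowed; else echo denied; fi
    else
        # Legacy mode: any number of writes, gated by the capability.
        if [ "$3" = y ]; then echo allowed; else echo denied; fi
    fi
}

# immutable_option FILE -> prints y or n for the given kernel config file.
immutable_option() {
    if grep -q '^CONFIG_AUDIT_LOGINUID_IMMUTABLE=y' "$1" 2>/dev/null
    then echo y; else echo n; fi
}

# check_pid PID [CONFIG] -> verdict for a running daemon, assumed to run as
# root with the capability. The config path is an assumption about the host.
check_pid() {
    cfg=${2:-/boot/config-$(uname -r)}
    cur=$(cat "/proc/$1/loginuid") || return 1
    opt=$(immutable_option "$cfg")
    echo "pid=$1 loginuid=$cur immutable=$opt: $(can_set_loginuid "$cur" "$opt" y)"
}

# Constructed cases matching the report: sshd started at boot (unset),
# then restarted by hand, after which the report shows loginuid 0.
for cur in 4294967295 0; do
    for opt in y n; do
        echo "loginuid=$cur immutable=$opt -> $(can_set_loginuid "$cur" "$opt" y)"
    done
done

# Optional live check: pass the daemon's PID as the first argument.
if [ -n "${1:-}" ]; then check_pid "$1"; fi
```

Only the combination of loginuid 0 with the option enabled is denied, which is the state the description shows after service sshd restart.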
Comment 2 Fr. Br. George 2012-04-20 10:29:10 MSK
Works in 3.3.2*