Bug 27204 - Problems with pam_loginuid
Summary: Problems with pam_loginuid
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: kernel-image-un-def
Version: unstable
Hardware: all Linux
Importance: P3 major
Assignee: Vitaly Chikunov
QA Contact: qa-sisyphus
Reported: 2012-04-11 12:19 MSK by Fr. Br. George
Modified: 2012-04-20 10:29 MSK

Description Fr. Br. George 2012-04-11 12:19:21 MSK
Kernel 3.3.1-un-def-alt1

After running service sshd restart, logging in over ssh produces this:
Apr  9 15:40:36 host-245 sshd[5056]: Accepted publickey for george from 10.6.16.13 port 37685 ssh2
Apr  9 15:40:36 host-245 sshd[5056]: pam_tcb(sshd:session): Session opened for george by (uid=0)
Apr  9 15:40:36 host-245 sshd[5056]: pam_loginuid(sshd:session): set_loginuid failed 
Apr  9 15:40:36 host-245 sshd[5056]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Apr  9 15:40:36 host-245 sshd[5061]: Received disconnect from 10.6.16.13: 11: disconnected by user

Same story with KDM, i.e. after restarting these services it is impossible to log in. Not reproducible on 3.3.1-std-def-alt1.

Strangely, /proc/`pidof sshd`/loginuid contains -1 the first time (before service sshd restart) and 0 every time after that, but this did not bother other kernels.
Comment 1 Dmitry V. Levin 2012-04-12 18:50:57 MSK
from init/Kconfig:

config AUDIT_LOGINUID_IMMUTABLE
        bool "Make audit loginuid immutable"
        depends on AUDIT
        help
          The config option toggles if a task setting its loginuid requires
          CAP_SYS_AUDITCONTROL or if that task should require no special permissions
          but should instead only allow setting its loginuid if it was never
          previously set.  On systems which use systemd or a similar central
          process to restart login services this should be set to true.  On older
          systems in which an admin would typically have to directly stop and
          start processes this should be set to false.  Setting this to true allows
          one to drop potentially dangerous capabilites from the login tasks,
          but may not be backwards compatible with older init systems.
Comment 2 Fr. Br. George 2012-04-20 10:29:10 MSK
Works in 3.3.2*
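
An added sketch (not part of the bug report and not kernel code) that models the rule from the Kconfig help quoted in Comment 1 and applies it to the values the reporter saw in /proc/`pidof sshd`/loginuid: -1 before the restart, 0 after it. The function names, the /boot/config-<release> default path and the assumption that the session process holds the capability are illustrative.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the bug report or the kernel.
# The rule in predict_set_loginuid models the Kconfig help text from Comment 1.

# loginuid_is_unset VALUE: succeeds if VALUE means "never set".
# Accepts -1 (as written in the report) and its unsigned form 4294967295.
loginuid_is_unset() {
    case "$1" in
        -1|4294967295) return 0 ;;
        *) return 1 ;;
    esac
}

# predict_set_loginuid IMMUTABLE CURRENT HAS_CAP: prints allowed or denied.
# IMMUTABLE and HAS_CAP are y or n; CURRENT is the task's present loginuid.
predict_set_loginuid() {
    if [ "$1" = y ]; then
        # Immutable mode: no capability needed, but only a never-set value may be written.
        if loginuid_is_unset "$2"; then echo allowed; else echo denied; fi
    elif [ "$3" = y ]; then
        # Legacy mode: the capability alone decides, the old value is irrelevant.
        echo allowed
    else
        echo denied
    fi
}

# kernel_immutable_setting [CONFIG_FILE]: prints y, n or unknown.
# The default path /boot/config-<release> is an assumption about the distribution.
kernel_immutable_setting() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_AUDIT_LOGINUID_IMMUTABLE=y' "$cfg"; then echo y; else echo n; fi
}

# report PID [CONFIG_FILE]: predict pam_loginuid's outcome for sessions forked by PID.
report() {
    cur=$(cat "/proc/$1/loginuid" 2>/dev/null || echo unknown)
    imm=$(kernel_immutable_setting "${2:-}")
    if [ "$cur" = unknown ] || [ "$imm" = unknown ]; then
        echo "pid $1: loginuid=$cur immutable=$imm -> cannot predict"
    else
        # Assumption: the session process is root and holds the capability.
        echo "pid $1: loginuid=$cur immutable=$imm -> $(predict_set_loginuid "$imm" "$cur" y)"
    fi
}

# Usage: sh script.sh PID   (for example the PID of the sshd master process)
if [ $# -gt 0 ]; then report "$@"; fi
```

A daemon restarted from an administrator's login session inherits that session's loginuid, which is why the value read after service sshd restart is 0 rather than -1.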