Re: Re: About pam_access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



About unpredictable results.
Here is a my /etc/pam.d/rsh config, for simpleness
/etc/security/access.conf is empty(allow everyone) and
/etc/security/pam_env.conf is also empty(not set any env):

#%PAM-1.0

auth       sufficient            pam_access.so
auth       optional     pam_env.so

account    include      password-auth
session    optional     pam_keyinit.so    force revoke
session    required     pam_loginuid.so
session    include      password-auth

The rsh authorizes me successfully:
[u1333@um32 ~]$ rsh umu4 id
uid=1003(u1333) gid=100(users)
группы=100(users),1013(OSO),5001(um32),5005(um64),5006(umt),5007(cluster_sudo)

But this configuration gives me an access denied error:

#%PAM-1.0

auth       sufficient            pam_access.so
#auth       optional     pam_env.so

account    include      password-auth
session    optional     pam_keyinit.so    force revoke
session    required     pam_loginuid.so
session    include      password-auth

[u1333@um32 ~]$ rsh umu4 id
Permission denied.

If I use "auth required pam_securetty.so" instead of "auth optional
pam_env.so" in above samples the results are same.

I think it is a kind of unpredictable. In my environment I forced to
keep almost-do-noting module pam_env.so(with empty config file) and
"don't del this line or it will be broken" comment.

Also the line "auth required pam_access.so" in pam.d will always fall.
Changing "return (PAM_SUCCESS)" instead (PAM_IGNORE) in pam_sm_setcred
solves a problem, but I don't know about possible drawbacks of this
decision.

Best,

Alexander Bersenev

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux