Bug 5836 - tl-session fails to run PAM credential steps
Summary: tl-session fails to run PAM credential steps
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
Depends on:
Reported: 2016-04-05 09:39 CEST by Pierre Ossman
Modified: 2016-04-12 13:47 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2016-04-05 09:39:05 CEST
We've overlooked calling pam_setcred() from tl-session, which should be called just before pam_open_session() and just after pam_close_session().

The consequences of this is currently unknown. We need to have a look at what popular PAM modules use the credentials step for.
Comment 1 Pierre Ossman cendio 2016-04-06 12:08:43 CEST
Did a grep in the linux pam tree and found these modules using the credential step:

 - pam_env : Adds/removes arbitrary environment variables

 - pam_filter : filters the login TTY (which we don't have, so no issue)

 - pam_group : adds additional supplemental groups

 - pam_mail : informs about new mail and sets $MAIL

 - pam_nologin : does something weird, but it seems to be a no-op

 - pam_tally[2] : resets the login tally (not relevant as we don't increase it)

 - pam_unix : was originally designed to call initgroups() but now does nothing of value

Fortunately most of these also do their work as part of the session step, meaning we haven't lost any functionality in practice. The exception is pam_group which has a hard requirement on the credentials step.

pam_krb5 also uses the credential step, but it also has a redundant handling in the session step.

Note You need to log in before you can comment on or make changes to this bug.