[Bug 1856703] Re: Return only PAM_IGNORE or error from pam_motd
Balint Reczey
balint.reczey at canonical.com
Tue Dec 17 17:55:28 UTC 2019
[ Impact ]
* In highly unlikely non-default configuration pam_motd may be configured to influence PAM's authentication and reporting PAM_SUCCESS may let users in the system.
* The fix is returning only PAM_IGNORE and error values.
[ Test Case ]
* Configure PAM to deny access when pam_motd returns PAM_SUCCESS:
$ cat /etc/pam.d/login
...
session [success=die ignore=ignore] pam_motd.so motd=/run/motd.dynamic
...
* Try to log in:
# login ubuntu
* Observe being able to log in due to pam_motd not returning
PAM_SUCCESS
[Regression Potential]
* Minimal this is a fix partially reverting the behaviour change that
was found undesired in LP: #1855092 . The return value of pam_motd is
ignored in real-world configurations, thus it does not matter.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1856703
Title:
Return only PAM_IGNORE or error from pam_motd
Status in pam package in Ubuntu:
New
Status in pam source package in Eoan:
New
Bug description:
https://github.com/linux-pam/linux-pam/pull/157
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1856703/+subscriptions
More information about the foundations-bugs
mailing list