[Pkg-shadow-devel] Bug#397793: login: Should /bin/su really call pam_end() in child before exec()?
Arne Nordmark
nordmark at mech.kth.se
Thu Nov 9 16:25:42 CET 2006
Package: login
Version: 1:4.0.18.1-5
Severity: minor
From src/su.c:

    child = fork ();
    if (child == 0) {	/* child shell */
        pam_end (pamh, PAM_SUCCESS);
        if (doshell)
            (void) shell (shellstr, (char *) args[0], envp);
        else
            (void) execve (shellstr, (char **) args, envp);
        exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
    } else if (child == -1) {

Is there a good reason (security related or other) why pam_end() is
called here? With libpam-krb5, it has the effect that the ticket cache
is removed, before the user has a chance to use it.
Thanks
Arne
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages login depends on:
ii libc6 2.3.6.ds1-7 GNU C Library: Shared libraries
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libpam-runtime 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
login recommends no packages.
-- no debconf information
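
Added example (not part of the original report, and not libpam, libpam-krb5 or shadow code): a small model of the behaviour described above, where a cleanup run in the forked child removes a file the exec'd shell still needs. Linux-PAM's pam_end(3) documents a PAM_DATA_SILENT flag for a pam_end() call made in a fork()ed process; whether a module honours it is up to the module. The names cache_cleanup, cache_survives_in_child and MODEL_DATA_SILENT and the /tmp path are assumptions made for the model.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed flag bit; stands in for PAM_DATA_SILENT in this model. */
#define MODEL_DATA_SILENT 0x1

/* Hypothetical module cleanup: removes the cache unless the call is "silent". */
static void cache_cleanup(const char *cache, int status)
{
    if (status & MODEL_DATA_SILENT)
        return;                 /* forked copy: the parent owns the file */
    unlink(cache);
}

/* Models su: create a cache, fork, let the child end its handle with
 * child_status. Returns 1 if the child still sees the cache, 0 if not, -1 on error. */
int cache_survives_in_child(int child_status)
{
    char path[] = "/tmp/model_ccache_XXXXXX";
    int fd = mkstemp(path);     /* stands in for the ticket cache */
    if (fd < 0) return -1;
    close(fd);

    pid_t child = fork();
    if (child == -1) { unlink(path); return -1; }
    if (child == 0) {
        cache_cleanup(path, child_status);      /* pam_end() in the child */
        _exit(access(path, F_OK) == 0 ? 0 : 1); /* the exec'd shell's view */
    }
    int wstatus;
    int rc = waitpid(child, &wstatus, 0);
    cache_cleanup(path, 0);     /* parent closes the session after the child */
    if (rc < 0 || !WIFEXITED(wstatus)) return -1;
    return WEXITSTATUS(wstatus) == 0;
}

int main(void)
{
    printf("plain status in child:  cache visible = %d\n", cache_survives_in_child(0));
    printf("silent status in child: cache visible = %d\n", cache_survives_in_child(MODEL_DATA_SILENT));
    return 0;
}
```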