Bug#412061: [Pkg-shadow-devel] Bug#412061: login: su ends PAM sesstion in subshell

Philipp Matthias Hahn pmhahn at debian.org
Mon Feb 26 16:45:18 CET 2007


On Sun, Feb 25, 2007 at 12:28:13AM +0100, Nicolas François wrote:
> On Fri, Feb 23, 2007 at 09:05:57AM -0800, rra at debian.org wrote:
> > I'm not sure if this is the correct behavior or not.  I inherited it, and
> > I don't know if there's any documentation about what one is *supposed* to
> > to.  It causes strange problems on Solaris 8 and 9 as well (I haven't been
> > able to test Solaris 10).
> pam-krb5's behavior is probably correct. (maybe it could implement
> PAM_DATA_SILENT support for pam_end; but it would not help in this case,
> as su do not use it;)

PAM_DATA_SILENT is only a proposed extension, therefor I would not
recommend using it.
It seems strange, that "su" should be the only/first program
encountering this problem.

> Philipp, does su seems to behave correctly when you remove the pam_end
> call in the child?

Yes, it works as expected. This is also what I think is right, but
before proposing this change, I liked some discussion with others.

> My current opinion is that we should remove this pam_end, which would make
> the su behavior consistent with login. (BTW, does login behaves correctly
> regarding pam-krb5?)

Yes, login works right.

Perhaps taking a look at all those libpam-\* modules might shed some
more light on the situation, what modules do. Especially what they do in
cleanup() on pam_end().

Philipp Matthias Hahn <pmhahn at debian.org>
 GPG/PGP: 9A540E39 @ keyrings.debian.org

More information about the Pkg-shadow-devel mailing list