[Pkg-shadow-devel] Bug#677441: Please enable pam_loginuid by default

Laurent Bigonville bigon at debian.org
Thu Jun 14 09:48:27 UTC 2012


Hi,

So let's try to be more clear about this bug.

pam_loginuid is used to track user login. This module is needed
by different things: the audit daemon, consolekit and systemd (for the
latter, the lack of calling this module produces some nasty issues, like
breaking sudo).

The module must only be called in login-like services (login, xDM,...)
and not in services like sudo, as this is defeating the purpose of
having a UID per login. The pam-auth-update is currently lacking (see
#677288) a way to add modules to login services only.

The pam_loginuid.so module is already present in the libpam-modules package,
which is Priority: required, which means it's installed on every system
by default.

The module needs to be added in between the call to selinux close/open
and before pam_ck_connector modules (if they are already present in your
pam service file). I also recommend adding it before the
common-session(-noninteractive) include. For example:

 session required        pam_selinux.so close
 [...]
 session required        pam_loginuid.so   << Add it here
 @include common-session
 session required        pam_selinux.so open

Cheers

Laurent Bigonville
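
The ordering rules from the message above can be checked mechanically. The following is an added example, not part of the original message or of any Debian package: it scans the text of a PAM service file and reports where pam_loginuid.so breaks the recommended placement. The function names and the sample files are constructed for illustration.

```python
import re

# Constructed sample service files, not taken from a real system.
GOOD = """\
session required   pam_selinux.so close
session required   pam_loginuid.so
@include common-session
session optional   pam_ck_connector.so nox11
session required   pam_selinux.so open
"""
LATE = """\
session required   pam_selinux.so close
@include common-session
session optional   pam_ck_connector.so nox11
session required   pam_selinux.so open
session required   pam_loginuid.so
"""
MISSING = "auth required pam_unix.so\n@include common-session\n"

# type, control (plain word or [bracketed]), optional path, module name, args
SESSION = re.compile(r"-?session\s+(?:\[[^\]]*\]|\S+)\s+(?:\S*/)?(pam_\w+)\.so\b(.*)")
INCLUDE = re.compile(r"@include\s+common-session(-noninteractive)?\s*$")

def positions(text):
    """Map each relevant session-stack entry to the index of its first line."""
    pos = {}
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = SESSION.match(line)
        if m:
            mod, args = m.group(1), m.group(2).split()
            if mod == "pam_selinux":
                mod += " close" if "close" in args else " open" if "open" in args else ""
            pos.setdefault(mod, idx)
        elif INCLUDE.match(line):
            pos.setdefault("common-session", idx)
    return pos

def check_service(text):
    """Return placement problems for pam_loginuid; an empty list means the order is fine."""
    pos = positions(text)
    if "pam_loginuid" not in pos:
        return ["pam_loginuid.so is not in the session stack"]
    here, problems = pos["pam_loginuid"], []
    if pos.get("pam_selinux close", -1) > here:
        problems.append("before pam_selinux.so close")
    for later in ("pam_selinux open", "pam_ck_connector", "common-session"):
        if later in pos and pos[later] < here:
            problems.append("after " + later)
    return problems
```

A missing-module result is only a finding for login-like services; for services such as sudo, absence is the expected state.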




