[Pkg-shadow-devel] Bug#677441: Please enable pam_loginuid by default
Laurent Bigonville
bigon at debian.org
Thu Jun 14 09:48:27 UTC 2012
Hi,
So let's try to be more clear about this bug.
pam_loginuid is used to track user login. This module is needed
by different things: the audit daemon, consolekit and systemd (for the
latter, the lack of calling this module produces some nasty issues, like
breaking sudo).
The module must only be called in login-like services (login, xDM,...)
and not in services like sudo as this is defeating the purpose of
having a UID per login. The pam-auth-update is currently lacking (see
#677288) a way to add modules to login services only.
pam_loginuid.so module is already present in the libpam-modules package
which is Priority: required which means it's installed on every system
by default.
The module needs to be added in between the call to selinux close/open
and before pam_ck_connector modules (if they are already present in your
pam service file). I also recommend adding it before the
common-session(-noninteractive) include. For example:
    session required pam_selinux.so close
    [...]
    session required pam_loginuid.so << Add it here
    @include common-session
    session required pam_selinux.so open
Cheers
Laurent Bigonville
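
The ordering described in the message above can be checked mechanically. The following is an added example, not part of the original mail or of any Debian package: the function names and both sample service files are constructed for illustration.

```python
import os

# Constructed sample service files, not copied from any Debian package.
GOOD = """\
session [success=ok ignore=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
@include common-session
session optional pam_ck_connector.so nox11
session required pam_selinux.so open
"""
BAD = """\
session required pam_selinux.so close
@include common-session
session required pam_selinux.so open
session required pam_loginuid.so
"""

def session_entries(text):
    """Yield (line_number, key) for session module lines and @include lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == "@include":
            yield no, "@include " + fields[1]
        elif fields and fields[0].lstrip("-") == "session":
            # The control field may be bracketed, so find the module by suffix.
            idx = next((i for i, f in enumerate(fields) if f.endswith(".so")), None)
            if idx is not None:
                key, args = os.path.basename(fields[idx]), fields[idx + 1:]
                if key == "pam_selinux.so":
                    # Assumption: a line without "open" is the close call.
                    key += " open" if "open" in args else " close"
                yield no, key

def check_loginuid(text):
    """Return ordering problems for pam_loginuid.so; an empty list means none."""
    first = {}
    for no, key in session_entries(text):
        first.setdefault(key, no)
    at = first.get("pam_loginuid.so")
    if at is None:
        return ["pam_loginuid.so is not in the session stack"]
    problems = []
    if first.get("pam_selinux.so close", 0) > at:
        problems.append("before pam_selinux.so close")
    for later in ("pam_selinux.so open", "pam_ck_connector.so",
                  "@include common-session",
                  "@include common-session-noninteractive"):
        if first.get(later, at) < at:
            problems.append("after " + later)
    return problems
```

Run it against login-like service files only; for a service such as sudo the expected finding is that the module is absent.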