Bug 36743 - /etc/pam.d/kdm allows normal user login
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
UCS 4.0
All Linux
: P5 normal
: UCS 4.0
Assigned To: Philipp Hahn
Stefan Gohmann
: interim-4
Blocks: 36490
Reported: 2014-11-17 12:21 CET by Philipp Hahn
Modified: 2014-11-26 06:54 CET
Attachments
Bug #36743: Provide PAM configuration for KDM (11.57 KB, patch)
2014-11-17 12:43 CET, Philipp Hahn

Description Philipp Hahn univentionstaff 2014-11-17 12:21:39 CET
PT 4.0-0
UCS-4 uses KDM, while UCS-3 used GDM. A PAM file is only provided for GDM by UCR, so a "normal" user can still log in:

# egrep -v '^#|^$' /etc/pam.d/[gk]dm

/etc/pam.d/gdm:@include common-auth
/etc/pam.d/gdm:account required pam_access.so accessfile=/etc/security/access-gdm.conf listsep=, maxent=0x400001
/etc/pam.d/gdm:@include common-account
/etc/pam.d/gdm:@include common-session
/etc/pam.d/gdm:@include common-password

/etc/pam.d/kdm:auth       required     pam_nologin.so
/etc/pam.d/kdm:auth       required     pam_env.so readenv=1
/etc/pam.d/kdm:auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
/etc/pam.d/kdm:@include common-auth
/etc/pam.d/kdm:session    required     pam_limits.so
/etc/pam.d/kdm:@include common-account
/etc/pam.d/kdm:@include common-password
/etc/pam.d/kdm:@include common-session

# dpkg -S /etc/univention/templates/files/etc/pam.d/?dm
univention-pam: /etc/univention/templates/files/etc/pam.d/gdm

# dpkg-query -W univention-pam
univention-pam  8.0.2-1.257.201411061731
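
A check for the gap described in this report, as an added example that is not part of the original report or of UCS code: it lists PAM service files whose account stack never reaches pam_access.so, following @include lines. The function names, the include-depth limit and the empty common-* stand-ins in the fixture are assumptions.

```shell
# Added example (not UCS code): report PAM services whose account stack never
# reaches pam_access.so. "@include" lines are followed; PAM dir is a parameter.

# Print the account-stack lines in effect for service $2 under directory $1.
pam_account_lines() {
    dir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -le 8 ] && [ -r "$dir/$svc" ] || return 0    # include-loop guard
    while read -r kind rest || [ -n "$kind" ]; do
        case $kind in
            ''|'#'*) ;;                                      # blank or comment
            @include) ( pam_account_lines "$dir" "${rest%% *}" $((depth + 1)) ) ;;
            account|-account) printf '%s\n' "$rest" ;;
        esac
    done < "$dir/$svc"
}

# Print each listed service that exists but never calls pam_access.so.
pam_missing_access() {
    dir=$1; shift
    for svc in "$@"; do
        [ -r "$dir/$svc" ] || continue
        pam_account_lines "$dir" "$svc" | grep -q 'pam_access\.so' || printf '%s\n' "$svc"
    done
}

# Constructed fixture: gdm and kdm as listed in the report; the common-* files
# are empty stand-ins (their real content is not shown on the page).
make_sample() {
    for f in common-auth common-account common-session common-password; do : > "$1/$f"; done
    cat > "$1/gdm" <<'EOF'
@include common-auth
account required pam_access.so accessfile=/etc/security/access-gdm.conf listsep=, maxent=0x400001
@include common-account
@include common-session
@include common-password
EOF
    cat > "$1/kdm" <<'EOF'
auth       required     pam_nologin.so
auth       required     pam_env.so readenv=1
auth       required     pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session    required     pam_limits.so
@include common-account
@include common-password
@include common-session
EOF
}
```

On a live system the same check is `pam_missing_access /etc/pam.d gdm kdm`; an empty result means every listed service reaches pam_access.so in its account stack.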
Comment 1 Philipp Hahn univentionstaff 2014-11-17 12:43:47 CET
Created attachment 6388
Bug #36743: Provide PAM configuration for KDM

untested
Comment 2 Stefan Gohmann univentionstaff 2014-11-17 22:38:19 CET
Please apply the kdm part of your patch but don't change the gdm related files.
Comment 3 Philipp Hahn univentionstaff 2014-11-18 11:15:16 CET
r55911 | Bug #36743: Provide PAM configuration for KDM
 added PAM configuration for KDM.

Package: univention-pam
Version: 8.0.3-1.258.201411180912
Branch: ucs_4.0-0

ChangeLog:
r55911 | Bug #36743: Provide PAM configuration for KDM
 <application>kdm</application> is not used as the display manager for graphical login.
 The PAM configuration was updated to reflect this change (<ulink url="&ucsbug;35266">Bug 35266</ulink>, <ulink url="&ucsbug;36743">Bug 36743</ulink>)
Comment 4 Stefan Gohmann univentionstaff 2014-11-19 07:40:57 CET
Changelog: OK

Code: OK

Tests: OK:
- Access is denied, after setting 'ucr set auth/kdm/user/stefan=yes', the login is allowed

The login as root is currently not allowed: Bug #36852
Comment 5 Stefan Gohmann univentionstaff 2014-11-26 06:54:52 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".